All news with #aws secrets manager tag

Transfer Data Across AWS Partitions with Roles Anywhere

🔐 AWS outlines replacing cross-partition IAM user keys with IAM Roles Anywhere to securely transfer data between AWS partitions. The post explains partition isolation (Commercial, GovCloud, China), why long-lived access keys are discouraged, and how IAM Roles Anywhere uses X.509 certificates and temporary credentials. It also covers using an external CA or AWS Private CA to issue and manage certificates for workloads.

AWS Secrets Manager: Managed External Secrets Launch

🔐 AWS Secrets Manager introduces managed external secrets, a default-enabled feature that automates rotation for third-party SaaS credentials using provider-supported rotation strategies. The service removes the need to build and maintain rotation Lambda functions by enforcing a vendor-prescribed secret format and offering multiple rotation approaches. An onboarding guide enables any SaaS provider to join as a partner and publish prescriptive rotation guidance. At launch, the feature lists Salesforce, BigID, and Snowflake, and is available in all Regions where Secrets Manager operates.

Amazon FSx Integrates with AWS Secrets Manager for AD

🔒 Amazon FSx now integrates with AWS Secrets Manager to store and manage Active Directory domain service account credentials for FSx for Windows File Server and FSx for NetApp ONTAP Storage Virtual Machines (SVMs). This removes the need to supply plain-text service account usernames and passwords in the console, APIs, CLI, or CloudFormation, and enables credential rotation and improved credential hygiene. The capability is available in all AWS Regions where FSx is offered.

Choosing the Right AWS Service for Secrets and Configs

🔐 AWS outlines when to use Secrets Manager, Systems Manager Parameter Store, and AWS AppConfig to manage credentials, configuration values, and feature flags. The guidance recommends Secrets Manager for sensitive credentials that need rotation and multi‑Region replication, Parameter Store for simple or high‑volume key/value data, and AppConfig for validated, controlled deployments. The post compares encryption, access controls, replication, monitoring, and pricing to help architects select the best fit.

CloudWatch Synthetics: Bundled Multi-Check Canaries

🔧 Amazon CloudWatch Synthetics now offers bundled multi-check blueprints that let teams define comprehensive synthetic tests using a single JSON configuration file. A single canary can include up to 10 steps covering HTTP (with varied authentication), DNS, SSL certificate checks and TCP ports, and supports complex assertions on status, latency, headers and response body. Integration with AWS Secrets Manager secures credentials, while step-by-step results and console debugging simplify implementation compared with writing multiple custom canaries.

AWS PCS Adds Slurm Cluster Secret Rotation Support

🔐 AWS Parallel Computing Service (PCS) now supports rotation of Slurm cluster secret keys using AWS Secrets Manager. Administrators can update the credentials used for authentication between the Slurm controller and compute nodes without recreating a cluster, preserving running workloads and configuration. Regular rotation reduces the risk of credential compromise and helps meet security best practices and compliance requirements. The capability is available in all Regions where PCS operates and can be initiated from the Secrets Manager console or via API after preparing the cluster for rotation.

Deploying AWS Secrets Manager Agent as an EKS Sidecar

🔒 This post demonstrates deploying the AWS Secrets Manager Agent as a sidecar container in Amazon EKS to provide a language-agnostic local HTTP interface (localhost:2773) for secrets retrieval. The agent pulls and caches secret values, reducing direct API calls to Secrets Manager and improving application availability. It enforces SSRF protection via a generated token at /var/run/awssmatoken and implements ML‑KEM post‑quantum key exchange by default. Authentication uses Amazon EKS Pod Identity and IAM permissions (secretsmanager:GetSecretValue and secretsmanager:DescribeSecret), and the post includes build, containerization, and deployment steps.

Securing Amazon Bedrock API Keys: Best Practices Guidance

🔐 AWS details practical guidance for implementing and managing Amazon Bedrock API keys, the service-specific credentials that provide bearer-token access to Bedrock. It recommends STS temporary credentials when possible and defines two API key types: short-term (client-generated, auto-expiring) and long-term (IAM-user associated). Protection advice includes using SCPs, iam and bedrock condition keys, and storing long-term keys in secure vaults. Detection and monitoring use CloudTrail, EventBridge rules, and an AWS Config rule, and response steps show CLI commands to deactivate and delete compromised keys.

AgentCore Identity: Secure Identity for AI Agents at Scale

🔐 Amazon Bedrock AgentCore Identity centralizes and secures identities and credentials for AI agents, integrating with existing identity providers such as Amazon Cognito to avoid user migration and rework of authentication flows. It provides a token vault encrypted with AWS KMS, native AWS Secrets Manager support, and orchestrates OAuth 2.0 flows (2LO and 3LO). Declarative SDK annotations and built-in error handling simplify credential injection and refresh workflows, helping teams deploy agentic workloads securely at scale.

AWS Secrets Manager PrivateLink Support for FIPS Endpoints

🔐 AWS Secrets Manager now supports AWS PrivateLink with all Secrets Manager Federal Information Processing Standard (FIPS) endpoints available in commercial AWS Regions and the AWS GovCloud (US) Regions. With this launch you can establish a private connection between your VPC and Secrets Manager FIPS endpoints instead of connecting over the public internet. This capability helps organizations meet compliance and regulatory requirements that limit public internet connectivity.

Automating OIDC Client Secret Rotation for ALB on AWS

🔁 This AWS blog demonstrates how to automate OIDC client secret rotation for Application Load Balancer authentication using AWS Secrets Manager, AWS Lambda, and Amazon EventBridge. The solution securely stores IdP credentials (Auth0 in the example), schedules a Lambda handler to fetch and compare tokens, and updates Secrets Manager and ALB listener rules when changes occur. It reduces manual effort, limits plaintext credential exposure, and adds monitoring via CloudWatch alarms.

Amazon RDS Proxy Adds End-to-End IAM Authentication

🔐 Amazon RDS Proxy now supports end-to-end IAM authentication for Amazon Aurora and RDS database instances, allowing applications to authenticate through the proxy using AWS IAM without storing credentials in Secrets Manager. This reduces credential rotation overhead and simplifies credential management. The capability is available for MySQL and PostgreSQL in all Regions where RDS Proxy is supported.

Amazon EventBridge API Destinations Reach Melbourne Thailand

🔔 Amazon EventBridge now provides its API destinations capability in the AWS Asia Pacific (Melbourne) and AWS Asia Pacific (Thailand) Regions. API destinations allow event buses to invoke HTTPS endpoints as rule targets and support flexible authentication methods such as API key and OAuth, while storing credentials securely in AWS Secrets Manager. This expansion reduces call latency for local workloads and simplifies secure, managed integrations. To get started, consult the EventBridge documentation for configuration guidance.

Implementing Defense-in-Depth for AWS CodeBuild Pipelines

🔒 This guide consolidates practical recommendations for securing AWS CodeBuild CI/CD pipelines, emphasizing webhook configuration, trust boundaries, and least-privilege access. It warns against automatic pull request builds from untrusted contributors and prescribes push-based, branch-based, and contributor-filtered webhook patterns, plus staged rollout using Infrastructure as Code. Additional safeguards include scoped GitHub tokens, per-build IAM roles, isolated build environments, CloudTrail logging, and manual approval gates for sensitive deployments.

Automate Disabling AD Users from GuardDuty Findings

🔐 This AWS Security Blog post explains how to use Amazon GuardDuty to detect suspicious activity and automatically disable accounts in AWS Managed Microsoft AD. It walks through deploying a managed directory and a directory-administration EC2 instance, configuring AWS Systems Manager Run Command documents, and orchestrating those actions with AWS Step Functions triggered by Amazon EventBridge. The guide includes required permissions, testing steps using GuardDuty’s test domains, and notes on extending the automation to reset passwords or send notifications.