< ciso brief />

All news with #aws secrets manager tag

21 articles

AWS Secrets Manager adds Datadog and Snowflake support

🔐 AWS Secrets Manager now supports managed external secrets for Datadog vended keys and Snowflake Programmatic Access Tokens, enabling automatic rotation of these third-party credentials directly within Secrets Manager. The update covers Datadog API keys, Application keys, and admin credential pairs for service accounts. For Snowflake, Secrets Manager can rotate Programmatic Access Tokens using Snowflake's native authentication and offers a configurable grace period to minimize disruption. These additions join existing integrations such as BigID, Confluent Cloud, MongoDB Atlas, and Salesforce and are available in all Regions where managed external secrets is supported.

Secrets Manager Agent Adds Pre-Fetching and Role Assumption

🔒 The AWS Secrets Manager Agent now supports pre-fetching secrets at startup and assuming an IAM role for retrieval. With pre-fetching you can specify a list of secrets or a tag to retrieve and cache via BatchGetSecretValue, reducing application startup latency and API overhead. The agent can also assume a provided role ARN per pre-fetch or HTTP request to enable cross-account secret retrieval. These capabilities are available in all Regions where Secrets Manager is offered.

AWS Secrets Manager Enables Hybrid Post-Quantum TLS

🔐 AWS Secrets Manager now prefers hybrid post-quantum TLS (ML-KEM) for supported clients to reduce harvest-now, decrypt-later risk. Customers using the listed clients and SDK versions get ML-KEM key exchange without code changes; secrets at rest remain encrypted with AWS KMS, and the symmetric algorithms used there are considered quantum-resistant. Verify that a client actually negotiated it by checking that tlsDetails.keyExchange equals X25519MLKEM768 in its CloudTrail events, and check the SDK/OpenSSL requirements (for example, OpenSSL 3.5+ for Python). CRYSTALS-Kyber support is being phased out in 2026, so upgrade clients to avoid falling back to traditional TLS.

AWS Secrets Manager Adds MongoDB and Confluent Support

🔐 AWS Secrets Manager now supports managed external secrets for MongoDB Atlas and Confluent Cloud, enabling centralized secret storage and automatic rotation without building custom Lambda rotation functions. The MongoDB integration handles database user credentials (SCRAM) and service account OAuth client ID/secret; Confluent automates API key rotation for service accounts with cluster-scoped and cloud resource management keys. Automatic rotation is enabled by default to remove hardcoded credentials and reduce operational overhead.

AWS Secrets Manager Adds Hybrid Post-Quantum TLS Support

🔐 AWS Secrets Manager now supports hybrid post-quantum TLS key exchange using ML-KEM (a module-lattice-based KEM) to secure secret retrieval. The capability is automatically enabled in Secrets Manager Agent (v2.0.0+), Lambda Extension (v19+), and Secrets Manager CSI Driver (v2.0.0+); supported SDKs include Rust, Go, Node.js, Kotlin, Python (OpenSSL 3.5+), and Java v2 (v2.35.11+). No code or configuration changes are required for up-to-date clients except Java v2. You can verify hybrid key exchange in CloudTrail GetSecretValue events by checking the tlsDetails field for the X25519MLKEM768 algorithm.
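Both post-quantum items above tell you to confirm negotiation in CloudTrail rather than trust the client version. The following Python script is an added example, not code from AWS or from the announcements: it scans CloudTrail records for Secrets Manager GetSecretValue/BatchGetSecretValue calls and reports those whose tlsDetails.keyExchange is not X25519MLKEM768, grouped by user agent so you know which SDK builds still need the SDK/OpenSSL upgrade. The records are constructed for illustration; the field names follow the tlsDetails layout the announcements describe, and the principals and user-agent strings are made up.

```python
"""Audit CloudTrail records for Secrets Manager calls that did not use hybrid PQ key exchange.

Added example, not code from the announcements. The records below are constructed
to show the field layout; principals and user agents are made up.
"""
import json
from collections import Counter

PQ_KEY_EXCHANGE = "X25519MLKEM768"              # value the announcements say to look for
SECRETS_MANAGER = "secretsmanager.amazonaws.com"
# Calls that move secret values over TLS, so they are the harvest-now/decrypt-later exposure.
WATCHED_EVENTS = {"GetSecretValue", "BatchGetSecretValue"}

# Constructed sample records (not real log data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": SECRETS_MANAGER, "eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/app-rust/i-0aaa"},
     "userAgent": "aws-sdk-rust/1.6.0 os/linux lang/rust/1.80",
     "tlsDetails": {"tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_256_GCM_SHA384",
                    "keyExchange": "X25519MLKEM768"}},              # hybrid PQ negotiated
    {"eventSource": SECRETS_MANAGER, "eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/app-python/i-0bbb"},
     "userAgent": "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 os/linux lang/python#3.11",
     "tlsDetails": {"tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_256_GCM_SHA384",
                    "keyExchange": "X25519"}},                      # classical fallback
    {"eventSource": SECRETS_MANAGER, "eventName": "BatchGetSecretValue",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/app-legacy/i-0ccc"},
     "userAgent": "aws-sdk-java/1.12.0",
     "tlsDetails": {"tlsVersion": "TLSv1.2",
                    "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256"}},  # no keyExchange field
    {"eventSource": SECRETS_MANAGER, "eventName": "DescribeSecret",  # metadata only, not watched
     "userAgent": "aws-cli/2.15.0", "tlsDetails": {"keyExchange": "X25519"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",     # other service, skipped
     "userAgent": "aws-cli/2.15.0", "tlsDetails": {"keyExchange": "X25519"}},
]})


def key_exchange(record):
    """Return the negotiated key exchange from tlsDetails, or None if the field is absent."""
    return (record.get("tlsDetails") or {}).get("keyExchange")


def classify(record):
    """'pq' if hybrid ML-KEM was negotiated, 'classical' otherwise, 'unknown' if not logged."""
    kx = key_exchange(record)
    if kx is None:
        return "unknown"
    return "pq" if kx == PQ_KEY_EXCHANGE else "classical"


def audit(log_text):
    """Return (counts per verdict, one finding per watched call that was not hybrid PQ)."""
    counts = Counter()
    findings = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != SECRETS_MANAGER or rec.get("eventName") not in WATCHED_EVENTS:
            continue                                    # only calls that carry secret values
        verdict = classify(rec)
        counts[verdict] += 1
        if verdict != "pq":
            findings.append({
                "principal": (rec.get("userIdentity") or {}).get("arn"),
                "eventName": rec["eventName"],
                "userAgent": rec.get("userAgent"),
                "tlsVersion": (rec.get("tlsDetails") or {}).get("tlsVersion"),
                "keyExchange": key_exchange(rec),
                "verdict": verdict,
            })
    return counts, findings


def clients_needing_upgrade(findings):
    """Group non-PQ calls by user agent: these are the SDK builds to update first."""
    return Counter(f["userAgent"] for f in findings)


if __name__ == "__main__":
    counts, findings = audit(SAMPLE_LOG)
    print(dict(counts))
    for agent, n in clients_needing_upgrade(findings).most_common():
        print(f"{n:>4}  {agent}")
```

In production, feed this the decompressed CloudTrail objects from your S3 trail or an Athena export; the "unknown" bucket is worth keeping separate from "classical" because an event without the field tells you nothing about the key exchange and should not be counted as a pass.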

AWS Secrets Manager Console Accepts Custom KMS ARNs

🔒 The AWS Secrets Manager console now lets you enter a custom customer-managed AWS KMS key ARN when creating secrets. Previously, the console only presented keys from the current account in a dropdown. By accepting direct KMS key ARNs, the console now supports keys in other accounts and aligns with existing API capabilities. This change simplifies cross-account encryption workflows and offers more flexible key management across accounts.

AWS DataSync Adds Secrets Manager Support for All Locations

🔐 AWS DataSync now integrates with AWS Secrets Manager for credential management across all DataSync location types, including HDFS and Amazon FSx variants. Customers can centralize secrets in their account and optionally encrypt them with a customer-managed AWS KMS key to meet governance requirements. DataSync supports providing a secret ARN you manage or having DataSync automatically create and manage secrets. This capability is available in the majority of AWS Regions where DataSync is offered.

Amazon Bedrock AgentCore Browser Adds Proxy Support

🔒 Amazon Bedrock AgentCore Browser now accepts customer-provided proxy configurations, allowing organizations to route browser sessions through corporate or regional proxy infrastructure for geo-targeting, compliance, and stable egress addresses. The feature supports both HTTP and HTTPS proxies and integrates with AWS Secrets Manager so proxy credentials are not stored in the configuration itself. It is available in all 14 Regions where AgentCore Browser is offered.

AWS Secrets Manager adds flexible secret sorting options

📌 AWS announced enhanced sorting for AWS Secrets Manager, enabling console and ListSecrets API users to sort secrets by name, last changed date, last accessed date, and creation date. The update expands the previous single-dimension creation-date sort to multiple dimensions, improving secret discovery, management, and operational workflows. The new sorting capabilities are available now in the Secrets Manager console and via the ListSecrets API across all AWS commercial and AWS GovCloud (US) Regions.

AWS Secrets Store CSI Driver Add-on for Amazon EKS

🔐 This post introduces the AWS provider for the Secrets Store CSI Driver and the new Amazon EKS add-on that mounts Secrets Manager secrets and Systems Manager parameters as files in Kubernetes pods. The add-on simplifies installation compared with Helm or kubectl, supports EC2 and hybrid nodes, and includes security patches and FIPS endpoint options. The walkthrough covers prerequisites, creating a test secret, installing the add-on, configuring an IAM role and EKS Pod Identity association, deploying an example pod that mounts the secret at /mnt/secrets-store, validating retrieval, and cleaning up resources.

AWS Secrets Manager Introduces Managed External Secrets

🔐 AWS Secrets Manager now supports managed external secrets, a new secret type that standardizes storage and enables automated rotation for third-party application credentials such as Salesforce, Snowflake, and BigID. The feature separates rotation metadata from secret values and integrates directly with providers to remove the need for custom rotation functions. It works with existing IAM, CloudWatch, CloudTrail, GuardDuty, and KMS controls and is billed at standard Secrets Manager pricing with no additional charge.

Amazon EKS add-on: AWS Secrets Store CSI Driver Provider

🔐 AWS has announced general availability of the Amazon EKS add-on for the AWS Secrets Store CSI Driver provider, enabling clusters to mount secrets from AWS Secrets Manager and parameters from AWS Systems Manager Parameter Store as files on Kubernetes workloads. The add-on installs and manages the AWS provider component and supports automated setup and lifecycle management for new and existing Amazon EKS clusters. It is available in all AWS commercial and AWS GovCloud (US) Regions.

AWS Secrets Manager: Managed External Secrets Launch

🔐 AWS Secrets Manager introduces managed external secrets, a default-enabled feature that automates rotation for third-party SaaS credentials using provider-supported rotation strategies. The service removes the need to build and maintain rotation Lambda functions by enforcing a vendor-prescribed secret format and offering multiple rotation approaches. An onboarding guide enables any SaaS provider to join as a partner and publish prescriptive rotation guidance. At launch, the feature lists Salesforce, BigID, and Snowflake, and is available in all Regions where Secrets Manager operates.

Amazon FSx Integrates with AWS Secrets Manager for AD

🔒 Amazon FSx now integrates with AWS Secrets Manager to store and manage Active Directory domain service account credentials for FSx for Windows File Server and FSx for NetApp ONTAP Storage Virtual Machines (SVMs). This removes the need to supply plain-text service account usernames and passwords in the console, APIs, CLI, or CloudFormation, and enables credential rotation and improved credential hygiene. The capability is available in all AWS Regions where FSx is offered.

Spike in Automated Botnet Attacks Targeting PHP, IoT

🔐 Cybersecurity researchers warn of a sharp rise in automated botnet campaigns targeting PHP servers, IoT devices, and cloud gateways. The Qualys Threat Research Unit says Mirai, Gafgyt, Mozi and similar botnets are exploiting known CVEs, misconfigurations and exposed secrets to recruit vulnerable systems. Attackers leverage active debug interfaces (for example using '/?XDEBUG_SESSION_START=phpstorm'), scan from cloud providers to mask their origin, and turn compromised routers and DVRs into residential proxies. Recommended mitigations include prompt patching, removing development tools from production, securing secrets with AWS Secrets Manager or HashiCorp Vault, and restricting public cloud access.

Choosing the Right AWS Service for Secrets and Configs

🔐 AWS outlines when to use Secrets Manager, Systems Manager Parameter Store, and AWS AppConfig to manage credentials, configuration values, and feature flags. The guidance recommends Secrets Manager for sensitive credentials that need rotation and multi-Region replication, Parameter Store for simple or high-volume key/value data, and AppConfig for validated, controlled deployments. The post compares encryption, access controls, replication, monitoring, and pricing to help architects select the best fit.

CloudWatch Synthetics: Bundled Multi-Check Canaries

🔧 Amazon CloudWatch Synthetics now offers bundled multi-check blueprints that let teams define comprehensive synthetic tests using a single JSON configuration file. A single canary can include up to 10 steps covering HTTP (with varied authentication), DNS, SSL certificate checks and TCP ports, and supports complex assertions on status, latency, headers and response body. Integration with AWS Secrets Manager secures credentials, while step-by-step results and console debugging simplify implementation compared with writing multiple custom canaries.

AWS PCS Adds Slurm Cluster Secret Rotation Support

🔐 AWS Parallel Computing Service (PCS) now supports rotation of Slurm cluster secret keys using AWS Secrets Manager. Administrators can update the credentials used for authentication between the Slurm controller and compute nodes without recreating a cluster, preserving running workloads and configuration. Regular rotation reduces the risk of credential compromise and helps meet security best practices and compliance requirements. The capability is available in all Regions where PCS operates and can be initiated from the Secrets Manager console or via API after preparing the cluster for rotation.

Deploying AWS Secrets Manager Agent as an EKS Sidecar

🔒 This post demonstrates deploying the AWS Secrets Manager Agent as a sidecar container in Amazon EKS to provide a language-agnostic local HTTP interface (localhost:2773) for secrets retrieval. The agent pulls and caches secret values, reducing direct API calls to Secrets Manager and improving application availability. It mitigates SSRF by requiring every request to present a token that the agent generates at startup and writes to /var/run/awssmatoken, and it negotiates hybrid ML-KEM post-quantum key exchange by default. Authentication uses Amazon EKS Pod Identity and IAM permissions (secretsmanager:GetSecretValue and secretsmanager:DescribeSecret), and the post includes build, containerization, and deployment steps.
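As an added example (not code from the post), here is what the application side of that sidecar looks like in Python: read the token the agent wrote to /var/run/awssmatoken, send it in the X-Aws-Parameters-Secrets-Token header on GET /secretsmanager/get?secretId=..., and observe that a request without the token is refused. The header name and path follow the agent's documented HTTP interface; the small FakeAgent class is a stand-in so the example runs offline and is not the agent itself, and the token value, secret name and secret contents are constructed.

```python
"""Fetch a secret from the Secrets Manager Agent's local HTTP interface, token included.

Added example, not code from the post. The point: an SSRF bug in the app can reach
localhost:2773, but without the token the agent generated it gets nothing back.
FakeAgent below is an offline stand-in for the agent, not the agent itself.
"""
import hmac
import json
import os
import tempfile
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HEADER = "X-Aws-Parameters-Secrets-Token"   # header the agent checks on every request
TOKEN_FILE = "/var/run/awssmatoken"               # where the agent writes its generated token
AGENT_URL = "http://localhost:2773"               # agent's default listen address


def read_token(path=TOKEN_FILE):
    """Read the per-instance token; the app container must be able to read this file."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def get_secret(secret_id, token, base_url=AGENT_URL):
    """GET /secretsmanager/get?secretId=... with the token header; return SecretString."""
    url = f"{base_url}/secretsmanager/get?secretId={urllib.parse.quote(secret_id, safe='')}"
    req = urllib.request.Request(url, headers={TOKEN_HEADER: token})
    with urllib.request.urlopen(req, timeout=2) as resp:
        payload = json.load(resp)                 # same shape as the GetSecretValue API response
    return payload["SecretString"]


def try_get(secret_id, token, base_url=AGENT_URL):
    """Return (http_status, secret_string_or_None) so a refused request is a value, not a crash."""
    try:
        return 200, get_secret(secret_id, token, base_url)
    except urllib.error.HTTPError as err:
        return err.code, None


class FakeAgent(BaseHTTPRequestHandler):
    """Offline stand-in for the agent (constructed for this example; not the real agent)."""
    token = ""                                    # set per server by start_fake_agent
    secrets = {}                                  # secretId -> SecretString

    def do_GET(self):
        parts = urllib.parse.urlparse(self.path)
        supplied = self.headers.get(TOKEN_HEADER, "")
        # Constant-time compare; any request without the right token is refused (the SSRF guard).
        if not hmac.compare_digest(supplied, self.token):
            self.send_error(403, "missing or invalid token")
            return
        secret_id = urllib.parse.parse_qs(parts.query).get("secretId", [""])[0]
        if parts.path != "/secretsmanager/get" or secret_id not in self.secrets:
            self.send_error(404, "not found")
            return
        body = json.dumps({"Name": secret_id, "SecretString": self.secrets[secret_id]}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                 # keep the demo output quiet
        pass


def start_fake_agent(token, secrets):
    """Serve the stand-in on 127.0.0.1 with an ephemeral port; returns (server, base_url)."""
    handler = type("Handler", (FakeAgent,), {"token": token, "secrets": secrets})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo():
    """Three cases against the stand-in: correct token, no token, wrong token."""
    token = "0123456789abcdef0123456789abcdef"   # constructed; the real agent generates a random one
    secrets = {"prod/db/creds": json.dumps({"username": "app", "password": "constructed-pw"})}
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:   # stands in for /var/run/awssmatoken
        fh.write(token + "\n")
        token_path = fh.name
    server, base_url = start_fake_agent(token, secrets)
    try:
        good = try_get("prod/db/creds", read_token(token_path), base_url)
        no_token = try_get("prod/db/creds", "", base_url)
        bad_token = try_get("prod/db/creds", "not-the-token", base_url)
    finally:
        server.shutdown()
        server.server_close()
        os.unlink(token_path)
    return {"with_token": good, "without_token": no_token, "wrong_token": bad_token}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against the real sidecar, drop the stand-in and call get_secret("prod/db/creds", read_token()) with the default base URL. Mount the token file read-only into the application container and keep its permissions tight: the token is what stands between a request-forgery primitive and your secrets.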

AWS Secrets Manager PrivateLink Support for FIPS Endpoints

🔐 AWS Secrets Manager now supports AWS PrivateLink with all Secrets Manager Federal Information Processing Standard (FIPS) endpoints available in commercial AWS Regions and the AWS GovCloud (US) Regions. With this launch you can establish a private connection between your VPC and Secrets Manager FIPS endpoints instead of connecting over the public internet. This capability helps organizations meet compliance and regulatory requirements that limit public internet connectivity.