< ciso
brief />
Tag Banner

All news with #aws secrets manager tag

23 articles

AWS Secrets Manager adds Paddle and GitLab support

πŸ” AWS Secrets Manager now supports managed external secrets for Paddle API Keys and GitLab Access Tokens. This feature enables automatic rotation of third-party credentials directly from AWS Secrets Manager, using Paddle's native rotation API and GitLab's atomic rotation mechanism. Customers can rotate Paddle API keys with a configurable grace period and rotate GitLab Personal, Group, and Project Access Tokens. These integrations join existing partners and are available in all Regions where managed external secrets is supported.
read more β†’

Agent Toolkit Adds Secret Safety Skill for Agents

πŸ”’ AWS Secrets Manager introduces a secret safety skill in the aws-core plugin for the Agent Toolkit for AWS, enabling AI coding agents to use secrets without exposing values to models or session logs. The skill prevents models from requesting raw secret values and prompts developers to clarify intent while constructing commands that reference secrets. A child process resolves secret references at execution time, keeping plaintext secrets out of agent context and logs. The feature is available across supported agent harnesses and Regions where Secrets Manager is offered.
read more β†’

AWS Secrets Manager adds Datadog and Snowflake support

πŸ” AWS Secrets Manager now supports managed external secrets for Datadog vended keys and Snowflake Programmatic Access Tokens, enabling automatic rotation of third-party credentials directly within Secrets Manager. The update covers Datadog API keys, Application keys, and admin credential pairs for service accounts. For Snowflake, Secrets Manager can rotate Programmatic Access Tokens using Snowflake's native authentication and offers a configurable grace period to minimize disruption. These additions join existing integrations such as BigID, Confluent Cloud, MongoDB Atlas, and Salesforce and are available in all Regions where managed external secrets is supported.
read more β†’

Secrets Manager Agent Adds Pre-Fetching and Role Assumption

πŸ”’ The AWS Secrets Manager Agent now supports pre-fetching secrets at startup and assuming an IAM role for retrieval. With pre-fetching you can specify a list of secrets or a tag to retrieve and cache via BatchGetSecretValue, reducing application startup latency and API overhead. The agent can also assume a provided role ARN per pre-fetch or HTTP request to enable cross-account secret retrieval. These capabilities are available in all Regions where Secrets Manager is offered.
read more β†’

AWS Secrets Manager Enables Hybrid Post-Quantum TLS

πŸ” AWS Secrets Manager now prefers hybrid post-quantum TLS (ML‑KEM) for supported clients to reduce harvest-now, decrypt-later risk. Customers using the listed clients and SDK versions can get ML‑KEM key exchange without code changes; secrets at rest remain encrypted with AWS KMS and symmetric algorithms are considered quantum-resistant. Verify client negotiation via CloudTrail tlsDetails.keyExchange == X25519MLKEM768 and check SDK/OpenSSL requirements (for example, OpenSSL 3.5+ for Python). CRYSTALS‑Kyber support is being phased out in 2026, so upgrades are recommended to avoid fallback to traditional TLS.
read more β†’

AWS Secrets Manager Adds MongoDB and Confluent Support

πŸ” AWS Secrets Manager now supports managed external secrets for MongoDB Atlas and Confluent Cloud, enabling centralized secret storage and automatic rotation without building custom Lambda rotation functions. The MongoDB integration handles database user credentials (SCRAM) and service account OAuth client ID/secret; Confluent automates API key rotation for service accounts with cluster-scoped and cloud resource management keys. Automatic rotation is enabled by default to remove hardcoded credentials and reduce operational overhead.
read more β†’

AWS Secrets Manager Adds Hybrid Post‑Quantum TLS Support

πŸ” AWS Secrets Manager now supports hybrid post-quantum TLS key exchange using ML-KEM (a module-lattice-based KEM) to secure secret retrieval. The capability is automatically enabled in Secrets Manager Agent (v2.0.0+), Lambda Extension (v19+), and Secrets Manager CSI Driver (v2.0.0+); supported SDKs include Rust, Go, Node.js, Kotlin, Python (OpenSSL 3.5+), and Java v2 (v2.35.11+). No code or configuration changes are required for up-to-date clients except Java v2. You can verify hybrid key exchange in CloudTrail GetSecretValue events by checking the tlsDetails field for the X25519MLKEM768 algorithm.
read more β†’

AWS Secrets Manager Console Accepts Custom KMS ARNs

πŸ”’ The AWS Secrets Manager console now lets you enter a custom customer-managed AWS KMS key ARN when creating secrets. Previously, the console only presented keys from the current account in a dropdown. By accepting direct KMS key ARNs, the console now supports keys in other accounts and aligns with existing API capabilities. This change simplifies cross-account encryption workflows and offers more flexible key management across accounts.
read more β†’

AWS DataSync Adds Secrets Manager Support for All Locations

πŸ” AWS DataSync now integrates with AWS Secrets Manager for credential management across all DataSync location types, including HDFS and Amazon FSx variants. Customers can centralize secrets in their account and optionally encrypt them with a customer-managed AWS KMS key to meet governance requirements. DataSync supports providing a secret ARN you manage or having DataSync automatically create and manage secrets. This capability is available in the majority of AWS regions where DataSync is offered.
read more β†’

Amazon Bedrock AgentCore Browser Adds Proxy Support

πŸ”’ Amazon Bedrock AgentCore Browser now accepts customer-provided proxy configurations, allowing organizations to route browser sessions through corporate or regional proxy infrastructure for geo-targeting, compliance, and stable egress addresses. The feature supports both HTTP and HTTPS protocols and integrates with AWS Secrets Manager for secure credential management. It is available in all 14 regions where AgentCore Browser is offered.
read more β†’

AWS Secrets Manager adds flexible secret sorting options

πŸ“Œ AWS announced enhanced sorting for AWS Secrets Manager, enabling console and ListSecrets API users to sort secrets by name, last changed date, last accessed date, and creation date. The update expands the previous single-dimension creation-date sort to multiple dimensions, improving secret discovery, management, and operational workflows. The new sorting capabilities are available now in the Secrets Manager console and via the ListSecrets API across all AWS commercial and AWS GovCloud (US) Regions.
read more β†’

AWS Secrets Store CSI Driver Add-on for Amazon EKS

πŸ” This post introduces the AWS provider for the Secrets Store CSI Driver and the new Amazon EKS add-on that mounts Secrets Manager secrets and Systems Manager parameters as files in Kubernetes pods. The add-on simplifies installation compared with Helm or kubectl, supports EC2 and hybrid nodes, and includes security patches and FIPS endpoint options. The walkthrough covers prerequisites, creating a test secret, installing the add-on, configuring an IAM role and EKS Pod Identity association, deploying an example pod that mounts the secret at /mnt/secrets-store, validating retrieval, and cleaning up resources.
read more β†’

AWS Secrets Manager Introduces Managed External Secrets

πŸ” AWS Secrets Manager now supports managed external secrets, a new secret type that standardizes storage and enables automated rotation for third-party application credentials such as Salesforce, Snowflake, and BigID. The feature separates rotation metadata from secret values and integrates directly with providers to remove the need for custom rotation functions. It leverages existing IAM, CloudWatch, CloudTrail, GuardDuty, and KMS controls and follows standard Secrets Manager pricing with no additional charge.
read more β†’

Amazon EKS add-on: AWS Secrets Store CSI Driver Provider

πŸ” AWS has announced general availability of the Amazon EKS add-on for the AWS Secrets Store CSI Driver provider, enabling clusters to mount secrets from AWS Secrets Manager and parameters from AWS Systems Manager Parameter Store as files on Kubernetes workloads. The add-on installs and manages the AWS provider component and supports automated setup and lifecycle management for new and existing Amazon EKS clusters. It is available in all AWS commercial and AWS GovCloud (US) Regions.
read more β†’

AWS Secrets Manager: Managed External Secrets Launch

πŸ” AWS Secrets Manager introduces managed external secrets, a default-enabled feature that automates rotation for third-party SaaS credentials using provider-supported rotation strategies. The service removes the need to build and maintain rotation Lambda functions by enforcing a vendor-prescribed secret format and offering multiple rotation approaches. An onboarding guide enables any SaaS provider to join as a partner and publish prescriptive rotation guidance. At launch, the feature lists Salesforce, BigID, and Snowflake, and is available in all Regions where Secrets Manager operates.
read more β†’

Amazon FSx Integrates with AWS Secrets Manager for AD

πŸ”’ Amazon FSx now integrates with AWS Secrets Manager to store and manage Active Directory domain service account credentials for FSx for Windows File Server and FSx for NetApp ONTAP Storage Virtual Machines (SVMs). This removes the need to supply plain-text service account usernames and passwords in the console, APIs, CLI, or CloudFormation, and enables credential rotation and improved credential hygiene. The capability is available in all AWS Regions where FSx is offered.
read more β†’

Spike in Automated Botnet Attacks Targeting PHP, IoT

πŸ” Cybersecurity researchers warn of a sharp rise in automated botnet campaigns targeting PHP servers, IoT devices, and cloud gateways. The Qualys Threat Research Unit says Mirai, Gafgyt, Mozi and similar botnets are exploiting known CVEs, misconfigurations and exposed secrets to recruit vulnerable systems. Attackers leverage active debug interfaces (for example using '/?XDEBUG_SESSION_START=phpstorm'), scan from cloud providers to mask origin, and turn compromised routers and DVRs into residential proxies. Recommended mitigations include prompt patching, removing development tools from production, securing secrets with AWS Secrets Manager or HashiCorp Vault, and restricting public cloud access.
read more β†’

Choosing the Right AWS Service for Secrets and Configs

πŸ” AWS outlines when to use Secrets Manager, Systems Manager Parameter Store, and AWS AppConfig to manage credentials, configuration values, and feature flags. The guidance recommends Secrets Manager for sensitive credentials that need rotation and multi‑Region replication, Parameter Store for simple or high‑volume key/value data, and AppConfig for validated, controlled deployments. The post compares encryption, access controls, replication, monitoring, and pricing to help architects select the best fit.
read more β†’

CloudWatch Synthetics: Bundled Multi-Check Canaries

πŸ”§ Amazon CloudWatch Synthetics now offers bundled multi-check blueprints that let teams define comprehensive synthetic tests using a single JSON configuration file. A single canary can include up to 10 steps covering HTTP (with varied authentication), DNS, SSL certificate checks and TCP ports, and supports complex assertions on status, latency, headers and response body. Integration with AWS Secrets Manager secures credentials, while step-by-step results and console debugging simplify implementation compared with writing multiple custom canaries.
read more β†’

AWS PCS Adds Slurm Cluster Secret Rotation Support

πŸ” AWS Parallel Computing Service (PCS) now supports rotation of Slurm cluster secret keys using AWS Secrets Manager. Administrators can update the credentials used for authentication between the Slurm controller and compute nodes without recreating a cluster, preserving running workloads and configuration. Regular rotation reduces the risk of credential compromise and helps meet security best practices and compliance requirements. The capability is available in all Regions where PCS operates and can be initiated from the Secrets Manager console or via API after preparing the cluster for rotation.
read more β†’