
013 - Use AWS Secrets Manager for Secrets

Date: 2020-11-07

Status

✅ Accepted

Context

There is a need to store infrastructure secrets securely in the PTTP programme. Typical examples of secrets include API keys for external services and AWS account IDs.

Decision

Use AWS Secrets Manager.

- Aligned with MoJ Security Guidance
- Compatible with AWS services e.g. CodePipelines
- AWS Secrets Manager has the ability to automatically rotate secrets for AWS RDS access.
- AWS Secrets Manager has a higher cost than AWS SSM Parameter Store.
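As an added example of how an application consumes a secret held in AWS Secrets Manager (this is not code from the page or from the PTTP programme), the function below reads a secret with the boto3 GetSecretValue API, decodes either form the service can return, and caches the value for a short time so that a process does not pay for one API call per request. The secret name and the cache lifetime are assumptions; the client is injectable so the logic can be exercised without AWS credentials.

```python
"""Read a secret from AWS Secrets Manager with boto3 (added example, not from the page)."""
import json
import time
from typing import Any, Callable, Dict, Optional

# Assumed secret name for illustration only; not a value from the original page.
EXAMPLE_SECRET_ID = "pttp/example/external-api-key"

# Every GetSecretValue call is billed, so keep a short-lived in-process copy.
# The TTL is an assumption; keep it short so a rotated secret is picked up quickly.
CACHE_TTL_SECONDS = 300
_CACHE: Dict[str, tuple] = {}


def default_client():
    """Build a real boto3 Secrets Manager client (region/credentials from the usual AWS config)."""
    import boto3  # imported lazily so this module loads even where boto3 is not installed
    return boto3.client("secretsmanager")


def parse_secret_value(response: Dict[str, Any]) -> Any:
    """Turn a GetSecretValue response into a usable value.

    Secrets Manager returns either SecretString (text, commonly a JSON object of
    key/value pairs, which is the shape RDS rotation uses) or SecretBinary (bytes).
    A JSON object is decoded into a dict; any other text is returned unchanged so a
    plain token such as "12345" is not silently turned into a number.
    """
    if "SecretString" in response:
        text = response["SecretString"]
        try:
            decoded = json.loads(text)
        except ValueError:
            return text
        return decoded if isinstance(decoded, dict) else text
    if "SecretBinary" in response:
        return response["SecretBinary"]  # boto3 has already base64-decoded this to bytes
    raise ValueError("GetSecretValue response carried neither SecretString nor SecretBinary")


def get_secret(secret_id: str, client=None, now: Callable[[], float] = time.time) -> Any:
    """Return the current (AWSCURRENT) value of a secret, cached for CACHE_TTL_SECONDS.

    `client` may be any object with a boto3-compatible get_secret_value(SecretId=...)
    method; when omitted a real boto3 client is built.
    """
    cached = _CACHE.get(secret_id)
    if cached and cached[0] > now():
        return cached[1]
    client = client or default_client()
    response = client.get_secret_value(SecretId=secret_id)
    value = parse_secret_value(response)
    _CACHE[secret_id] = (now() + CACHE_TTL_SECONDS, value)
    return value


def invalidate(secret_id: Optional[str] = None) -> None:
    """Drop cached values, e.g. after an authentication failure that suggests a rotation."""
    if secret_id is None:
        _CACHE.clear()
    else:
        _CACHE.pop(secret_id, None)


if __name__ == "__main__":
    # Requires AWS credentials with secretsmanager:GetSecretValue on the named secret.
    print(type(get_secret(EXAMPLE_SECRET_ID)))
```

The IAM principal running this code needs only `secretsmanager:GetSecretValue` on the specific secret ARN, which keeps read access scoped to the secrets a service actually uses; the cache TTL is the trade-off between API cost and how quickly a rotated value is observed.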

Alternative Considerations:

HashiCorp Vault

HashiCorp Vault is an open-source secret management solution. In order to use it we would have to host and manage an instance of the service ourselves. The cost of hosting, as well as the time to ensure data has appropriate backups, gives this service a high maintenance cost and overhead.

This page was last reviewed on 7 November 2024. It needs to be reviewed again on 7 May 2025 by the page owner #nvvs-devops .