AWS Secrets Cheatsheet

Top patterns.

Overview

The Secrets Manager CLI cheatsheet captures the patterns operators actually use during AWS secrets investigation. Rotation, encryption, and access control are the three concerns; getting all three right is the difference between "we have secrets management" and "we have working secrets management."

• Top patterns. get-secret-value, create-secret, put-secret-value, rotate-secret; the four investigation paths.
• Automated rotation. Lambda-driven secret rotation; reduces secret lifetime; reduces breach blast radius.
• Per-region replication. Cross-region secret replication; supports multi-region workloads without manual sync.
• Resource-based policy plus KMS encryption. Cross-account access via resource policy; per-secret KMS key for compliance-grade encryption.

The approach

The practical approach: rotation by default, IAM-controlled access, KMS-encrypted, per-secret policy documented. The team’s discipline produces secure secrets that survive audit.

• aws secretsmanager get-secret-value --secret-id mysecret. Read a secret; the canonical access path; cached at the SDK level.
• aws secretsmanager create-secret --name mysecret --secret-string ... Create the secret; matches CI workflows that bootstrap secrets at deploy time.
• aws secretsmanager rotate-secret --rotation-lambda-arn ... Schedule rotation; the operational primitive that reduces secret lifetime.
• aws secretsmanager describe-secret. Metadata only; safe to call broadly; supports investigation without exposing the value.
• Document the secret. Per-secret rotation policy committed to the repo; supports operational reviews and audit response.

Why this compounds

Secrets Manager fluency compounds across services. Each rotated secret reduces exposure; the team’s secrets posture matures; breach blast radius shrinks as adoption grows.

• Reduced credential exposure. Rotation reduces breach impact; a compromised secret is valid for hours, not years.
• Better audit trail. CloudTrail captures secret access; the audit log answers "who read this secret when?"
• Better incident response. Rotation supports compromised-credential response; the on-call rotates and moves on.
• Institutional knowledge. Each command teaches secrets patterns; the team’s identity engineering muscle grows.

Secrets Manager fluency is a security discipline that pays off across years. Nova AI Ops integrates with secrets telemetry, surfaces patterns, and supports the team’s identity discipline.