How do I audit secrets access?
Use AWS CloudTrail to log all GetSecretValue API calls. Regularly review who accessed secrets and when. Use Secrets Manager's built-in rotation tracking (LastRotatedDate). Set up CloudWatch alerts for unusual access patterns (e.g., access from unknown IPs).
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in Production Secrets Management Strategy From .env to AWS Secrets Manager
Use AWS Secrets Manager for production (encrypted at rest, IAM-controlled, audit trail, auto-rotation). Use .env with restricted permissions (chmod 600) for staging. Use .env for development. Never commit any .env to Git. Rotate secrets regularly.
Support multiple JWT secrets during rotation: verify tokens with any of the old and new secrets, but sign new tokens with the new secret. After 7 days (token expiry), remove the old secret. Users with old tokens stay logged in until their token expires.
Export from Secrets Manager, encrypt with GPG (gpg --cipher-algo AES256), and store in an S3 bucket with KMS encryption. Store the GPG passphrase separately (e.g., in a password manager or separate KMS key). Test restoration periodically.
Still have questions?
Browse all our FAQs or reach out to our support team
