Securing sensitive data by using AWS Secrets Manager and HashiCorp Terraform - AWS Prescriptive Guidance

Securing sensitive data by using AWS Secrets Manager and HashiCorp Terraform

Amazon Web Services (AWS)

January 2024

Management of sensitive data, including credentials, secret strings, and passwords, is a recognized pillar of infrastructure management and application development and deployment. To help protect your organization, adopt best practices for managing sensitive data in the cloud. Protection of sensitive data is a prerequisite for security and compliance. AWS Secrets Manager can help secure sensitive data in your environment as secrets.

This guide reviews best practices for secrets, such as how to retrieve secrets from Secrets Manager and how to use AWS Lambda to rotate secrets automatically. It also provides recommendations for managing and governing secrets by using hierarchical names. Finally, it covers managing the use of and access to secrets, including centralization, Terraform integration, and networking considerations.

HashiCorp Terraform has been broadly adopted in the industry as an infrastructure as code (IaC) solution. However, Terraform records sensitive data in plain text in its state file. This guide contains best practices for using Terraform to manage sensitive data and to create and use Secrets Manager secrets.
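The state-file exposure described above can be checked directly. The following audit script is an added example, not code from the AWS guide: it walks a Terraform v4 state document, reports string attributes that the provider marked sensitive or whose names match a constructed secret-name pattern, and runs against an embedded, constructed sample state (the resource addresses, account-free attribute values, and password are all made up).

```python
"""Audit a Terraform v4 state file for secrets stored in plain text (added example)."""
import json
import re
import sys

# Heuristic attribute names that usually carry secret material (constructed list).
SECRET_KEY_RE = re.compile(r"(password|secret_string|secret_binary|private_key|token)$")


def provider_sensitive_attrs(instance):
    """Names of top-level attributes the provider flagged in 'sensitive_attributes'."""
    names = set()
    for path in instance.get("sensitive_attributes", []):
        for step in path:  # the first get_attr step names the attribute
            if step.get("type") == "get_attr":
                names.add(step["value"])
                break
    return names


def find_plaintext_secrets(state):
    """Return (address, attribute, reason) for each non-empty secret-bearing string.
    The value itself is deliberately not returned, so the audit output is not a second leak."""
    findings = []
    for res in state.get("resources", []):
        address = f'{res["type"]}.{res["name"]}'
        for inst in res.get("instances", []):
            flagged = provider_sensitive_attrs(inst)
            for key, value in inst.get("attributes", {}).items():
                if not isinstance(value, str) or value == "":
                    continue
                if key in flagged:
                    findings.append((address, key, "provider-marked sensitive"))
                elif SECRET_KEY_RE.search(key):
                    findings.append((address, key, "name matches secret pattern"))
    return findings


# Constructed sample state: one random_password feeding a Secrets Manager secret version
# and an RDS instance. The RDS password is left unmarked here to exercise the name heuristic.
SAMPLE_STATE = {"version": 4, "resources": [
    {"mode": "managed", "type": "random_password", "name": "db", "instances": [
        {"attributes": {"id": "none", "length": 16, "result": "Xy7!pQ9#mL2$vR4w"},
         "sensitive_attributes": [[{"type": "get_attr", "value": "result"}]]}]},
    {"mode": "managed", "type": "aws_secretsmanager_secret_version", "name": "db", "instances": [
        {"attributes": {"secret_id": "db", "secret_string": "Xy7!pQ9#mL2$vR4w",
                        "version_stages": ["AWSCURRENT"]},
         "sensitive_attributes": [[{"type": "get_attr", "value": "secret_string"}]]}]},
    {"mode": "managed", "type": "aws_db_instance", "name": "db", "instances": [
        {"attributes": {"identifier": "app-db", "password": "Xy7!pQ9#mL2$vR4w", "username": "admin"},
         "sensitive_attributes": []}]},
]}

if __name__ == "__main__":
    state = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_STATE
    for address, key, reason in find_plaintext_secrets(state):
        print(f"{address}: attribute '{key}' is stored in plain text ({reason})")
```

Run it with the path to a real `terraform.tfstate` to list which resource attributes would be readable by anyone with access to the state backend.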

Intended audience

This guide is intended for organizations that want to use Terraform as an IaC solution. The best practices in this guide are designed to help database architects, infrastructure teams, and application developers. Familiarity with Terraform is a prerequisite for this guide.

Objectives

The following are the business outcomes you can expect to achieve after implementing the recommendations in this guide:

  • Innovate faster by automating the management of secrets.

  • Improve your organization's security posture in the AWS Cloud.

The following are the technical outcomes you can expect to achieve after implementing the recommendations in this guide:

  • Use Secrets Manager to help prevent exposure of sensitive data in the Terraform state file.

  • Centralize management of secrets and sensitive data in order to improve governance and achieve compliance.

  • Enforce security best practices in your organization's processes for deploying cloud infrastructure.