AWS Secrets Manager is extending its capabilities to natively manage and rotate not just AWS secrets, but also third-party or non-AWS secrets.
This new feature, called "Manage External Secrets", addresses the challenges customers face in securely rotating and managing third-party secrets.
Customer Pain Points
Manually managing third-party secrets, such as Salesforce API keys, is complex and error-prone.
Customers have to build custom Lambda functions to rotate each third-party secret, which introduces operational overhead, security risks, and potential downtime.
The lack of a centralized, automated solution for third-party secret management leads to inefficient manual processes and increased risk of business disruption.
Desired Capabilities
Centralized onboarding and management of third-party credentials to enable self-service for application teams.
Seamless, automated credential rotation to minimize business interruption.
Secret replication across multiple regions to support geographically distributed applications.
Comprehensive compliance and governance for secret rotation.
Introducing "Manage External Secrets"
AWS Secrets Manager now integrates with select third-party services to natively manage and rotate their secrets.
The initial launch includes integrations with three partner services, with more to come based on customer feedback.
The integration process involves defining a predefined format and metadata for each third-party service, which is then used to seamlessly onboard and manage their secrets.
Key Features and Benefits
Operational Efficiency: Streamlined secret onboarding and management, eliminating the need for custom Lambda functions.
Automated Compliance: Automatic secret rotation based on defined policies, reducing the risk of manual errors and ensuring timely updates.
Centralized Visibility: Unified oversight of both internal and external secrets, providing a comprehensive view of secret management.
Improved Security: Removing the human element from secret handling, as the system, not individuals, manages the secrets.
Reduced Downtime Risk: Automated rotation process ensures applications continue to function without interruption.
Demo Walkthrough
The demo showcases the process of setting up a Salesforce secret in the "Manage External Secrets" console.
The predefined format and metadata for the Salesforce secret are configured, allowing for seamless onboarding.
Once the secret is created, it is automatically enabled for rotation, with the system handling the entire process behind the scenes.
The demo highlights secret versioning and the "AWSCURRENT" staging label, which ensures the application always retrieves the most recently rotated value.
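To make the versioning behaviour concrete, the following is an added example (not code from the talk or from AWS): a constructed in-memory stand-in for the Secrets Manager version store that models the real staging labels AWSCURRENT, AWSPENDING and AWSPREVIOUS, so you can see why an application that always reads AWSCURRENT keeps working through a rotation. The store, version values and the sf-key names are all constructed; it does not call boto3.

```python
"""Constructed model of Secrets Manager version staging labels.
Stand-in for the real service (no boto3); label names are the real ones."""
from dataclasses import dataclass, field
import uuid


@dataclass
class SecretStore:
    versions: dict = field(default_factory=dict)  # version_id -> secret value
    labels: dict = field(default_factory=dict)    # staging label -> version_id

    def create(self, value: str) -> str:
        vid = str(uuid.uuid4())
        self.versions[vid] = value
        self.labels["AWSCURRENT"] = vid           # first version is current
        return vid

    def stage_pending(self, value: str) -> str:
        """Rotation step 1: new credential is stored under AWSPENDING.
        Readers of AWSCURRENT are not affected yet."""
        vid = str(uuid.uuid4())
        self.versions[vid] = value
        self.labels["AWSPENDING"] = vid
        return vid

    def promote_pending(self) -> str:
        """Rotation final step: AWSCURRENT moves to the pending version and
        the old version keeps AWSPREVIOUS. Unlabelled versions are treated
        as deprecated, as Secrets Manager does, and dropped here."""
        pending = self.labels.pop("AWSPENDING")
        self.labels["AWSPREVIOUS"] = self.labels["AWSCURRENT"]
        self.labels["AWSCURRENT"] = pending
        live = set(self.labels.values())
        self.versions = {v: s for v, s in self.versions.items() if v in live}
        return pending

    def get_secret_value(self, version_stage: str = "AWSCURRENT") -> str:
        """What an application calls: resolve a label, never a version id."""
        return self.versions[self.labels[version_stage]]


def rotation_demo() -> dict:
    """Walk one rotation and record what an AWSCURRENT reader sees."""
    store = SecretStore()
    store.create("sf-key-v1")                     # constructed sample value
    before = store.get_secret_value()
    store.stage_pending("sf-key-v2")              # new credential being validated
    during = store.get_secret_value()             # still v1: no interruption
    store.promote_pending()
    after = store.get_secret_value()              # now v2 without any app change
    return {"before": before, "during": during, "after": after,
            "previous": store.get_secret_value("AWSPREVIOUS"),
            "versions_kept": len(store.versions)}
```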
Conclusion and Next Steps
AWS is committed to expanding the "Manage External Secrets" feature to support more third-party service integrations based on customer feedback and demand.
Customers interested in integrating additional third-party services are encouraged to reach out to their AWS Sales representatives or Technical Account Managers.
Relevant technical documentation and resources are available for further exploration.