AWS Secrets Manager - Secrets Replication

Introduction

AWS Secrets Manager helps you protect the secrets needed to access your applications, services, and IT resources. The service lets you rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to the Secrets Manager API, which removes the need to hardcode sensitive information in plain text. Given how important a secret stored in Secrets Manager is, you must be prepared for failures, and keeping a replica of the secret in another Region is a key part of that. This exercise teaches exactly that: replicating a secret into more than one Region.

Solution Overview

Secrets Manager Architecture

Objective

This exercise walks you step by step through replicating a secret in AWS Secrets Manager from a source AWS Region to another Region.

Required knowledge:

  • Basic use of the AWS Console

By the end of this exercise, you will be able to:

  • Replicate AWS Secrets Manager secrets across AWS Regions

Estimated Duration: 20 minutes

Approximate Cost: 1 USD

Overview

In this exercise, the following steps will be performed:

  1. Replicate the Secret to Another Region
  2. Find the Replicated Secret

NOTE: In this exercise, the secret is replicated from the primary Region, N. Virginia (us-east-1), to the secondary Region, Ohio (us-east-2); the same procedure works for other Regions.

Execution

Create a Secret

  1. Access the AWS Secrets Manager service: https://console.aws.amazon.com/secretsmanager/
  2. Click Store a new secret
  3. On the Store a new secret screen, select Other type of secrets. This type is used for secrets that are not database credentials.
  4. In the section Specify the key/value pairs to be stored in this secret, type MyFirstSecret in the first field (the key) and enter your secret value in the second field.
  5. Click Next
  6. Enter the name of the secret in the field Secret name
  7. Click Next
  8. In step 3, click Next
  9. In step 4 - Review, click Next

Replicating the Secret

  1. Locate the secret you created under AWS Secrets Manager > Secrets

  2. Click the Secret you want to replicate to another region

  3. On the selected secret's page, click Replicate secret to other regions

  4. In the Add replica regions dialog, configure the replication details. In the AWS Region field, select Ohio

  5. Click Complete adding region(s)

     You can add more than one region for replication by clicking Add more regions.

Done! You have just replicated your secret to another AWS Region.

Viewing the result

  1. Switch to the Region the secret was replicated to (Ohio)

  2. Find the replicated secret under AWS Secrets Manager > Secrets

The replicated secret stays linked to the primary secret and follows its changes; to make it independent, click Promote to standalone secret.

Cleaning up

  1. Access the AWS Secrets Manager Service in the Primary Region Virginia: https://console.aws.amazon.com/secretsmanager/
  2. Click the secret you created.
  3. In the Replicate Secret section, select Actions > Delete Replica.
  4. On the Delete Replica screen, confirm by typing the Region in which the replica should be deleted (us-east-2) and click Delete Replica.
  5. Go to the top of the page and click Actions > Delete secret.
  6. On the Disable secret and schedule deletion screen, confirm by clicking Schedule deletion.
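
The four console sections above (create, replicate, verify, clean up) map onto a handful of AWS CLI calls. The script below is an added example, not part of the original exercise, and shows the same flow from a terminal. It assumes AWS CLI v2 with credentials allowed to manage the secret, uses the exercise's Regions (us-east-1 as primary, us-east-2 as replica), and the names SECRET_NAME, RUN_REPLICATION_DEMO and the helper functions are hypothetical names chosen for this example. The secret value is read from a temporary file instead of being typed on the command line, so it does not land in shell history or `ps` output, and the replicas are removed before the primary is deleted, mirroring the clean-up order above.

```shell
#!/bin/sh
# Added example (not from the original exercise): create / replicate / verify /
# clean up a Secrets Manager secret with the AWS CLI. Assumes AWS CLI v2 and a
# configured profile; Region and name defaults follow the exercise.
set -eu

PRIMARY_REGION="${PRIMARY_REGION:-us-east-1}"
REPLICA_REGIONS="${REPLICA_REGIONS:-us-east-2}"   # space-separated list
SECRET_NAME="${SECRET_NAME:-MyFirstSecret}"       # hypothetical name

# Offline sanity check: each replica must be a well-formed Region name,
# differ from the primary, and appear once. Returns 1 on the first problem.
validate_replica_regions() {
  primary="$1"; shift
  seen=" "
  for r in "$@"; do
    printf '%s' "$r" | grep -Eq '^[a-z]{2}(-[a-z]+)+-[0-9]$' || { echo "bad region: $r" >&2; return 1; }
    [ "$r" != "$primary" ] || { echo "replica equals primary: $r" >&2; return 1; }
    case "$seen" in *" $r "*) echo "duplicate region: $r" >&2; return 1;; esac
    seen="$seen$r "
  done
}

# Turns "us-east-2 eu-west-1" into the shorthand the CLI expects:
# "Region=us-east-2 Region=eu-west-1"
replica_region_args() {
  out=""
  for r in "$@"; do out="${out:+$out }Region=$r"; done
  printf '%s' "$out"
}

create_secret() {
  # $1 is a file holding the secret value; file:// keeps it out of argv.
  aws secretsmanager create-secret --region "$PRIMARY_REGION" \
    --name "$SECRET_NAME" --secret-string "file://$1" \
    --query ARN --output text
}

replicate_secret() {
  # Word-splitting of the Region=... list is intended here.
  aws secretsmanager replicate-secret-to-regions --region "$PRIMARY_REGION" \
    --secret-id "$SECRET_NAME" --add-replica-regions $(replica_region_args "$@") \
    --query 'ReplicationStatus[].[Region,Status]' --output text
}

# Each replica should report InSync before it is relied on for failover.
show_replication_status() {
  aws secretsmanager describe-secret --region "$PRIMARY_REGION" \
    --secret-id "$SECRET_NAME" \
    --query 'ReplicationStatus[].[Region,Status,StatusMessage]' --output text
}

# Reads the copy in the replica Region, which is what a failover would use.
read_from_replica() {
  aws secretsmanager get-secret-value --region "$1" --secret-id "$SECRET_NAME" \
    --query SecretString --output text
}

cleanup() {
  # A primary that still has replicas cannot be deleted: remove them first,
  # then schedule deletion of the primary (7-day recovery window).
  aws secretsmanager remove-regions-from-replication --region "$PRIMARY_REGION" \
    --secret-id "$SECRET_NAME" --remove-replica-regions "$@" >/dev/null
  aws secretsmanager delete-secret --region "$PRIMARY_REGION" \
    --secret-id "$SECRET_NAME" --recovery-window-in-days 7 \
    --query DeletionDate --output text
}

main() {
  validate_replica_regions "$PRIMARY_REGION" $REPLICA_REGIONS
  secret_file="$(mktemp)"; trap 'rm -f "$secret_file"' EXIT
  chmod 600 "$secret_file"
  # Placeholder value; real values should not be embedded in scripts.
  printf '{"MyFirstSecret":"%s"}' "${SECRET_VALUE:-replace-me}" > "$secret_file"
  create_secret "$secret_file"
  replicate_secret $REPLICA_REGIONS
  show_replication_status
  for r in $REPLICA_REGIONS; do
    read_from_replica "$r" >/dev/null && echo "replica in $r is readable"
  done
  cleanup $REPLICA_REGIONS
}

# Only contacts AWS when asked explicitly; otherwise the file just defines functions.
if [ "${RUN_REPLICATION_DEMO:-no}" = "yes" ]; then main; fi
```

Run it with `RUN_REPLICATION_DEMO=yes sh replicate.sh`. The output of `describe-secret` is the check worth watching: a replica in `InProgress` or `Failed` (for example because the chosen KMS key is not usable in the replica Region) is not a copy you can fail over to yet.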

Conclusion

In this exercise you learned how to replicate secrets to another Region using AWS Secrets Manager. If an incident affects the primary Region, you can use the replicated secrets to access your resources in another AWS Region.

Source: AWS Secrets Manager