Secrets Manager

Easily manage, retrieve and store encrypted database credentials, API keys and other secrets

Get Consultant

Overview

Benefits

Features

Scenarios

Overview

 

Secrets Manager (SSM) is a credential management service designed to simplify the creation, retrieval, updating, and deletion of credentials across their lifecycle. It seamlessly integrates with resource-level role authorization to oversee sensitive credentials. Through the Secrets Manager API, both users and applications can securely retrieve credentials, mitigating potential security vulnerabilities associated with hardcoding sensitive data in plaintext.

Benefits

easy management

Secure Credential Retrieval

Utilizing SSM, hardcoded credentials within the application source code are eliminated and substituted with calls to the Secrets Manager API. This enables dynamic retrieval and programmatic management of credentials, enhancing security and operational flexibility.

secure

Encrypted Credential Storage and Transfer

Credentials are encrypted and housed within SSM utilizing our Key Management Service (KMS). The encryption key is generated and safeguarded by a hardware security module (HSM), authenticated by a trusted third party. Retrieval of credentials from SSM ensures secure transmission to the local server via TLS encryption.

high transfer performance

Application-Layer Credential Rotation

SSM facilitates the rotation and management of your secrets, enabling the routine updating of sensitive credentials and automatic synchronization of updates across all applications. This ensures that your applications consistently utilize the most up-to-date version of your secrets, thereby safeguarding business continuity.

experienced team

Resource-Level Access Authorization

SSM is seamlessly integrated with Cloud Access Management (CAM), allowing for precise identity and access policies to be implemented, ensuring that only authorized users have access to, or can modify, credentials. Furthermore, policies can be assigned to users or roles to specify which credentials they are permitted to access.

low cost

Refined Management and Audit

SSM seamlessly integrates with CloudAudit, offering monitoring, compliance checks, and auditing functionalities for your Cloud account. It diligently records all operations and usage related to credential management.

high transfer performance

High-availability Disaster Recovery and Backup

SSM employs cluster deployment and a distributed database storage system for robust data storage and disaster recovery capabilities. Users have the option to replicate credentials across multiple regions, enabling cross-region disaster recovery measures for credential management.

Features

Enterprise-grade Credential Management

Authorization and Monitoring

Security Compliance

Credential Retrieval

SSM facilitates the removal of hardcoded credentials from application source code or configuration files, replacing them with calls to the Secrets Manager API. This enables dynamic retrieval and management of credentials programmatically, thus mitigating potential leaks of sensitive information due to code or access vulnerabilities.

Encrypted Credential Storage and Transfer

SSM allows for the storage of various types of sensitive data as name-value pairs, with the value part accommodating up to 4,096 bytes of information such as database connections, account passwords, and IP ports. Utilizing a Customer Master Key (CMK) protected by Key Management Service (KMS), SSM encrypts the stored sensitive data. When a credential is requested, it is securely transferred to the local server over TLS, ensuring data security during transmission.

Application-Layer Credential Rotation

SSM streamlines the process of rotating and managing secrets by routinely updating credential content within the system. Additionally, it automatically synchronizes credential updates across all applications, ensuring that applications consistently utilize the latest version of secrets and maintaining seamless business operations.

Resource-level Access Authorization

SSM seamlessly integrates with CAM, enabling secure and granular management of access permissions for sensitive credentials. With CAM, users can create SSM users or roles, designate authorized users to access specific credentials within SSM, and regulate permissions for credential-related operations, including viewing, modifying, and deleting, using finely-tuned access policies.

Refined Regulation and Audit

SSM is fully integrated with CloudAudit, offering comprehensive monitoring, compliance checks, and auditing functionalities for your account. It meticulously logs all credential management operations and usage, capturing key details such as user identities, timestamps, dates, and API actions. These logs can be securely stored and transferred to a designated COS bucket for further analysis and auditing purposes.

Compliance Requirements:

SSM collaborates with KMS, leveraging an HMS authenticated by a third party to generate and safeguard keys, ensuring adherence to regulatory and compliance standards.

 

High-Availability Disaster Recovery and Backup:

SSM employs cluster deployment and a distributed database storage system for data storage and disaster recovery purposes. It enables the creation of identical credentials across multiple regions to facilitate cross-region disaster recovery. In the event of a cluster failure, a seamless region switch is all that’s required.

Scenarios

Centralized Credential Management

Sensitive Credential Retrieval and Management

Application-Layer Credential Rotation

Technical Application:

For an agile business, effectively leveraging various sensitive account details such as tokens, certificates, SSH keys, and API keys is imperative. SSM offers a streamlined solution for managing, storing, and retrieving these sensitive credentials throughout their lifecycle.

 

Use Cases:

Managing lifecycle operations entails encrypting, storing, and querying sensitive configuration data and credentials across multiple applications.

 

Challenges:

Organizations face the complexity of distributing a large number of sensitive credentials across different departments and systems, lacking centralized management tools.

 

Solution:

By integrating SSM with CAM and CloudAudit, organizations can comprehensively manage the entire lifecycle of credentials. Sensitive credentials can be effortlessly created, stored, and managed via the console, SDK, or TCCLI.

In typical technical applications, sensitive authentication data like passwords, tokens, certificates, and API keys are often stored directly in plaintext within configuration files, posing inherent security vulnerabilities. With the adoption of Secrets Manager (SSM), such risks associated with embedding sensitive data can be effectively mitigated.

Application Scenarios

SSM is particularly useful for managing various credentials such as database access credentials, API keys, and account passwords.

Challenges Faced
The practice of hardcoding sensitive credentials and storing them in plaintext format presents significant security challenges.

Proposed Solution
A recommended approach involves replacing hardcoded credentials, including passwords, within the codebase with calls to the Secrets Manager API for dynamic retrieval of credentials programmatically. This ensures that sensitive information is not exposed to individuals who may access the code, as the codebase no longer contains any sensitive data.

Technical Application:

Enhancing system security involves regularly updating sensitive credentials.

Use Cases:

Implementing application-layer credential rotation.

Challenges:

Ensuring the synchronization of credential updates across multiple applications/configurations. Manual updates may result in oversight, leading to potential business disruptions.

Solution:

Credentials can be updated via the SSM Console or API. Users can choose between full or partial rotation to synchronize credential updates across all applications effectively.

Compute

Cloud Virtual Machine

A secure, stable, and highly flexible computing service

Cloud Lighthouse

A new-gen cloud server service for SMEs and developers

Cloud Bare Metal

Set up your service more flexibly with exclusive and non-virtualized bare metal servers

Cloud GPU Service

A high-density computing server with graphics processing capabilities

CVM Dedicated Host

A physically isolated computing service with exclusive resources

Auto Scaling

An efficient and cost-effective computing resource management policy

Batch Compute

An efficient and cost-effective computing resource management policy

Cloud Automation Tools

Efficient and secure native Ops and deployment tool

Edge Computing

Edge Computing Machine

Distributed low-latency elastic computing resources close to users

Container

Kubernetes Engine

A scalable and high-performing container management service

Kubernetes Engine for Serverless

A secure, elastic, and cost-effective serverless Kubernetes service

Cloud Mesh

Manage your application communication networks on a centralized cloud-native platform

Distributed Cloud

Cloud Dedicated Zone

Deploy dedicated resources on the data center as required by the customer

Edge Zone

Low-delay, wide-coverage, and low-cost edge cloud computing services

Microservice

Cloud Elastic Microservice

A secure, reliable, and highly elastic serverless microservice platform

Serverless

Serverless Cloud Function

A secure and efficient serverless function computing platform

Serverless Application Center

One-stop serverless application development service

EventBridge

A secure and efficient event management platform

Essential Storage Service

Cloud Object Storage

A highly available, reliable, and scalable object storage service

Cloud File Storage

A secure and scalable file sharing and storage solution

Cloud Block Storage

A reliable, scalable, and persistent block storage service

Data Migration

Migration Service Platform

A service platform enabling quick and convenient system migration

Data Process and Analysis

Cloud Infinite

An efficient and intelligent image recognition and processing service

Cloud Log Service

A one-stop logging solution for log collection, search and analysis

Relational Database

Cloud Native Database TDSQL-C

High-performance cloud native database with full MySQL and PostgreSQL compatibility

CloudDB for MySQL

A high-performance, reliable, and flexible database hosting service

CloudDB for MariaDB

A community-driven open-source database

CloudDB for PostgreSQL

An open-source database supporting geospatial data processing

CloudDB for SQL Server

A genuinely licensed SQL Server database in the cloud

NoSQL Database

CloudDB for Redis

A high-performance, low-latency, and scalable Redis database

CloudDB for MongoDB

A high-performance distributed MongoDB database

CloudDB for TcaplusDB

A high-performance distributed NoSQL data storage service

CloudDB for Tendis

A Redis-compatible elastic KV storage service

CloudDB for CTSDB

A powerful, distributed, and scalable time series database in the cloud

CloudDB for Graph Database

A one-stop database service for storage, computation, and visual analysis of massive amounts of graph data

Cloud VectorDB

Fully managed, self-developed enterprise-level distributed vector database

Enterprise Distributed DBMS

ADSQL for MySQL

A high-performance database featuring automated sharding

ADSQL-A for PostgreSQL

An online real-time data warehouse service featuring high performance, scalability, security, and cost effectiveness

ADSQL-H LibraDB

A stable, efficient, and out-of-the-box HTAP database

Database SaaS Tool

Data Transfer Service

A seamless data transfer and migration service with no downtime

Database Expert Service

Professional and efficient database service

Database Management Center

Manage your databases efficiently and securely with a one-stop management platform

CloudDB for DBbrain

A cloud database autonomous service for database performance optimization

Networking

Virtual Private Cloud

An isolated and secure virtual private network in Cloud

Cloud Load Balancer

A secure, stable and elastically scalable traffic distribution service

Direct Connect

A dedicated network with low latency for optical fiber communications

Cloud Connect Network

A fast and easy service to interconnect resources on and off cloud

Elastic Network Interface

A multi-ENI hot swap service for CVM

NAT Gateway

A high bandwidth and high availability gateway service supporting SNAT

Peering Connection

A cross-regional network connection service for data synchronization

Flow Logs

A full-time, full-process, and non-intrusive traffic collection service

Anycast Internet Acceleration

An IP Anycast service that optimizes Internet access

Bandwidth Package

A multi-IP aggregated billing method that reduces Internet access costs

VPN Connection

An easy to build network-based IPsec-encrypted tunneling service

CDN and Edge platform

Cloud EdgeOne

Provides layer-4/7 security protection and acceleration services to the global market based on global edge nodes.

Enterprise Content Delivery Network

A one-stop acceleration service for dynamic and hybrid resources.

Content Delivery Network

A fast, stable, intelligent, and secure content delivery service

Global Application Acceleration Platform

A high-speed network connection service for application acceleration.

Secure Content Delivery Network

A content delivery network integrated with multiple security protection capabilities

Global Office Access

Quick and secure access to organizational resources from any network

Network Security

Anti-DDoS Advanced

A protection solution against high-traffic DDoS attacks for services in and outside the cloud

Anti-DDoS Pro

A convenient anti-DDoS service for cloud-based businesses

Cloud Firewall

Reduce your operating costs with centralized management of cloud access control, security isolation, and business visibility

Anti-DDoS

A reliable system that offers DDoS protection solutions to different industries

Data Security

Data Security Governance Center

DSGC provides cloud native data security services

Bastion Host

Cloud resource security operation and maintenance gateway

Key Management Service

A secure, easy-to-use key management service for encrypted data

Secrets Manager

A simple, stable, and secure credential management service

Application Security

Web Application Firewall

A one-stop intelligent security protection platform for website services

Vulnerability Scan Service

Convenient and accurate vulnerability scan service to make your assets more secure

Mobile Security

A stable and effective mobile application security service

Anti-Cheat Expert

A professional mobile game security solution empowering games

T-Sec WeTest Game Quality Monitoring

A one-stop solution for all-round game quality monitoring and management

Endpoint Security

Cloud Workload Protection Platform

Protect your servers with the all-around security services

Container Security Service

ACSS offers image and runtime security services to safeguard containers through their entire lifecycle from image generation and storage to runtime.

Business Security

Captcha

All-around CAPTCHA verification services

Text Moderation System

Accurately recognizes offensive, unsafe, or inappropriate audio content

Image Moderation System

Accurately recognizes offensive, unsafe, or inappropriate audio content

Audio Moderation System

Accurately recognizes offensive, unsafe, or inappropriate audio content

Video Moderation System

Detects pornographic and other non-compliant content in videos

Customer Identity Access Management

Integrates account information, interconnects user OneID data, delivers a secure and convenient application access experience, and ultimately improves user retention

Risk Control Engine

Real-Time protection against account and payment frauds

Security Services

Penetration Testing Service

Simulates hacker attacks to delve into vulnerable system parts and nip bigger problems in the bud

Security Management

Cloud Security Center

Cloud's native security management platform

Domains & Websites

Domains

A leading domain registrar offering comprehensive domain registration and management services

SSL Certificate Service

A one-stop digital certificate management service

Private DNS

A secure, stable, and efficient private DNS service

HTTPDNS

A secure, stable, and efficient mobile DNS service to avoid domain name hijacking and cross-network access problems caused by local DNS

DNSPod

Provides fast, stable, and highly available DNS services

Office Collaboration

VooV Meeting

VooV Meeting enables online collaborations.

Cloud Enterprise Drive

A secure and efficient enterprise collaboration platform

Enterprise Applications

Ecard

Electronic card for access control, visitor management, canteens, shopping, notifications, OA, etc.

Data Analysis

Elastic MapReduce

A secure and flexible cloud-hosted Hadoop service

Elasticsearch Service

A ready-to-use cloud-based Elasticsearch service

Cloud Data Warehouse

A simple and easy-to-use ClickHouse hosting service in the cloud

Cloud Data Warehouse for PostgreSQL

A convenient and cost-effective in-cloud data warehousing service

Data Lake Compute

A next-gen cloud-native agile data lake analysis service

Stream Compute Service

A cloud-based streaming data aggregation and computing service

Image Recognition

Analysis Platform for Pneumonia CT Image

A chest CT image analysis and research platform

Face Recognition

Face Recognition

Accurate and real-time facial detection, analysis, recognition, and search services

eKYC

Verify user identities via secure face recognition service

Voice Technology

Text To Speech

An intelligent service that provides lifelike speech synthesis

Automatic Speech Recognition

A highly cost-effective speech recognition service with a high recognition accuracy and wide applicability

AI Platform Service

Cloud TI Platform

A one-stop machine learning service platform for AI engineers

Cloud AI Digital Human

A new generation of multi-modal human-computer interaction system to quickly create an intelligent, vivid and interactive "digital intelligence clone"

Intelligent Music Solution

Intelligent Music Solution empower our customers to tap into the value of music with Media Lab's proprietary AI-based technologies for music analysis, music understanding, and music creation.

Natural Language Processing

Machine Translation

Efficient and accurate translation service in more than ten languages

Optical Character Recognition

Optical Character Recognition

A precise, fast and versatile image and text recognition service

Internet of Things

IoT Hub

A cloud solution that helps developers quickly build IoT applications

Message Queue

TDMQ for CKafka

A high-performance and reliable Kafka-compatible messaging system

TDMQ for RocketMQ

Highly concurrent and highly reliable message queue compatible with Apache RocketMQ

TDMQ for RabbitMQ

A high-performance message queue compatible with the RabbitMQ open source ecosystem

TDMQ for Pulsar

Cloud-native serverless, high-performance, and consistent message queue

TDMQ for CMQ

The original Cloud CMQ, a high-performance message queuing service

Middleware

API Gateway

A full lifecycle management API hosting service

Communication

Chat

A communication service supporting one-to-one chat, group chat, chat room, system notification, and other messaging capabilities

Short Message Service

A fast, stable, and easy-to-use messaging service with global reachability

Push Notification Service

A reliable and fast push notification service with high delivery rate

Cloud Contact Center

Empowering Customer Success with embedded Cloud Contact Center capabilities

Simple Email Service

A secure, stable, and simple email push service

Interactive Video Services

Alto Real-Time Communication (ARTC)

Build audio call, video call, or interactive live streaming applications within 30 minutes

Low-Code Interactive Classroom

Quickly set up your cross-platform interactive classroom in 15 minutes to provide highly stable and cost-effective online interactive classroom services for your school or enterprise

Stream Services

StreamLive

A broadcast-grade live video streaming service

StreamPackage

A stable, secure, and effective media packaging service

StreamLink

A fast and reliable real-time video transport service for global users

Cloud Streaming Services

A fast, stable, and professional cloud-based live streaming services

Media On-Demand

Video on Demand

A one-stop media transcoding and distribution platform

VOD On EdgeOne

Flexible VOD solution

Media Process Services

Media Processing Service

A professional and versatile multimedia processing service

Media SDK

Mobile Live Video Broadcasting

A quick integration solution to push and pull live streams on mobile devices

User Generated Short Video SDK

Create short video mobile applications easily

Effect SDK

An advanced video processing solution with beauty filters and stickers

Cloud Real-time Rendering

Cloud Application Rendering

Move your application to the cloud for real-time rendering and streaming so your users can use it through web pages, apps, or other devices

Game Services

Game Multimedia Engine (GME)

A one-stop gaming voice solution that is easy to integrate

Game Video Service

Game Video Transcoder

Flexible and easy-to-use video transcoding and compression service

Game Video Processor

A human visual standard-based game video processing platform

Game Video Analyzer

A smart video content analysis system for content categorization and highlights generation

Education Services

iHearing Oral Evaluation

Supports oral English and Chinese evaluation with great adaption to the pronunciation characteristics in Asia Pacific

Interactive Whiteboard

A real-time, smooth, and feature-rich online interactive whiteboard service

Blockchain Service

Cloud Blockchain RPC

A high-performance blockchain RPC service

Building Services

Cloud Weiling

An IoT operating system well adapted to smart building scenarios

Instavue Smart Video Analysis System

Integrates IoT technology and AI smart vision capabilities to help accurately tap into the value of massive videos

Cloud Resource Management

API

Access Cloud resources quickly via APIs

Cloud Command Line Interface

Quickly call Cloud APIs to manage your cloud resources

Cloud Infrastructure as Code (IC)

An efficient and secure infrastructure management platform

Smart Advisor

An out-of-the-box cloud resource risk assessment service

Infrastructure Automation for Terraform

Manage Cloud resources securely and efficiently

Control Center

Set up a landing zone to centrally manage all of your enterprise accounts.

Management and Audit Tools

Cloud Access Management

A convenient and secure permission and user management service

CloudAudit

A logging and tracking service for Cloud resource operations

Cloud Organization

Centrally manage multiple accounts with user-based permissions

Developer Tools

CODING Code Repositories

A secure, fast, and convenient Git/SVN code repository service

CODING Project Management

A PM tool and service for agile and fast iteration

CODING Test Management

An agile testing method for better test-R&D collaboration

CODING Continuous Integration

A cloud-based code build service for Java, Python, and more

CODING Artifact Repositories

An efficient management service for artifacts after code compilation

CODING Continuous Deployment

A continuous, controllable, and automated deployment of artifacts

Mobile Framework

One-stop mobile development and operation platform

Cloud Mini Program Platform

One-stop development, placing small programs into enterprise-owned APPs

Monitor and Operation

Cloud Observability Platform

A cloud resource data monitoring platform for intelligent data analysis

Managed Service for Prometheus

A lightweight, stable, and highly available managed Prometheus service

Application Performance Management

Monitor your application performance in real time with a scalable and cost-effective management service

Real User Monitoring

A real user experience monitoring service for web and mini program frontends

Cloud Managed Service for Grafana

Secure, stable, low-cost, and highly scalable managed Grafana service

Cloud Automated Testing

A globally deployed real user performance test service

Education

Cloud Online Education Solutions

Versatile solutions for supporting diverse online education scenarios

Gaming

Gaming Solution

A comprehensive solution to help you build your cloud gaming platform

Game Media Solutions

A one-stop toolkit for gaming videos

Financial Services

Financial Services Solution

Integrated full-process fintech solutions designed for various digital transformation scenarios

Audio & Video

Audio/Video Solution

A one-stop video solution for all your cloud media applications

LVB Recording Solution

A solution for on-cloud recording, content production, and video distribution

Interactive Classroom Solution

Offers a one-stop online education solution

Interactive Live Streaming Solution

Covers various low-latency live video streaming use cases such as anchor competition and interactive live streaming

Audio Chat Social Networking Solution

Provides a one-stop "real-time audio interaction" solution

Real Estate

Cloud LinkBase (Weiling)

An IoT building operating system well adapted to smart building scenarios