
Exploring common centralized and decentralized approaches to secrets management

Security Blog



This article explores centralized vs. decentralized approaches to secrets management on AWS across four key dimensions: creation, storage, rotation, and monitoring.

  • Centralized creation uses golden paths and developer portals for consistent standards and security controls
  • Decentralized creation offers speed and flexibility but risks inconsistent naming, tagging, and access control
  • Centralized storage simplifies monitoring but adds operational overhead and KMS costs
  • Decentralized storage leverages account boundaries and reduces cross-account complexity
  • Centralized rotation enables reusable Lambda functions but requires cross-account permissions
  • Decentralized rotation allows customization without cross-account access overhead
  • Always centralize auditing and monitoring using Security Hub, Config, and IAM Access Analyzer
  • Most organizations combine approaches based on security requirements, operational model, and scale

Organizations should choose hybrid approaches aligned with their specific needs, using automation and IaC to enforce consistent security controls across their secrets management architecture.


