

# Monitor AWS Secrets Manager secrets
<a name="monitoring"></a>

AWS provides monitoring tools to watch Secrets Manager secrets, report when something is wrong, and take automatic actions when appropriate. You can use the logs if you need to investigate any unexpected usage or change, and then you can roll back unwanted changes. You can also set automated checks for inappropriate usage of secrets and any attempts to delete secrets. 

**Topics**
+ [Log with AWS CloudTrail](monitoring-cloudtrail.md)
+ [Monitor with CloudWatch](monitoring-cloudwatch.md)
+ [Match Secrets Manager events with EventBridge](monitoring-eventbridge.md)
+ [Monitor secrets scheduled for deletion](monitoring_cloudwatch_deleted-secrets.md)
+ [Monitor secrets for compliance](configuring-awsconfig-rules.md)
+ [Monitor Secrets Manager costs](monitor-secretsmanager-costs.md)
+ [Detect threats with GuardDuty](monitoring-guardduty.md)

# Log AWS Secrets Manager events with AWS CloudTrail
<a name="monitoring-cloudtrail"></a>

AWS CloudTrail records all API calls for Secrets Manager as events, including calls from the Secrets Manager console, as well as several other events for rotation and secret version deletion. For a list of the log entries in Secrets Manager records, see [CloudTrail entries](cloudtrail_log_entries.md).

You can use the CloudTrail console to view the last 90 days of recorded events. For an ongoing record of events in your AWS account, including events for Secrets Manager, create a trail so that CloudTrail delivers log files to an Amazon S3 bucket. See [Creating a trail for your AWS account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html). You can also configure CloudTrail to receive CloudTrail log files from [multiple AWS accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html) and [AWS Regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html). 

You can configure other AWS services to further analyze and act upon the data collected in CloudTrail logs. See [AWS service integrations with CloudTrail logs](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations). You can also get notifications when CloudTrail publishes new log files to your Amazon S3 bucket. See [Configuring Amazon SNS notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html). 

**To retrieve Secrets Manager events from CloudTrail logs (console)**

1. Open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. Ensure that the console points to the Region where your events occurred. The console shows only those events that occurred in the selected Region. Choose the Region from the drop-down list in the upper-right corner of the console.

1. In the left-hand navigation pane, choose **Event history**. 

1. Choose **Filter** criteria and/or a **Time range** to help you find the event that you're looking for. For example:

   1. To see all Secrets Manager events, for **Lookup attributes**, choose **Event source**. Then, for **Enter event source**, choose **secretsmanager.amazonaws.com**.

   1. To see all events for a secret, for **Lookup attributes**, choose **Resource name**. Then, for **Enter a resource name**, enter the name of the secret.

1. To see additional details, choose the expand arrow next to the event. To see all of the information available, choose **View event**. 

## AWS CLI
<a name="monitoring-cloudtrail_cli"></a>

**Example Retrieve Secrets Manager events from CloudTrail logs**  
The following [lookup-events](https://docs.aws.amazon.com//cli/latest/reference/cloudtrail/lookup-events.html) example looks up Secrets Manager events.  

```
aws cloudtrail lookup-events \
    --region us-east-1 \
    --lookup-attributes AttributeKey=EventSource,AttributeValue=secretsmanager.amazonaws.com
```

# AWS CloudTrail entries for Secrets Manager
<a name="cloudtrail_log_entries"></a>

AWS Secrets Manager writes entries to your AWS CloudTrail log for all Secrets Manager operations and for other events related to rotation and deletion. For information about taking action on these events, see [Match Secrets Manager events with EventBridge](monitoring-eventbridge.md). 

**Topics**
+ [Log entries for Secrets Manager operations](#cloudtrail_log_entries_operations)
+ [Log entries for deletion](#cloudtrail_log_entries_deletion)
+ [Log entries for replication](#cloudtrail_log_entries_replication)
+ [Log entries for rotation](#cloudtrail_log_entries_rotation)

## Log entries for Secrets Manager operations
<a name="cloudtrail_log_entries_operations"></a>

Events that are generated by calls to Secrets Manager operations have `"detail-type": ["AWS API Call via CloudTrail"]`. 

**Note**  
Before February 2024, some Secrets Manager operations reported events that contained "aRN" instead of "arn" for the secret ARN. For more information, see [AWS re:Post](https://repost.aws/knowledge-center/secrets-manager-arn).

The following are CloudTrail entries generated when you or a service call Secrets Manager operations through the API, SDK, or CLI.

**BatchGetSecretValue**  
Generated by the [BatchGetSecretValue](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_BatchGetSecretValue.html) operation. For information about retrieving secrets, see [Get secrets from AWS Secrets Manager](retrieving-secrets.md). 

**CancelRotateSecret**  
Generated by the [CancelRotateSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CancelRotateSecret.html) operation. For information about rotation, see [Rotate AWS Secrets Manager secrets](rotating-secrets.md). 

**CreateSecret**  
Generated by the [CreateSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html) operation. For information about creating secrets, see [Manage secrets with AWS Secrets Manager](managing-secrets.md).

**DeleteResourcePolicy**  
Generated by the [DeleteResourcePolicy](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteResourcePolicy.html) operation. For information about permissions, see [Authentication and access control for AWS Secrets Manager](auth-and-access.md). 

**DeleteSecret**  
Generated by the [DeleteSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html) operation. For information about deleting secrets, see [Delete an AWS Secrets Manager secret](manage_delete-secret.md). 

**DescribeSecret**  
Generated by the [DescribeSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DescribeSecret.html) operation. 

**GetRandomPassword**  
Generated by the [GetRandomPassword](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetRandomPassword.html) operation. 

**GetResourcePolicy**  
Generated by the [GetResourcePolicy](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetResourcePolicy.html) operation. For information about permissions, see [Authentication and access control for AWS Secrets Manager](auth-and-access.md).

**GetSecretValue**  
Generated by the [GetSecretValue](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html) and [BatchGetSecretValue](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_BatchGetSecretValue.html) operations. For information about retrieving secrets, see [Get secrets from AWS Secrets Manager](retrieving-secrets.md).

**ListSecrets**  
Generated by the [ListSecrets](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_ListSecrets.html) operation. For information about listing secrets, see [Find secrets in AWS Secrets Manager](manage_search-secret.md).

**ListSecretVersionIds**  
Generated by the [ListSecretVersionIds](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_ListSecretVersionIds.html) operation.

**PutResourcePolicy**  
Generated by the [PutResourcePolicy](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_PutResourcePolicy.html) operation. For information about permissions, see [Authentication and access control for AWS Secrets Manager](auth-and-access.md). 

**PutSecretValue**  
Generated by the [PutSecretValue](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_PutSecretValue.html) operation. For information about updating a secret, see [Modify an AWS Secrets Manager secret](manage_update-secret.md).

**RemoveRegionsFromReplication**  
Generated by the [RemoveRegionsFromReplication](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_RemoveRegionsFromReplication.html) operation. For information about replicating a secret, see [Replicate AWS Secrets Manager secrets across Regions](replicate-secrets.md). 

**ReplicateSecretToRegions**  
Generated by the [ReplicateSecretToRegions](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_ReplicateSecretToRegions.html) operation. For information about replicating a secret, see [Replicate AWS Secrets Manager secrets across Regions](replicate-secrets.md). 

**RestoreSecret**  
Generated by the [RestoreSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_RestoreSecret.html) operation. For information about restoring a deleted secret, see [Restore an AWS Secrets Manager secret](manage_restore-secret.md). 

**RotateSecret**  
Generated by the [RotateSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_RotateSecret.html) operation. For information about rotation, see [Rotate AWS Secrets Manager secrets](rotating-secrets.md). 

**StopReplicationToReplica**  
Generated by the [StopReplicationToReplica](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_StopReplicationToReplica.html) operation. For information about replicating a secret, see [Replicate AWS Secrets Manager secrets across Regions](replicate-secrets.md). 

**TagResource**  
Generated by the [TagResource](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_TagResource.html) operation. For information about tagging a secret, see [Tagging secrets in AWS Secrets Manager](managing-secrets_tagging.md).

**UntagResource**  
Generated by the [UntagResource](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_UntagResource.html) operation. For information about untagging a secret, see [Tagging secrets in AWS Secrets Manager](managing-secrets_tagging.md).

**UpdateSecret**  
Generated by the [UpdateSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_UpdateSecret.html) operation. For information about updating a secret, see [Modify an AWS Secrets Manager secret](manage_update-secret.md).

**UpdateSecretVersionStage**  
Generated by the [UpdateSecretVersionStage](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_UpdateSecretVersionStage.html) operation. For information about version stages, see [Secret versions](whats-in-a-secret.md#term_version). 

**ValidateResourcePolicy**  
Generated by the [ValidateResourcePolicy](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_ValidateResourcePolicy.html) operation. For information about permissions, see [Authentication and access control for AWS Secrets Manager](auth-and-access.md).

## Log entries for deletion
<a name="cloudtrail_log_entries_deletion"></a>

In addition to events for Secrets Manager operations, Secrets Manager generates the following events related to deletion. These events have `"detail-type": ["AWS Service Event via CloudTrail"]`.

**CancelSecretVersionDelete**  
Generated by the Secrets Manager service. If you call `DeleteSecret` on a secret that has versions, and then later call `RestoreSecret`, Secrets Manager logs this event for each secret version that was restored. For information about restoring a deleted secret, see [Restore an AWS Secrets Manager secret](manage_restore-secret.md). 

**EndSecretVersionDelete**  
Generated by the Secrets Manager service when a secret version is deleted. For more information, see [Delete an AWS Secrets Manager secret](manage_delete-secret.md).

**StartSecretVersionDelete**  
Generated by the Secrets Manager service when Secrets Manager starts deletion for a secret version. For information about deleting secrets, see [Delete an AWS Secrets Manager secret](manage_delete-secret.md).

**SecretVersionDeletion**  
Generated by the Secrets Manager service when Secrets Manager deletes a deprecated secret version. For more information, see [Secret versions](whats-in-a-secret.md#term_version).

## Log entries for replication
<a name="cloudtrail_log_entries_replication"></a>

In addition to events for Secrets Manager operations, Secrets Manager generates the following events related to replication. These events have `"detail-type": ["AWS Service Event via CloudTrail"]`.

**ReplicationFailed**  
Generated by the Secrets Manager service when replication fails. For information about replicating a secret, see [Replicate AWS Secrets Manager secrets across Regions](replicate-secrets.md).

**ReplicationStarted**  
Generated by the Secrets Manager service when Secrets Manager starts replicating a secret. For information about replicating a secret, see [Replicate AWS Secrets Manager secrets across Regions](replicate-secrets.md).

**ReplicationSucceeded**  
Generated by the Secrets Manager service when a secret is successfully replicated. For information about replicating a secret, see [Replicate AWS Secrets Manager secrets across Regions](replicate-secrets.md).

## Log entries for rotation
<a name="cloudtrail_log_entries_rotation"></a>

In addition to events for Secrets Manager operations, Secrets Manager generates the following events related to rotation. These events have `"detail-type": ["AWS Service Event via CloudTrail"]`.

**RotationStarted**  
Generated by the Secrets Manager service when Secrets Manager starts rotating a secret. For information about rotation, see [Rotate AWS Secrets Manager secrets](rotating-secrets.md).

**RotationAbandoned**  
Generated by the Secrets Manager service when Secrets Manager abandons a rotation attempt and removes the `AWSPENDING` label from an existing version of a secret. Secrets Manager abandons rotation when you create a new version of a secret during rotation. For information about rotation, see [Rotate AWS Secrets Manager secrets](rotating-secrets.md).

**RotationFailed**  
Generated by the Secrets Manager service when rotation fails. For information about rotation, see [Troubleshoot AWS Secrets Manager rotation](troubleshoot_rotation.md).

**RotationSucceeded**  
Generated by the Secrets Manager service when a secret is successfully rotated. For information about rotation, see [Rotate AWS Secrets Manager secrets](rotating-secrets.md).

**TestRotationStarted**  
Generated by the Secrets Manager service when Secrets Manager starts testing rotation for a secret that is not scheduled for immediate rotation. For information about rotation, see [Rotate AWS Secrets Manager secrets](rotating-secrets.md).

**TestRotationSucceeded**  
Generated by the Secrets Manager service when Secrets Manager successfully tests rotation for a secret that is not scheduled for immediate rotation. For information about rotation, see [Rotate AWS Secrets Manager secrets](rotating-secrets.md).

**TestRotationFailed**  
Generated by the Secrets Manager service when Secrets Manager tests rotation for a secret that is not scheduled for immediate rotation and rotation failed. For information about rotation, see [Troubleshoot AWS Secrets Manager rotation](troubleshoot_rotation.md).

# Monitor AWS Secrets Manager with Amazon CloudWatch
<a name="monitoring-cloudwatch"></a>

Using Amazon CloudWatch, you can monitor AWS services and create alarms to let you know when metrics change. CloudWatch keeps these statistics for 15 months, so you can access historical information and gain a better perspective on how your web application or service is performing. For AWS Secrets Manager, you can monitor the number of secrets in your account, including secrets marked for deletion, and API calls to Secrets Manager, including calls made through the console. For information about how to monitor metrics, see [Use CloudWatch metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/working_with_metrics.html) in the *CloudWatch User Guide*.

**To find Secrets Manager metrics**

1. On the CloudWatch console, under **Metrics**, choose **All metrics**.

1. In the **Metrics** search box, enter `secret`.

1. Do the following:
   + To monitor the number of secrets in your account, choose **AWS/SecretsManager**, and then select **SecretCount**. This metric is published hourly.
   + To monitor API calls to Secrets Manager, including calls made through the console, choose **Usage > By AWS Resource**, and then select the API calls to monitor. For a list of Secrets Manager APIs, see [Secrets Manager operations](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_Operations.html).

1. Do the following:
   + To create a graph of the metric, see [Graphing metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/graph_metrics.html) in the *Amazon CloudWatch User Guide*.
   + To detect anomalies, see [Using CloudWatch anomaly detection](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Anomaly_Detection.html) in the *Amazon CloudWatch User Guide*.
   + To get statistics for a metric, see [Get statistics for a metric](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/getting-metric-statistics.html) in the *Amazon CloudWatch User Guide*.



## CloudWatch alarms
<a name="monitoring-cloudwatch_alarms"></a>

You can create a CloudWatch alarm that sends an Amazon SNS message when the value of a metric changes and causes the alarm to change state. You can set an alarm on the Secrets Manager metric `ResourceCount`, which is the number of secrets in your account. You can also set alarms on the API call metrics described above. An alarm watches a metric over a time period you specify, and performs actions based on the value of the metric relative to a given threshold over a number of time periods. Alarms invoke actions for sustained state changes only. CloudWatch alarms do not invoke actions simply because they are in a particular state; the state must have changed and been maintained for a specified number of periods. 

For more information, see [ Using Amazon CloudWatch alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html) and [Create a CloudWatch alarm based on anomaly detection](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Create_Anomaly_Detection_Alarm.html) in the *CloudWatch User Guide*.

You can also set alarms that watch for certain thresholds, and send notifications or take actions when those thresholds are met. For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).

# Match AWS Secrets Manager events with Amazon EventBridge
<a name="monitoring-eventbridge"></a>

In Amazon EventBridge, you can match Secrets Manager events from CloudTrail log entries. You can configure EventBridge rules that look for these events and then send new generated events to a target to take action. For a list of CloudTrail entries that Secrets Manager logs, see [CloudTrail entries](cloudtrail_log_entries.md). For instructions to set up EventBridge, see [Getting started with EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-get-started.html) in the *EventBridge User Guide*.

## Match all changes to a specified secret
<a name="monitoring-eventbridge_examples-all-changes"></a>

**Note**  
Because [some Secrets Manager events](cloudtrail_log_entries.md) return the ARN of the secret with different capitalization, in event patterns that match more than one action, to specify a secret by ARN, you may need to include both the keys `arn` and `aRN`. For more information, see [AWS re:Post](https://repost.aws/knowledge-center/secrets-manager-arn).

The following example shows an EventBridge event pattern that matches log entries for changes to a secret.

```
{
    "source": ["aws.secretsmanager"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["secretsmanager.amazonaws.com"],
        "eventName": ["DeleteResourcePolicy", "PutResourcePolicy", "RotateSecret", "TagResource", "UntagResource", "UpdateSecret"],
        "responseElements": {
            "arn": ["arn:aws:secretsmanager:us-west-2:012345678901:secret:mySecret-a1b2c3"]
        }
    }
}
```

## Match events when a secret value rotates
<a name="monitoring-eventbridge_examples-rotations"></a>

The following example shows an EventBridge event pattern that matches CloudTrail log entries for secret value changes that occur from manual updates or automatic rotation. Because some of these events are from Secrets Manager operations and some are generated by the Secrets Manager service, you must include the `detail-type` for both.

```
{
    "source": ["aws.secretsmanager"],
    "detail-type": [
        "AWS API Call via CloudTrail",
        "AWS Service Event via CloudTrail"
    ],
    "detail": {
        "eventSource": ["secretsmanager.amazonaws.com"],
        "eventName": ["PutSecretValue", "UpdateSecret", "RotationSucceeded"]
    }
}
```
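The following is an added example, not part of the AWS documentation, that replays the two event patterns above against constructed sample events. The matcher implements only the subset of EventBridge pattern syntax the page uses (exact-value arrays, nested objects), and the sample events, including the pre-February-2024 `aRN` variant from the note, are constructed, not captured from a real account.

```python
"""Evaluate the two EventBridge event patterns from this page against
constructed CloudTrail-derived events.  The matcher covers only the pattern
constructs used here (exact string arrays, nested objects); EventBridge's
prefix, numeric and $or filters are not implemented."""

# Pattern 1: changes to one specific secret (the ARN is the page's sample value).
SECRET_ARN = "arn:aws:secretsmanager:us-west-2:012345678901:secret:mySecret-a1b2c3"
CHANGES_TO_SECRET = {
    "source": ["aws.secretsmanager"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["secretsmanager.amazonaws.com"],
        "eventName": ["DeleteResourcePolicy", "PutResourcePolicy", "RotateSecret",
                      "TagResource", "UntagResource", "UpdateSecret"],
        "responseElements": {"arn": [SECRET_ARN]},
    },
}

# Pattern 2: secret value changed by a manual update or by rotation.
VALUE_ROTATED = {
    "source": ["aws.secretsmanager"],
    "detail-type": ["AWS API Call via CloudTrail", "AWS Service Event via CloudTrail"],
    "detail": {
        "eventSource": ["secretsmanager.amazonaws.com"],
        "eventName": ["PutSecretValue", "UpdateSecret", "RotationSucceeded"],
    },
}


def matches(pattern, event):
    """EventBridge semantics for the constructs above: every key in the pattern
    must exist in the event; a list means "any of these exact values"; a dict
    recurses.  Event keys that the pattern does not mention are ignored."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        elif value not in allowed:
            return False
    return True


API_CALL = "AWS API Call via CloudTrail"
SERVICE_EVENT = "AWS Service Event via CloudTrail"


def make_event(detail_type, event_name, response_elements=None):
    """Constructed sample event in the shape EventBridge delivers for CloudTrail."""
    detail = {"eventSource": "secretsmanager.amazonaws.com", "eventName": event_name}
    if response_elements is not None:
        detail["responseElements"] = response_elements
    return {"source": "aws.secretsmanager", "detail-type": detail_type, "detail": detail}


SAMPLE_EVENTS = {
    "update_this_secret": make_event(API_CALL, "UpdateSecret", {"arn": SECRET_ARN}),
    "update_other_secret": make_event(API_CALL, "UpdateSecret",
                                      {"arn": SECRET_ARN.replace("mySecret", "other")}),
    # Pre-February-2024 style entry that reported "aRN" instead of "arn": it is
    # NOT matched by pattern 1, which is why the note says to include both keys.
    "update_legacy_key": make_event(API_CALL, "UpdateSecret", {"aRN": SECRET_ARN}),
    "rotation_succeeded": make_event(SERVICE_EVENT, "RotationSucceeded"),
    "describe_secret": make_event(API_CALL, "DescribeSecret"),
}


def evaluate(pattern, events=SAMPLE_EVENTS):
    """Names of the sample events the pattern matches, in insertion order."""
    return [name for name, ev in events.items() if matches(pattern, ev)]


if __name__ == "__main__":
    for label, pattern in (("changes to mySecret", CHANGES_TO_SECRET),
                           ("value rotated", VALUE_ROTATED)):
        print(f"{label}: {evaluate(pattern)}")
```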

# Monitor when AWS Secrets Manager secrets scheduled for deletion are accessed
<a name="monitoring_cloudwatch_deleted-secrets"></a>

You can use a combination of AWS CloudTrail, Amazon CloudWatch Logs, and Amazon Simple Notification Service (Amazon SNS) to create an alarm that notifies you of any attempts to access a secret pending deletion. If you receive a notification from an alarm, you might want to cancel deletion of the secret to give yourself more time to determine if you really want to delete it. Your investigation might result in the secret being restored because you still need the secret. Alternatively, you might need to update the user with details of the new secret to use.

The following procedures explain how to receive a notification when a `GetSecretValue` request results in a specific error message being written to your CloudTrail log files. Other API operations can be performed on the secret without triggering the alarm. This CloudWatch alarm detects usage that might indicate a person or application using outdated credentials.

Before you begin these procedures, you must turn on CloudTrail in the AWS Region and account where you intend to monitor AWS Secrets Manager API requests. For instructions, go to [Creating a trail for the first time](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html) in the *AWS CloudTrail User Guide*.

## Step 1: Configure CloudTrail log file delivery to CloudWatch Logs
<a name="monitoring_cloudwatch_deleted-secrets_part1"></a>

You must configure delivery of your CloudTrail log files to CloudWatch Logs. You do this so CloudWatch Logs can monitor them for Secrets Manager API requests to retrieve a secret pending deletion.

**To configure CloudTrail log file delivery to CloudWatch Logs**

1. Open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. On the top navigation bar, choose the AWS Region to monitor secrets.

1. In the left navigation pane, choose **Trails**, and then choose the name of the trail to configure for CloudWatch.

1. On the **Trails Configuration** page, scroll down to the **CloudWatch Logs** section, and then choose the edit icon (![\[Edit pencil icon.\]](http://docs.aws.amazon.com/secretsmanager/latest/userguide/images/edit-pencil-icon.png)).

1. For **New or existing log group**, type a name for the log group, such as **CloudTrail/MyCloudWatchLogGroup**.

1. For **IAM role**, you can use the default role named **CloudTrail\_CloudWatchLogs\_Role**. This role has a default role policy with the required permissions to deliver CloudTrail events to the log group.

1. Choose **Continue** to save your configuration.

1. On the **AWS CloudTrail will deliver CloudTrail events associated with API activity in your account to your CloudWatch Logs log group** page, choose **Allow**.

## Step 2: Create the CloudWatch alarm
<a name="monitoring_cloudwatch_deleted-secrets_part2"></a>

To receive a notification when a Secrets Manager `GetSecretValue` API operation requests to access a secret pending deletion, you must create a CloudWatch alarm and configure notification.

**To create a CloudWatch alarm**

1. Sign in to the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. On the top navigation bar, choose the AWS Region where you want to monitor secrets.

1. In the left navigation pane, choose **Logs**.

1. In the list of **Log Groups**, select the check box next to the log group you created in the previous procedure, such as **CloudTrail/MyCloudWatchLogGroup**. Then choose **Create Metric Filter**.

1. For **Filter Pattern**, type or paste the following:

   ```
   { $.eventName = "GetSecretValue" && $.errorMessage = "*secret because it was marked for deletion*" }
   ```

   Choose **Assign Metric**.

1. On the **Create Metric Filter and Assign a Metric** page, do the following:

   1. For **Metric Namespace**, type **CloudTrailLogMetrics**.

   1. For **Metric Name**, type **AttemptsToAccessDeletedSecrets**.

   1. Choose **Show advanced metric settings**, and then if necessary for **Metric Value**, type **1**.

   1. Choose **Create Filter**.

1. In the filter box, choose **Create Alarm**.

1. In the **Create Alarm** window, do the following:

   1. For **Name**, type **AttemptsToAccessDeletedSecretsAlarm**.

   1. For **Whenever:** ... **is:**, choose **>=**, and then type **1**.

   1. Next to **Send notification to:**, do one of the following:
      + To create and use a new Amazon SNS topic, choose **New list**, and then type a new topic name. For **Email list:**, type at least one email address. You can type more than one email address by separating them with commas.
      + To use an existing Amazon SNS topic, choose the name of the topic to use. If a list doesn't exist, choose **Select list**.

   1. Choose **Create Alarm**.

## Step 3: Test the CloudWatch alarm
<a name="monitoring_cloudwatch_deleted-secrets_part3"></a>

To test your alarm, create a secret and then schedule it for deletion. Then, try to retrieve the secret value. Shortly afterward, you receive an email at the address you configured in the alarm. It alerts you to the use of a secret scheduled for deletion.
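The following is an added example, not part of the AWS documentation, that replays the Step 2 metric filter offline against constructed CloudTrail records and applies the Step 2 threshold, so you can see which records count toward the metric and who triggered them before you wire up the real alarm. The filter semantics implemented are the JSON metric-filter subset the page uses (`$.field = "value"` with `*` wildcards joined by `&&`); the records and their error message are sample data, modeled on the message the filter pattern expects.

```python
"""Replay the Step 2 metric filter against constructed CloudTrail records and
compute the alarm decision.  Implements only the metric-filter constructs used
on this page: equality on a JSON field, '*' wildcards, and '&&'."""
import json
from fnmatch import fnmatchcase

# The Step 2 filter pattern, split into its two && terms.
FILTER_TERMS = {
    "eventName": "GetSecretValue",
    "errorMessage": "*secret because it was marked for deletion*",
}
ALARM_THRESHOLD = 1  # Step 2: alarm whenever the metric is >= 1

# Constructed CloudTrail records, abridged to the fields the filter reads.
DELETION_ERROR = "You can't perform this operation on the secret because it was marked for deletion."
SAMPLE_LOG_LINES = [
    # Read of a secret pending deletion: the case the alarm is for.
    json.dumps({"eventName": "GetSecretValue", "eventSource": "secretsmanager.amazonaws.com",
                "userIdentity": {"arn": "arn:aws:iam::012345678901:user/legacy-batch"},
                "errorCode": "InvalidRequestException", "errorMessage": DELETION_ERROR}),
    # Successful read: no errorMessage field at all, so the second term cannot match.
    json.dumps({"eventName": "GetSecretValue", "eventSource": "secretsmanager.amazonaws.com",
                "userIdentity": {"arn": "arn:aws:iam::012345678901:role/app"}}),
    # Same error from a different operation: not counted, as the page states.
    json.dumps({"eventName": "PutSecretValue", "eventSource": "secretsmanager.amazonaws.com",
                "userIdentity": {"arn": "arn:aws:iam::012345678901:role/ci"},
                "errorCode": "InvalidRequestException", "errorMessage": DELETION_ERROR}),
    # GetSecretValue that failed for an unrelated reason: not counted.
    json.dumps({"eventName": "GetSecretValue", "eventSource": "secretsmanager.amazonaws.com",
                "userIdentity": {"arn": "arn:aws:iam::012345678901:user/new-hire"},
                "errorCode": "AccessDeniedException",
                "errorMessage": "User is not authorized to perform: secretsmanager:GetSecretValue"}),
]


def record_matches(record):
    """True when every && term matches.  A missing field never matches, which is
    why a successful GetSecretValue (no errorMessage) does not count."""
    return all(
        field in record and fnmatchcase(str(record[field]), wanted)
        for field, wanted in FILTER_TERMS.items()
    )


def metric_datapoints(log_lines):
    """One datapoint with Metric Value 1 per matching record, as the filter emits."""
    return [1 for line in log_lines if record_matches(json.loads(line))]


def alarm_state(log_lines, threshold=ALARM_THRESHOLD):
    """Sum the period's datapoints and apply the Step 2 '>= 1' threshold."""
    return "ALARM" if sum(metric_datapoints(log_lines)) >= threshold else "OK"


def matching_principals(log_lines):
    """Who tried to read a secret scheduled for deletion: the detail you need to
    decide between restoring the secret and updating the caller's credentials."""
    principals = []
    for line in log_lines:
        record = json.loads(line)
        if record_matches(record):
            principals.append(record.get("userIdentity", {}).get("arn", "<unknown>"))
    return principals


if __name__ == "__main__":
    print(alarm_state(SAMPLE_LOG_LINES), matching_principals(SAMPLE_LOG_LINES))
```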

# Monitor AWS Secrets Manager secrets for compliance by using AWS Config
<a name="configuring-awsconfig-rules"></a>

You can use AWS Config to evaluate your secrets to see if they are in compliance with your standards. You define your internal security and compliance requirements for secrets using AWS Config rules. Then AWS Config can identify secrets that don't conform to your rules. You can also track changes to secret metadata, [rotation configuration](find-secrets-not-rotating.md), the KMS key used for secret encryption, the Lambda rotation function, and tags associated with a secret.

You can configure AWS Config to notify you of changes. For more information, see [Notifications that AWS Config sends to an Amazon SNS topic](https://docs.aws.amazon.com/config/latest/developerguide/notifications-for-AWS-Config.html).

If you have secrets in multiple AWS accounts and AWS Regions in your organization, you can aggregate that configuration and compliance data. For more information, see [Multi-account Multi-Region data aggregation](https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html).

**To assess whether secrets are in compliance**
+ Follow the instructions on [Evaluating your resources with AWS Config rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluating-your-resources.html), and choose one of the following rules:
  + [`secretsmanager-secret-unused`](https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-secret-unused.html) — Checks whether secrets were accessed within the specified number of days.
  + [`secretsmanager-using-cmk`](https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-using-cmk.html) — Checks whether secrets are encrypted using the AWS managed key `aws/secretsmanager` or a customer managed key you created in AWS KMS.
  + [`secretsmanager-rotation-enabled-check`](https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-rotation-enabled-check.html) — Checks whether rotation is configured for secrets stored in Secrets Manager.
  + [`secretsmanager-scheduled-rotation-success-check`](https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-scheduled-rotation-success-check.html) — Checks whether the last successful rotation is within the configured rotation frequency. The minimum frequency for the check is daily.
  + [`secretsmanager-secret-periodic-rotation`](https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-secret-periodic-rotation.html) — Checks whether secrets were rotated within the specified number of days.

# Monitor Secrets Manager costs
<a name="monitor-secretsmanager-costs"></a>

You can use Amazon CloudWatch to monitor estimated AWS Secrets Manager charges. For more information, see [Creating a billing alarm to monitor your estimated AWS charges](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/monitor_estimated_charges_with_cloudwatch.html) in the *CloudWatch User Guide*.

Another option for monitoring your costs is AWS Cost Anomaly Detection. For more information, see [Detecting unusual spend with AWS Cost Anomaly Detection](https://docs.aws.amazon.com/cost-management/latest/userguide/manage-ad.html) in the *AWS Cost Management User Guide*.

For information about monitoring your Secrets Manager usage, see [Monitor AWS Secrets Manager with Amazon CloudWatch](monitoring-cloudwatch.md) and [Log AWS Secrets Manager events with AWS CloudTrail](monitoring-cloudtrail.md).

For information about AWS Secrets Manager pricing, see [Pricing](intro.md#asm_pricing).

# Detect threats with Amazon GuardDuty
<a name="monitoring-guardduty"></a>

Amazon GuardDuty is a threat detection service that helps you protect your accounts, containers, workloads, and the data within your AWS environment. By using machine learning (ML) models and anomaly and threat detection capabilities, GuardDuty continuously monitors different log sources to identify and prioritize potential security risks and malicious activities in your environment. For example, GuardDuty can detect potential threats such as unusual or suspicious access to secrets, and credential exfiltration when it detects credentials that were created exclusively for an Amazon EC2 instance through an instance launch role but are being used from another account within AWS. For more information, see the [Amazon GuardDuty User Guide](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html).

Another example use-case for detection is anomalous behavior. For example, if AWS Secrets Manager typically gets `create-secret`, `get-secret-value`, `describe-secret`, and `list-secrets` calls from an entity using the Java SDK, and then a different entity begins calling `batch-get-secret-value` and `get-secret-value` using the AWS CLI from outside of the VPN, GuardDuty can report a finding that the second entity is anomalously invoking APIs. For more information, see [GuardDuty IAM finding type CredentialAccess:IAMUser/AnomalousBehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#credentialaccess-iam-anomalousbehavior).