Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Using an AWS Secrets Manager VPC endpoint

Focus mode

On this page

Using an AWS Secrets Manager VPC endpoint - AWS Secrets Manager

We recommend that you run as much of your infrastructure as possible on private networks that are not accessible from the public internet. You can establish a private connection between your VPC and Secrets Manager by creating an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to privately access Secrets Manager APIs without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with Secrets Manager APIs. Traffic between your VPC and Secrets Manager does not leave the AWS network. For more information, see Interface VPC endpoints (AWS PrivateLink) in the Amazon VPC User Guide.

When Secrets Manager rotates a secret by using a Lambda rotation function, for example a secret that contains database credentials, the Lambda function makes requests to both the database and Secrets Manager. When you turn on automatic rotation by using the console, Secrets Manager creates the Lambda function in the same VPC as your database. We recommend that you create a Secrets Manager endpoint in the same VPC so that requests from the Lambda rotation function to Secrets Manager don't leave the Amazon network.

If you enable private DNS for the endpoint, you can make API requests to Secrets Manager using its default DNS name for the Region, for example, secretsmanager.us-east-1.amazonaws.com. For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.

You can make sure that requests to Secrets Manager come from the VPC access by including a condition in your permissions policies. For more information, see Example: Permissions and VPCs.

You can use AWS CloudTrail logs to audit your use of secrets through the VPC endpoint.

To create a VPC endpoint for Secrets Manager
  1. See Creating an interface endpoint in the Amazon VPC User Guide. Use the service name: com.amazonaws.region.secretsmanager.

  2. To control access to the endpoint, see Control access to VPC endpoints using endpoint policies.

  3. To use IPv6 and dual-stack addressing, see IPv4 and IPv6 access.

Shared subnets

You can't create, describe, modify, or delete VPC endpoints in subnets that are shared with you. However, you can use the VPC endpoints in subnets that are shared with you. For information about VPC sharing, see Share your VPC with other accounts in the Amazon Virtual Private Cloud User Guide.

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.