Way to track manual rotations/key updates in AWS Secret Manager

Is there a way I can track AWS Secrets Manager (when a key/value has been updated by someone), not auto rotation?

• I also wonder if people keep encrypted copies of their secrets somewhere in case old values are needed (someone changes a secret by mistake).

I guess an EventBridge event that does something useful (SNS => emails you) that listens to the appropriate CloudTrail event.

As for old values, check out the “Version” section of https://docs.aws.amazon.com/secretsmanager/latest/userguide/getting-started.html

That’s good to know. I can use the AWS CLI to get-secret-value and specify the version-id (to retrieve older secrets).

It looks like there is no event when a value changes: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieve-ct-entries.html

Why don’t you change a test secret and then manually check the contents of CloudTrail in the web console to see if anything is recorded? I would be surprised if there’s not; I’m sure this is an event that people would want to be able to track/identify.

It looks to be the PutSecretValue event. Those docs say “AWS CloudTrail records all API calls for Secrets Manager as events, including calls from the Secrets Manager console. CloudTrail also captures the following events”, so the list on that page is not the only set of events it records, just the additional events.
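Putting the two replies together, here is an added example (not from the thread or from AWS) of what the EventBridge rule would look like and how to test it offline: an event pattern for the CloudTrail PutSecretValue/UpdateSecret calls that change a secret's value, a minimal matcher implementing the subset of EventBridge pattern semantics the rule uses, a few constructed CloudTrail records to run it against, and a small helper that picks the AWSPREVIOUS version to feed to get-secret-value --version-id. The account ID, IAM user/role names and the rotation role name "secret-rotation-role" are assumptions made up for the example.

```python
"""Added example: EventBridge pattern for manual Secrets Manager value changes,
tested offline against constructed CloudTrail records. Account id, principal
names and the rotation role name are assumptions, not values from the thread.
"""
import json

ACCOUNT = "123456789012"  # constructed account id
ROTATION_ROLE_ARN_PREFIX = f"arn:aws:sts::{ACCOUNT}:assumed-role/secret-rotation-role/"

# Event pattern for an EventBridge rule on the default bus. PutSecretValue and
# UpdateSecret are the two API calls that can replace a secret's value; writes
# made by the (assumed) rotation Lambda role are excluded by ARN prefix so only
# human/manual changes remain. userIdentity.arn is present for every principal
# type, which is why it is used instead of sessionContext fields.
MANUAL_SECRET_CHANGE_PATTERN = {
    "source": ["aws.secretsmanager"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["secretsmanager.amazonaws.com"],
        "eventName": ["PutSecretValue", "UpdateSecret"],
        "userIdentity": {
            "arn": [{"anything-but": {"prefix": ROTATION_ROLE_ARN_PREFIX}}]
        },
    },
}


def _value_matches(rule, value):
    """One pattern-list element against one event value (EventBridge subset)."""
    if not isinstance(rule, dict):  # plain literal
        return rule == value
    if "prefix" in rule:
        return isinstance(value, str) and value.startswith(rule["prefix"])
    if "anything-but" in rule:
        excluded = rule["anything-but"]
        if isinstance(excluded, dict):  # {"anything-but": {"prefix": ...}}
            return not _value_matches(excluded, value)
        excluded = excluded if isinstance(excluded, list) else [excluded]
        return value not in excluded
    raise ValueError(f"unsupported pattern operator: {rule}")


def matches(pattern, event):
    """EventBridge semantics (subset): dict values recurse; list values mean the
    event field must exist and satisfy at least one element; event fields the
    pattern does not mention are ignored."""
    for key, rule in pattern.items():
        if isinstance(rule, dict):
            sub = event.get(key)
            if not isinstance(sub, dict) or not matches(rule, sub):
                return False
        elif key not in event or not any(_value_matches(r, event[key]) for r in rule):
            return False
    return True


def cloudtrail_event(event_name, principal_arn, identity_type):
    """Constructed EventBridge envelope around a CloudTrail record. Only the
    fields the pattern inspects are filled in. CloudTrail never records the
    secret value itself, so there is nothing sensitive to leak via SNS."""
    return {
        "version": "0",
        "source": "aws.secretsmanager",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": "secretsmanager.amazonaws.com",
            "eventName": event_name,
            "userIdentity": {"type": identity_type, "arn": principal_arn},
            "requestParameters": {"secretId": "prod/db/password"},
        },
    }


SAMPLES = {  # constructed records
    "console_put": cloudtrail_event("PutSecretValue", f"arn:aws:iam::{ACCOUNT}:user/alice", "IAMUser"),
    "rotation_put": cloudtrail_event("PutSecretValue", ROTATION_ROLE_ARN_PREFIX + "prod-db-rotation", "AssumedRole"),
    "human_role_update": cloudtrail_event("UpdateSecret", f"arn:aws:sts::{ACCOUNT}:assumed-role/AdminRole/bob", "AssumedRole"),
    "read_only": cloudtrail_event("GetSecretValue", f"arn:aws:iam::{ACCOUNT}:user/alice", "IAMUser"),
}


def flagged_samples():
    """Names of the constructed records the rule would forward to SNS."""
    return sorted(name for name, ev in SAMPLES.items() if matches(MANUAL_SECRET_CHANGE_PATTERN, ev))


def previous_version_id(list_versions_response):
    """From a ListSecretVersionIds response, return the version labelled
    AWSPREVIOUS (the value before the last change), for
    `aws secretsmanager get-secret-value --secret-id ... --version-id <id>`."""
    for version in list_versions_response.get("Versions", []):
        if "AWSPREVIOUS" in version.get("VersionStages", []):
            return version["VersionId"]
    return None


if __name__ == "__main__":
    print(json.dumps(MANUAL_SECRET_CHANGE_PATTERN, indent=2))
    print("flagged:", flagged_samples())
```

Two caveats worth knowing before wiring the rule to an SNS topic: UpdateSecret also fires for metadata-only changes (description, KMS key), so drop it from eventName if you only care about value changes; and AWSPREVIOUS only points one version back, so if someone overwrites a secret twice the older value has to be found by its VersionId in the ListSecretVersionIds output rather than by staging label.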