Application secrets can be stored in AWS Secrets Manager and injected as environment variables or files into running applications.
Secrets like encryption keys or API keys should be kept separate from configuration values like host name or time zone.
When storing application secrets:
Use a separate Secrets Manager secret for each service for which you need a secret value
Use a different secret value for each environment like staging and production
Don’t copy values between secrets - if secret values must be reused, store them centrally and allow access to the services which need them
Following these guidelines will limit the damage if secrets are partly disclosed and will make recovery from secret disclosure easier.
For more information on using Secrets Manager secrets, see Managing Secrets in the Deploy section.