AWS Secrets Manager

Secrets Manager replication with Arpio

Arpio replicates your secrets stored in AWS Secrets Manager, ensuring that the correct secret values are available in your recovery environment so that software that relies on them can operate.  All of the details of your secrets are replicated, including the resource policy, current and historical versions of secrets, secret stages, and secret rotation configuration.

Arpio's secret replication differs from AWS's built-in multi-region secrets in 2 ways:

  • Arpio retains historical versions of your secrets, and restores the correct values from the point-in-time at which you're recovering.  In this way, if you roll back your environment to a week ago, you'll recover the secret values from a week ago.
  • Arpio's secret replication supports cross-account replication, so that you can recover your workloads to a different AWS account if your production account should be compromised.

By replicating secret values, you can be sure that your applications running in the recovery environment will have the credentials they need to communicate securely with other systems within and outside of your environment.

The following attributes are translated during replication:



Secret Value

If your secret's value conforms to one of the standard JSON secret structures, and Arpio is replicating the server referenced in that secret structure, Arpio will translate the 'host' field within that structure to reference the replicated server in the recovery environment.  

Further, if your secret structure specifies the 'masterarn' field, Arpio will also replicate the secret referenced by this field, and will update the value of the 'masterarn' field in the recovery environment.

Resource Policy

Arpio will replicate the resource policy, translating principals and resources referenced in the policy. 

Lambda Rotation Function

Arpio will replicate the Lambda function used for secret rotation.

The following resources are automatically included in your replication when a secret is selected:

  • Other secrets reference by the 'masterarn' field in the standard JSON secret structure
  • The Lambda function being used to rotate the secret value