Configuration and Secrets
Secrets Manager
Secrets stored in AWS Secrets Manager cost $0.40 per secret per month, regardless of whether they are actively used. Over time, secrets created for decommissioned applications, rotated credentials that were never cleaned up, or one-off testing can accumulate into meaningful recurring charges.
AWS Doctor identifies secrets that have not been accessed within a configurable time window so you can clean them up.
Permissions Required: `secretsmanager:ListSecrets`
Detection Logic
A secret is flagged as unused if it meets either of the following criteria:
- Never accessed: the `LastAccessedDate` field is null, meaning the secret has never been retrieved since creation.
- Stale: the `LastAccessedDate` is older than the configured idle threshold (default: 90 days).
You can tune the idle threshold with the `--secrets-idle-days` flag (e.g., `--secrets-idle-days 60` flags secrets not accessed in the last 60 days).
Replica secrets (where `PrimaryRegion` differs from the current region) are automatically skipped to avoid double-counting in multi-region setups.
How to Run
To run the Secrets Manager waste detection individually:
`aws-doctor waste secrets-manager`
Remediation
If a secret is flagged as unused:
- Verify: Confirm the secret is no longer referenced by any application, Lambda function, or CI/CD pipeline.
- Delete: Remove the secret via the AWS Console or CLI. Secrets Manager supports a recovery window (default 30 days) so deletion is reversible.
- Rotate: If the secret is still needed but was simply forgotten, consider enabling automatic rotation to keep it current.
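The Detection Logic rules above (never accessed, stale beyond the idle threshold, replicas skipped, and the $0.40 per-secret price), carried through as an added Python example that is not AWS Doctor's own code. It runs over a constructed list shaped like the `SecretList` entries that `secretsmanager:ListSecrets` returns; the function names, the region and the sample secrets are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Price stated on the page: $0.40 per secret per month.
SECRET_MONTHLY_COST_USD = 0.40


def find_unused_secrets(secret_list, current_region, idle_days=90, now=None):
    """Apply the detection rules to ListSecrets-style entries.

    Each entry is a dict with "Name", an optional "LastAccessedDate"
    (timezone-aware datetime, or None if never retrieved) and an optional
    "PrimaryRegion". Returns the flagged secrets with a reason for each.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=idle_days)
    flagged = []
    for secret in secret_list:
        primary = secret.get("PrimaryRegion")
        if primary and primary != current_region:
            continue  # replica: counted once, in its primary region
        last_accessed = secret.get("LastAccessedDate")
        if last_accessed is None:
            reason = "never accessed"
        elif last_accessed < cutoff:
            # LastAccessedDate is truncated to the day, so idle time is day-granular
            reason = f"stale, idle for {(now - last_accessed).days} days"
        else:
            continue  # used recently enough: not waste
        flagged.append({"Name": secret["Name"], "Reason": reason})
    return flagged


def estimated_monthly_waste(flagged):
    """Recurring cost of the flagged secrets at the listed price."""
    return round(len(flagged) * SECRET_MONTHLY_COST_USD, 2)


# Constructed sample data (hypothetical names) standing in for a live ListSecrets call.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SECRETS = [
    {"Name": "prod/db/password", "LastAccessedDate": NOW - timedelta(days=2)},
    {"Name": "legacy/api-key", "LastAccessedDate": NOW - timedelta(days=200)},
    {"Name": "test/one-off", "LastAccessedDate": None},
    # replicated from eu-west-1, so it is skipped when scanning us-east-1
    {"Name": "shared/token", "LastAccessedDate": NOW - timedelta(days=200), "PrimaryRegion": "eu-west-1"},
]

if __name__ == "__main__":
    hits = find_unused_secrets(SAMPLE_SECRETS, current_region="us-east-1", now=NOW)
    for hit in hits:
        print(f"{hit['Name']}: {hit['Reason']}")
    print(f"estimated waste: ${estimated_monthly_waste(hits):.2f}/month")
```

Scanning the same list from eu-west-1 flags the replicated secret as well, since that is its primary region and the rule then applies to it.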