Fastest way is setup CloudWatch Events based on any API call in CloudTrail KMS The value in KMS is that the CMK used to encrypt data can never be retrieved by the user, and the CMK can be rotated for extra security. Never ever store your secrets in plaintext, especially in your code ...