https://aws.amazon.com/kms/
You can limit access to the keys based on IAM instance profiles. So that only certain instances can access specific credentials.