diff --git a/src/main/java/uk/ac/ox/ctl/ltiauth/AwsKeyPairLoadingService.java b/src/main/java/uk/ac/ox/ctl/ltiauth/AwsKeyPairLoadingService.java
index e1c63c5..05c5d94 100644
--- a/src/main/java/uk/ac/ox/ctl/ltiauth/AwsKeyPairLoadingService.java
+++ b/src/main/java/uk/ac/ox/ctl/ltiauth/AwsKeyPairLoadingService.java
@@ -20,7 +20,7 @@
  * Service to generate a key pair from jks file in AWS Secrets Manager.
  */
 @Service
-@Profile("!local")
+@Profile("aws")
 @Lazy
 public class AwsKeyPairLoadingService implements KeyPairLoadingService {
 
diff --git a/src/main/java/uk/ac/ox/ctl/ltiauth/LocalKeyPairLoadingService.java b/src/main/java/uk/ac/ox/ctl/ltiauth/LocalKeyPairLoadingService.java
index d344f1d..b73a44a 100644
--- a/src/main/java/uk/ac/ox/ctl/ltiauth/LocalKeyPairLoadingService.java
+++ b/src/main/java/uk/ac/ox/ctl/ltiauth/LocalKeyPairLoadingService.java
@@ -19,7 +19,7 @@
  *  * Service to generate a key pair from a local jks file.
  */
 @Service
-@Profile("local")
+@Profile("!aws")
 @Lazy
 public class LocalKeyPairLoadingService implements KeyPairLoadingService {
 
diff --git a/src/main/resources/application-aws.properties b/src/main/resources/application-aws.properties
index 4cb71f3..123bc8c 100644
--- a/src/main/resources/application-aws.properties
+++ b/src/main/resources/application-aws.properties
@@ -21,4 +21,6 @@ server.servlet.session.cookie.secure=true
 
 # As we are proxying through nginx
 server.tomcat.remoteip.remote-ip-header=x-forwarded-for
-server.tomcat.remoteip.protocol-header=x-forwarded-proto
\ No newline at end of file
+server.tomcat.remoteip.protocol-header=x-forwarded-proto
+
+spring.cloud.aws.secretsmanager.enabled=true
\ No newline at end of file
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 21c54a7..7ccb9de 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -60,3 +60,6 @@ management.endpoint.health.show-components=always
 # expose sentry endpoint, health is exposed by default, but as we override the include we need to add it back in
 management.endpoints.web.exposure.include=health,sentry
 
+# disable by default
+spring.cloud.aws.secretsmanager.enabled=false
+
diff --git a/src/test/resources/application-test.properties b/src/test/resources/application-test.properties
index 245c3d8..9620f16 100644
--- a/src/test/resources/application-test.properties
+++ b/src/test/resources/application-test.properties
@@ -38,7 +38,4 @@ spring.security.oauth2.client.provider.canvas.token-uri=https://sso.canvaslms.co
 spring.security.oauth2.client.provider.canvas.jwk-set-uri=https://sso.canvaslms.com/api/lti/security/jwks
 spring.security.oauth2.client.provider.canvas.user-name-attribute=sub
 
-# Disable the secrets manager as we don't have any secrets in AWS when testing.
-spring.cloud.aws.secretsmanager.enabled=false
-
 spring.profiles.active=local