diff --git a/packages/@aws-cdk/aws-secretsmanager/README.md b/packages/@aws-cdk/aws-secretsmanager/README.md
index fb3a61e920725..540cc9a7fa0be 100644
--- a/packages/@aws-cdk/aws-secretsmanager/README.md
+++ b/packages/@aws-cdk/aws-secretsmanager/README.md
@@ -44,8 +44,8 @@ A secret can set `RemovalPolicy`. If it set to `RETAIN`, that removing a secret
 ### Grant permission to use the secret to a role
 You must grant permission to a resource for that resource to be allowed to
-use a secret. This can be achieved with the `Secret.grantRead` and/or
-`Secret.grantWrite` method, depending on your need:
+use a secret. This can be achieved with the `Secret.grantRead` and/or `Secret.grantUpdate`
+ method, depending on your need:
 ```ts
 const role = new iam.Role(stack, 'SomeRole', { assumedBy: new iam.AccountRootPrincipal() });
diff --git a/packages/@aws-cdk/aws-secretsmanager/lib/secret.ts b/packages/@aws-cdk/aws-secretsmanager/lib/secret.ts
index 91cf18a7a8229..c0abdd48832c8 100644
--- a/packages/@aws-cdk/aws-secretsmanager/lib/secret.ts
+++ b/packages/@aws-cdk/aws-secretsmanager/lib/secret.ts
@@ -42,7 +42,7 @@ export interface ISecret extends IResource {
   grantRead(grantee: iam.IGrantable, versionStages?: string[]): iam.Grant;
   /**
-   * Grants writing the secret value to some role.
+   * Grants writing and updating the secret value to some role.
    *
    * @param grantee the principal being granted permission.
    */
@@ -166,7 +166,7 @@ abstract class SecretBase extends Resource implements ISecret {
     // See https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_identity-based-policies.html
     const result = iam.Grant.addToPrincipal({
       grantee,
-      actions: ['secretsmanager:PutSecretValue'],
+      actions: ['secretsmanager:PutSecretValue', 'secretsmanager:UpdateSecret'],
       resourceArns: [this.secretArn],
       scope: this,
     });
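Review bot: The updated doc comment on the write grant still describes the permission as acting on "the secret value", but `secretsmanager:UpdateSecret` (added to this method in the second hunk) also lets the grantee change the secret's metadata, notably its description and the KMS key it is encrypted with, so the docstring under-states what is granted. I would phrase it as `* Grants writing the secret value (PutSecretValue) and updating the secret's value and metadata, including its KMS key (UpdateSecret), to some role.` so callers can judge whether the wider grant is acceptable for their principal. The method's signature line sits outside this hunk; note also that the README hunk in this same diff now refers to `Secret.grantUpdate`, and no rename of the method is visible here, so if the method is still `grantWrite` the README reference is wrong.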
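Review bot: Adding `secretsmanager:UpdateSecret` to the grant widens it beyond writing a value: UpdateSecret also permits changing the secret's description and its KMS key, which is a metadata/configuration change rather than a write, and nothing in the hunk records or scopes that. At minimum the intent should be documented next to the action list, e.g. `// UpdateSecret also allows changing the secret's description and KMS key, not only its value; grantee is trusted with both.` Any KMS permissions this method grants on the secret's current key outside the hunk would not follow a key the grantee switches the secret to, so I would confirm the interaction is intended (a failed write is the likely outcome, but it should be a conscious choice). If a value-only write grant is still wanted, a separate method that grants only `PutSecretValue` would keep least privilege for callers that don't need UpdateSecret. The enclosing grantWrite body starts and ends outside this hunk.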
diff --git a/packages/@aws-cdk/aws-secretsmanager/test/test.secret.ts b/packages/@aws-cdk/aws-secretsmanager/test/test.secret.ts
index 1b10443ff69e2..89767231ee750 100644
--- a/packages/@aws-cdk/aws-secretsmanager/test/test.secret.ts
+++ b/packages/@aws-cdk/aws-secretsmanager/test/test.secret.ts
@@ -344,7 +344,10 @@ export = {
         PolicyDocument: {
           Version: '2012-10-17',
           Statement: [{
-            Action: 'secretsmanager:PutSecretValue',
+            Action: [
+              'secretsmanager:PutSecretValue',
+              'secretsmanager:UpdateSecret',
+            ],
             Effect: 'Allow',
             Resource: { Ref: 'SecretA720EF05' },
           }],
@@ -369,7 +372,10 @@ export = {
         PolicyDocument: {
           Version: '2012-10-17',
           Statement: [{
-            Action: 'secretsmanager:PutSecretValue',
+            Action: [
+              'secretsmanager:PutSecretValue',
+              'secretsmanager:UpdateSecret',
+            ],
             Effect: 'Allow',
             Resource: { Ref: 'SecretA720EF05' },
           }],