diff --git a/lib/openstax/aws/secrets.rb b/lib/openstax/aws/secrets.rb
index ea0a986..33defe4 100644
--- a/lib/openstax/aws/secrets.rb
+++ b/lib/openstax/aws/secrets.rb
@@ -51,18 +51,18 @@ def create(specifications: nil, substitutions: nil)
 def update(specifications: nil, substitutions: nil, force_update_these: [])
 existing_secrets = data!
 built_secrets = build_secrets(specifications: specifications, substitutions: substitutions)
- changed_secrets = self.class.changed_secrets(existing_secrets, built_secrets)
+ @changed_secrets = self.class.changed_secrets(existing_secrets, built_secrets)
 force_update_these.each do |force_update_this|
 built_secrets.select{|built_secret| built_secret[:name].match(force_update_this)}.each do |forced|
- changed_secrets.push(forced)
+ @changed_secrets.push(forced)
 end
 end
- changed_secrets.uniq!
+ @changed_secrets.uniq!
 OpenStax::Aws.logger.info("**** DRY RUN ****") if dry_run
- if changed_secrets.empty?
+ if @changed_secrets.empty?
 OpenStax::Aws.logger.info("Secrets did not change")
 return false
 else
@@ -70,8 +70,8 @@ def update(specifications: nil, substitutions: nil, force_update_these: [])
 # Ship 'em
 if !dry_run
- changed_secrets.each do |changed_secret|
- client.put_parameter(changed_secret.merge(overwrite: true))
+ @changed_secrets.each do |changed_secret|
+ write_secret(changed_secret)
 end
 end
@@ -79,6 +79,28 @@ def update(specifications: nil, substitutions: nil, force_update_these: [])
 end
 end
+ def revert
+ if @changed_secrets.empty?
+ OpenStax::Aws.logger.info("Secrets did not change during the last update, so there is nothing to revert")
+ else
+ reverted_secrets = @changed_secrets.map do |changed_secret|
+ changed_secret.dup.except(:old_value).merge(value: changed_secret[:old_value])
+ end
+
+ OpenStax::Aws.logger.info("Reverting the following secrets in the AWS parameter store: #{reverted_secrets}")
+
+ if !dry_run
+ reverted_secrets.each do |reverted_secret|
+ write_secret(reverted_secret)
+ end
+ end
+ end
+ end
+
+ def write_secret(secret)
+ client.put_parameter(secret.except(:old_value).merge(overwrite: true))
+ end
+
 def self.changed_secrets(existing_secrets_hash, new_secrets_array)
 existing_secrets_hash = existing_secrets_hash.with_indifferent_access
 new_secrets_array = new_secrets_array.map(&:with_indifferent_access)
@@ -96,6 +118,9 @@ def self.changed_secrets(existing_secrets_hash, new_secrets_array)
 new_secret[:description] == existing_secret[:description]
 end
+ # Keep the old value around in case we need to revert it
+ new_secrets[:old_value] = existing_secret[:value]
+
 array.push(new_secret)
 end
 end
diff --git a/lib/openstax/aws/stack.rb b/lib/openstax/aws/stack.rb
index 1676735..b33c49b 100644
--- a/lib/openstax/aws/stack.rb
+++ b/lib/openstax/aws/stack.rb
@@ -56,12 +56,16 @@ def template
 if absolute_template_path.present?
 OpenStax::Aws::Template.from_absolute_file_path(absolute_template_path)
 else
- body = client.get_template({stack_name: name}).template_body
- OpenStax::Aws::Template.from_body(body)
+ previous_template
 end
 end
 end
+ def previous_template
+ body = client.get_template({stack_name: name}).template_body
+ OpenStax::Aws::Template.from_body(body)
+ end
+
 def create(params: {}, wait: false)
 logger.info("**** DRY RUN ****") if dry_run
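Review bot: The "Reverting the following secrets…" log line in `revert` (lib/openstax/aws/secrets.rb) interpolates `reverted_secrets`, whose `:value` has just been set to the previous secret value, so every revert writes plaintext secret values to the logger. Log the names only: `OpenStax::Aws.logger.info("Reverting the following secrets in the AWS parameter store: #{reverted_secrets.map { |s| s[:name] }}")`. Separately, `@changed_secrets` is assigned only inside `update`, so calling `revert` first raises NoMethodError on `nil.empty?`; the guard should read `if @changed_secrets.nil? || @changed_secrets.empty?`. `write_secret` overwrites any parameter it is handed and no `private` marker is visible in the hunk, so it looks like it belongs below one.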
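Review bot: The added assignment in `self.changed_secrets` (lib/openstax/aws/secrets.rb) writes to `new_secrets[:old_value]`, while the surrounding context lines use the block variable `new_secret` (`array.push(new_secret)`). Unless a `new_secrets` local is defined outside the hunk, this raises NameError as soon as a secret has changed; the line should read `new_secret[:old_value] = existing_secret[:value]`. The start of the enclosing block is not in the hunk, so it is not visible whether `existing_secret` can be nil for a brand-new secret. If it can, this line needs a nil guard and `revert` must define what restoring a secret with no previous value means. `:old_value` also now travels in every hash of the changed list, so any log line that prints that list would expose the previous values as well.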
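Review bot: `previous_template` (lib/openstax/aws/stack.rb) now feeds the revert path, but it calls `client.get_template({stack_name: name})` without `template_stage`, and CloudFormation returns the processed template by default. For a stack whose template uses transforms, a revert would redeploy the expanded output rather than what was originally submitted; consider `body = client.get_template({stack_name: name, template_stage: "Original"}).template_body`. The name is also a little misleading, since the method fetches whatever is deployed at call time. `deployed_template` would parallel `deployed_parameters`, with a one-line comment such as `# Fetches the currently deployed template from CloudFormation (one API call per invocation)`.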
@@ -168,7 +172,9 @@ def create_change_set(options)
 def apply_change_set(params: {}, wait: false)
 logger.info("**** DRY RUN ****") if dry_run
+ # Save old template and parameters in case we need to revert
 @previous_parameters = deployed_parameters
+ @previous_template = previous_template
 logger.info("Updating #{name} stack...")
@@ -225,12 +231,14 @@ def apply_change_set(params: {}, wait: false)
 def revert_to_previous_change_set(wait: false)
 logger.info("**** DRY RUN ****") if dry_run
- if @previous_parameters
+ if @previous_parameters && @previous_template
 logger.info("Reverting to previous change set...")
+ @template = @previous_template
 apply_change_set(params: @previous_parameters, wait: wait)
 @previous_parameters = nil
+ @previous_template = nil
 else
- logger.info("There are no saved previous parameters for #{name} stack.")
+ logger.info("There are no saved previous parameters or template for #{name} stack.")
 end
 end
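Review bot: `@template = @previous_template` in `revert_to_previous_change_set` is never undone. If `template` memoizes into `@template` (its body is only partly visible in this diff), every later `apply_change_set` on the same object would keep deploying the reverted template instead of the file-based one. The override also stays in place, together with the saved `@previous_*` values, when `apply_change_set` raises partway through. If that persistence is not intended, scope the override to the revert call and restore it in an `ensure`, as sketched below.

```ruby
if @previous_parameters && @previous_template
  logger.info("Reverting to previous change set...")
  original_template = @template
  @template = @previous_template
  begin
    apply_change_set(params: @previous_parameters, wait: wait)
  ensure
    # Drop the override so later deploys resolve the regular template again
    @template = original_template
  end
  # … unchanged: clearing @previous_parameters and @previous_template …
```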