AWS Secrets Manager and Systems Manager Parameter Store are both AWS services for storing configuration data and secrets, but they serve different purposes: Secrets Manager is purpose-built for managing sensitive credentials with automatic rotation, encryption, and fine-grained access control, while Parameter Store is a general-purpose configuration store that can handle both secrets and non-sensitive parameters at a lower cost with simpler features.
Key Takeaways
Secrets Manager costs $0.40 per secret per month plus API call charges, while Parameter Store standard parameters are free and advanced parameters cost $0.05 per month. Secrets Manager provides automatic secret rotation, cross-region replication, and generates random secrets, features that Parameter Store lacks. Parameter Store offers higher throughput (10,000 TPS vs 5,000 TPS) and stores configuration data alongside secrets in a hierarchical structure. Secrets Manager encrypts all secrets by default using KMS, while Parameter Store supports both encrypted (SecureString) and plaintext parameters. Choose Secrets Manager for database credentials and API keys requiring rotation, Parameter Store for application configuration, feature flags, and cost-sensitive deployments with simple secrets.
What They Are
AWS Secrets Manager
Secrets Manager is a dedicated secrets management service designed specifically for storing and rotating sensitive information like database credentials, API keys, and OAuth tokens. It focuses on the complete lifecycle of secrets—creation, rotation, access control, and auditing.
The service includes built-in rotation capabilities for common databases like RDS, DocumentDB, and Redshift. You can also implement custom rotation logic using Lambda functions. Secrets Manager handles the complexity of updating credentials without causing application downtime.
All secrets are encrypted at rest using AWS KMS keys. The service integrates tightly with AWS services like RDS, which can create and rotate database credentials automatically without manual intervention.
Systems Manager Parameter Store
Parameter Store is part of AWS Systems Manager and serves as a general-purpose configuration store. It holds both secrets and non-sensitive data like configuration values, AMI IDs, license codes, and feature flags.
The service organizes parameters in a hierarchical structure using paths like /production/database/endpoint or /dev/api/timeout. This structure makes it easy to retrieve related parameters and manage permissions at different levels.
Parameter Store supports three parameter types: String for plaintext data, StringList for comma-separated values, and SecureString for encrypted secrets using KMS. You choose encryption based on sensitivity rather than having all values encrypted by default.
Pricing Comparison
Secrets Manager Costs
Secrets Manager charges $0.40 per secret per month, prorated hourly. A secret stored for 15 days costs approximately $0.20. If you store 100 database credentials, the monthly cost is $40 just for storage.
API calls cost $0.05 per 10,000 calls. Applications frequently retrieving secrets can accumulate significant API charges. A service making 1 million requests per month pays $5 in API fees.
There’s no free tier. Even a single secret costs $0.40 monthly. For small deployments with few secrets, this adds up quickly compared to free alternatives.
Parameter Store Costs
Standard parameters are completely free. You can store up to 10,000 parameters at no charge. Standard parameters support up to 4 KB of data, standard throughput (40 TPS per region), and don’t support parameter policies.
Advanced parameters cost $0.05 per parameter per month. These support up to 8 KB of data, higher throughput (1,000 TPS initially, 10,000 TPS after a limit increase), and parameter policies for expiration and notifications. Storing 100 advanced parameters costs $5 monthly.
API calls to Parameter Store are free regardless of volume. Applications can retrieve parameters millions of times without incurring API charges, making it cost-effective for high-traffic scenarios.
Cost Comparison Example
For 10 database credentials retrieved 100,000 times monthly: Secrets Manager costs $4.50 ($4 storage + $0.50 API calls). Parameter Store with advanced parameters costs $0.50 (storage only, free API calls). Parameter Store with standard parameters costs nothing.
The cost difference becomes substantial at scale. One hundred secrets cost $40/month in Secrets Manager versus $5/month for Parameter Store advanced parameters or free for standard parameters.
Secret Rotation
Secrets Manager Rotation
Secrets Manager provides automatic rotation out of the box. For supported databases like RDS MySQL, PostgreSQL, Oracle, and SQL Server, you enable rotation with a few clicks. Secrets Manager creates a Lambda function that handles the entire rotation process.
The rotation process follows AWS best practices: create new credentials, update the secret, verify the new credentials work, then mark them as current. Applications automatically get new credentials on the next retrieval without code changes.
You can configure rotation schedules from every few days to once a year. Secrets Manager sends CloudWatch Events when rotation succeeds or fails, enabling monitoring and alerting.
For custom secrets like third-party API keys, you write Lambda functions implementing rotation logic. Secrets Manager provides a rotation template and handles scheduling, but you implement the actual credential update with the external service.
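As an added illustration (not code from the article and not AWS's rotation template), the following Python models the four rotation steps against an in-memory stand-in for the Secrets Manager API and a fake database, so the promotion of a new version from the AWSPENDING staging label to AWSCURRENT, and the verify-before-promote safeguard, can be traced offline; FakeSecretsManager, FakeDatabase and their method names are constructed for this example.

```python
"""Four-step Secrets Manager rotation modelled offline (constructed example)."""
import secrets
import string

class FakeSecretsManager:
    """In-memory stand-in for the few Secrets Manager calls a rotation uses."""
    def __init__(self, current_secret):
        self.versions = {"v0": {"secret": current_secret, "labels": {"AWSCURRENT"}}}

    def get_secret_value(self, stage="AWSCURRENT"):
        return next(v["secret"] for v in self.versions.values() if stage in v["labels"])

    def put_secret_value(self, token, secret):
        # createSecret: a new version starts with only the AWSPENDING label
        self.versions[token] = {"secret": secret, "labels": {"AWSPENDING"}}

    def promote(self, token):
        # finishSecret: old AWSCURRENT becomes AWSPREVIOUS, the new version AWSCURRENT
        for vid, v in self.versions.items():
            if vid != token and "AWSCURRENT" in v["labels"]:
                v["labels"] = {"AWSPREVIOUS"}
        self.versions[token]["labels"] = {"AWSCURRENT"}

class FakeDatabase:
    """Stand-in for an RDS instance; accept_changes=False simulates a failed update."""
    def __init__(self, password, accept_changes=True):
        self.password, self.accept_changes = password, accept_changes

    def set_password(self, new_password):
        if self.accept_changes:
            self.password = new_password

    def login(self, password):
        return password == self.password

def generate_password(length=32):
    """Random password; in real rotation Secrets Manager's generator fills this role."""
    alphabet = string.ascii_letters + string.digits + "!#%&*+-=?@_"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def rotate(sm, db, token):
    """createSecret -> setSecret -> testSecret -> finishSecret; a failed test
    leaves AWSCURRENT untouched so running clients keep working credentials."""
    sm.put_secret_value(token, generate_password())            # createSecret
    db.set_password(sm.get_secret_value("AWSPENDING"))          # setSecret
    if not db.login(sm.get_secret_value("AWSPENDING")):         # testSecret
        raise RuntimeError("pending credential rejected; AWSCURRENT left unchanged")
    sm.promote(token)                                           # finishSecret
    return sm.get_secret_value("AWSCURRENT")
```

Because clients always read the AWSCURRENT label, the old password stays valid until the new one has been tested, which is why rotation does not require application code changes.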
Parameter Store Rotation
Parameter Store has no built-in rotation capability. If you need to rotate secrets stored in Parameter Store, you must build the entire system yourself.
You’d create Lambda functions triggered by CloudWatch Events, implement rotation logic, update parameters, and handle failures. This requires significant development and maintenance effort.
Parameter policies provide expiration notifications. You can configure a parameter to send CloudWatch Events before it expires, triggering manual or automated rotation workflows. However, this is just notification—the actual rotation logic is entirely your responsibility.
Features and Capabilities
Secrets Manager Features
Secrets Manager can generate random passwords and secrets. When creating a database credential, it generates complex passwords meeting your requirements without you having to create them manually.
Cross-region replication automatically copies secrets to multiple regions. This ensures availability during regional failures and simplifies multi-region deployments. Replicated secrets stay synchronized—rotating in one region updates all replicas.
Secret versioning maintains previous versions automatically. You can retrieve older versions by version ID or staging labels. Applications can test new credentials before promoting them to production.
Resource-based policies attach directly to secrets, allowing cross-account access without modifying IAM roles in other accounts. This simplifies secrets sharing across organizational boundaries.
Parameter Store Features
Hierarchical organization lets you structure parameters logically. You can retrieve all parameters under a path with a single API call, useful for loading application configuration at startup.
Parameter Store integrates with AWS services like EC2, ECS, Lambda, and CloudFormation. You can reference parameters directly in CloudFormation templates or pass them to containers as environment variables.
Parameter policies (advanced parameters only) enable expiration dates and change notifications. You can set parameters to expire after a certain time, triggering alerts to rotate or update them.
Parameter Store supports parameter labels for versioning. You can create labels pointing to specific versions, though this is less sophisticated than Secrets Manager’s staging label system.
Public parameters provide access to AWS-published data like AMI IDs and service endpoints. You can query the latest Amazon Linux AMI without hardcoding IDs.
Encryption
Secrets Manager Encryption
All secrets are encrypted at rest using AWS KMS. You cannot store unencrypted secrets in Secrets Manager. This enforces security best practices but means you must use KMS encryption for everything.
You choose between AWS managed keys (free) or customer managed keys (KMS charges apply). Customer managed keys provide more control over key policies, rotation, and auditing.
Secrets are encrypted in transit using TLS. The service never exposes secrets in plaintext outside secure API calls.
Parameter Store Encryption
Parameter Store offers three parameter types. String and StringList types store data in plaintext without encryption. Use these for non-sensitive configuration like region names or feature flags.
SecureString parameters encrypt data using KMS. You specify the KMS key when creating the parameter. This gives you flexibility—encrypt secrets while keeping non-sensitive data unencrypted to avoid unnecessary KMS costs.
You can use AWS managed keys or customer managed keys for SecureString encryption. Each SecureString retrieval incurs a KMS API call, contributing to KMS costs and potential throttling at high volumes.
Performance and Limits
Secrets Manager Limits
Secrets Manager supports up to 5,000 API requests per second per account per region. For most applications, this is sufficient, but high-traffic services might hit throttling limits.
Each secret can store up to 65,536 bytes (64 KB) of data. You can store complex JSON structures containing multiple credentials in a single secret.
You can store up to 500,000 secrets per region per account. This limit is rarely a concern for typical workloads.
Parameter Store Limits
Standard parameters support 40 requests per second per region. This is much lower than Secrets Manager and can cause throttling for high-traffic applications.
Advanced parameters support higher throughput: 1,000 TPS initially, increasable to 10,000 TPS through service limit requests. This makes Parameter Store suitable for high-volume scenarios when using advanced parameters.
Standard parameters hold up to 4 KB of data, advanced parameters up to 8 KB. For larger configuration data, you might need to split across multiple parameters or use alternative storage like S3.
You can store up to 10,000 parameters per account per region. This includes all parameter types. Organizations with extensive configuration needs might hit this limit and need to request increases.
Integration with AWS Services
Secrets Manager Integration
RDS and Aurora integrate directly with Secrets Manager. You can create a database with credentials stored and rotated by Secrets Manager automatically. The database and secret are linked, simplifying credential management.
ECS and EKS can inject secrets as environment variables or mount them as files. Applications retrieve secrets without calling AWS APIs directly, reducing code complexity.
CloudFormation supports dynamic references to Secrets Manager, letting you use secrets in templates without exposing them in plaintext.
Parameter Store Integration
Parameter Store integrates with more AWS services due to its broader purpose. EC2 instances can reference parameters in user data scripts. Lambda functions read parameters at startup or runtime.
CloudFormation supports dynamic references and AWS::SSM::Parameter resources. You can reference parameters without including actual values in templates.
Systems Manager automation documents and Run Command can retrieve parameters for executing tasks across fleets of instances.
AppConfig integrates with Parameter Store for feature flag and configuration management with deployment strategies like gradual rollouts and validation.
Access Control
Secrets Manager Access Control
Secrets Manager supports both IAM policies and resource-based policies. IAM policies control what users and roles can do with secrets. Resource-based policies attach to individual secrets, defining who can access them.
Resource-based policies simplify cross-account access. You attach a policy to a secret granting another account permission without modifying IAM roles in that account.
You can restrict access to specific secret versions or rotation operations. Fine-grained permissions let you limit who can rotate secrets versus who can only read them.
Parameter Store Access Control
Parameter Store uses IAM policies exclusively. You grant permissions using IAM roles and policies based on parameter names or paths.
The hierarchical structure enables path-based permissions. You can grant access to all parameters under /production/* while denying access to /production/database/*, creating flexible security boundaries.
Tags on parameters enable attribute-based access control. You can create IAM policies that grant access based on parameter tags rather than explicit parameter names.
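To make the path-based boundary concrete, here is an added Python example (not from the article or AWS) that evaluates a constructed IAM policy of that shape, Allow on /production/* with Deny on /production/database/*, using IAM's decision order of explicit Deny first, then Allow, then implicit deny; REGION and ACCOUNT_ID in the ARNs are placeholders.

```python
"""IAM decision order applied to Parameter Store paths (constructed example)."""
from fnmatch import fnmatchcase

# Policy in IAM JSON shape; REGION and ACCOUNT_ID are placeholders, not real values.
PARAMETER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ssm:GetParameter", "ssm:GetParametersByPath"],
         "Resource": "arn:aws:ssm:REGION:ACCOUNT_ID:parameter/production/*"},
        {"Effect": "Deny",
         "Action": "ssm:*",
         "Resource": "arn:aws:ssm:REGION:ACCOUNT_ID:parameter/production/database/*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, target):
    # IAM wildcards are only * and ?; escape '[' so fnmatch treats it literally
    return fnmatchcase(target, pattern.replace("[", "[[]"))

def _matches(statement, action, resource):
    """True when the statement names both the action and the resource ARN."""
    return (any(_glob(a, action) for a in _as_list(statement["Action"]))
            and any(_glob(r, resource) for r in _as_list(statement["Resource"])))

def parameter_arn(name):
    """The ARN is 'parameter' followed by the name: /production/x -> parameter/production/x."""
    return f"arn:aws:ssm:REGION:ACCOUNT_ID:parameter{name}"

def is_allowed(policy, action, parameter_name):
    """Explicit Deny wins over any Allow; no matching Allow means implicit deny."""
    resource = parameter_arn(parameter_name)
    matched = [s for s in policy["Statement"] if _matches(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in matched):
        return False
    return any(s["Effect"] == "Allow" for s in matched)
```

The same evaluation shows why a broad Allow on ssm:* at the account root is risky: only an explicit Deny, not the absence of an Allow, protects a sensitive subtree once a wider grant exists.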
Monitoring and Auditing
Both services integrate with CloudTrail for auditing API calls. You can see who accessed which secrets or parameters and when.
Secrets Manager provides CloudWatch Events for rotation success, rotation failure, and secret deletion. You can build alerting and automation around secret lifecycle events.
Parameter Store generates CloudWatch Events for parameter changes and expiration (advanced parameters). You can trigger Lambda functions or notifications when parameters are updated.
Both services publish CloudWatch metrics. Secrets Manager tracks API call counts and errors. Parameter Store tracks similar metrics and supports custom dashboards for monitoring parameter access patterns.
When to Use Secrets Manager
Use Secrets Manager for database credentials that require automatic rotation. The built-in RDS integration and rotation capabilities save significant development effort and reduce security risk from stale credentials.
Choose Secrets Manager for API keys and OAuth tokens from third-party services when you need rotation. While you’ll implement custom rotation logic, the framework and scheduling are handled for you.
Secrets Manager makes sense when you need cross-region replication for disaster recovery or multi-region deployments. The automatic synchronization simplifies architecture.