Learn how to choose between AWS Systems Manager Parameter Store and AWS Secrets Manager for managing sensitive data, by exploring their features, costs, and best use cases based on real-world insights.
I recently faced this exact dilemma while working on a project, and let me tell you it wasn’t an easy choice! Both AWS Parameter Store and AWS Secrets Manager offer solid solutions for managing sensitive data like API keys, credentials, and configuration settings. But the differences? That’s where the real challenge lies.
I had to dig deep into the features, costs, and use cases of each to make the best call for my project. And after some serious testing and consideration, I finally landed on the right tool.
If you’re in the same boat, here’s what I learned from my experience—and which service came out on top for me.
AWS provides two solutions for centralized storage and management of application configuration data and secrets: Systems Manager Parameter Store and Secrets Manager. Both expose simple APIs for integration and are designed to improve security and streamline operations.
A few key questions can help us decide which one to pick.
The two services share several similarities; let's categorize them:
Both Secrets Manager and Parameter Store can use AWS Key Management Service (KMS) to encrypt data. With KMS in place, IAM policies determine which IAM users and roles are authorized to decrypt the stored values. IAM policies alone can restrict access to these values, but encryption adds a further layer of protection and is often mandated by compliance requirements.
Both services enable the storage of values under specific names or keys. They also support the use of key prefixes or any other prefix structure suited to the application’s needs. This feature is beneficial, as it allows the application deployment to reference different parameters or secrets based on the deployment environment.
Infrastructure as Code (IaC) tools such as Terraform or CloudFormation are widely used to speed up delivery, avoid manual errors, and document the infrastructure itself. Storing secrets directly in these templates, however, is a poor security practice. Secrets (e.g., database usernames and passwords) should instead be stored in Parameter Store or Secrets Manager and referenced from the IaC tool, so the template points to the secret without exposing it in plaintext.
Both services support versioning of secret values. This allows you to view previous versions of your parameters or secrets in case you need them. You can choose to restore older versions of the parameters.
Parameter Store only allows one version of the parameter to be active at any given time.
Secrets Manager allows multiple versions to exist at the same time when you are performing a secret rotation using the staging labels.
Parameter Store: This service comes in two flavors:
1. Standard parameters:
2. Advanced parameters:
Secrets Manager: This is a paid offering. The cost for storing secrets is $0.40 per secret per month, while API interactions are billed at $0.05 for every 10,000 API calls.
Both offer great features. Secrets Manager has some advantages out of the box, but many of them can also be achieved with Parameter Store. Let's explore these features:
Parameter Store:
Secrets Manager: It can store secrets of up to 10KB.
Parameter Store: It is limited to 10,000 standard parameters per Region per account.
Secrets Manager: It is limited to 500,000 secrets per Region per account.
Parameter Store: We have to write our own function that updates credentials managed by Parameter Store and invoke it via a CloudWatch scheduled event or EventBridge.
Secrets Manager: It offers the ability to switch secrets at any given time and can be configured to regularly rotate depending on your requirements. It provides full key rotation integration with a few AWS services like RDS, Redshift, and DocumentDB. For other services, AWS allows you to write custom key rotation logic using an AWS Lambda function.
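The staging labels mentioned above are what let several versions of a secret exist at once during rotation. The following added example (not code from the original article or from AWS) models that behaviour in memory: a small stand-in for the Secrets Manager version/label API, and a single-user rotation that walks through the four steps a rotation Lambda performs. The "database" is a constructed dict; no AWS calls are made.

```python
# Added example (not code from the original article or from AWS): an in-memory
# model of Secrets Manager staging labels, used to walk through the four steps a
# rotation Lambda performs (createSecret, setSecret, testSecret, finishSecret).
# The "database" is a constructed dict standing in for RDS or any other target.
import itertools
import secrets

CURRENT, PENDING, PREVIOUS = "AWSCURRENT", "AWSPENDING", "AWSPREVIOUS"


class FakeSecretsManager:
    """Versions are {version_id: value}; each staging label points at one version."""

    def __init__(self, initial_value):
        self._ids = itertools.count(1)
        vid = f"v{next(self._ids)}"
        self.versions = {vid: initial_value}
        self.labels = {CURRENT: vid}

    def get_secret_value(self, stage=CURRENT):
        return self.versions[self.labels[stage]]

    def put_secret_value(self, value, stage=PENDING):
        vid = f"v{next(self._ids)}"
        self.versions[vid] = value
        self.labels[stage] = vid          # the new version coexists with AWSCURRENT
        return vid

    def update_secret_version_stage(self, stage, move_to, remove_from=None):
        # Mirrors the real API's guard: the label must currently sit on remove_from.
        if remove_from is not None and self.labels.get(stage) != remove_from:
            raise ValueError(f"{stage} is not on version {remove_from}")
        self.labels[stage] = move_to


def rotate(sm, db, user):
    """Single-user rotation. Returns the version id that became AWSCURRENT."""
    # createSecret: generate and stage the new credential as AWSPENDING.
    pending = sm.put_secret_value(secrets.token_urlsafe(24), PENDING)
    # setSecret: push the pending credential to the target system.
    db[user] = sm.get_secret_value(PENDING)
    # testSecret: prove the pending credential works before anything is promoted.
    if db.get(user) != sm.get_secret_value(PENDING):
        raise RuntimeError("pending credential rejected; AWSCURRENT left unchanged")
    # finishSecret: old AWSCURRENT becomes AWSPREVIOUS, pending becomes AWSCURRENT.
    old = sm.labels[CURRENT]
    sm.update_secret_version_stage(PREVIOUS, move_to=old)
    sm.update_secret_version_stage(CURRENT, move_to=pending, remove_from=old)
    del sm.labels[PENDING]
    return pending
```

Until finishSecret runs, a client asking for AWSCURRENT still receives the old credential, which is why a failed testSecret leaves applications unaffected.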
Parameter Store: Not supported out of the box.
Secrets Manager: Secrets can be accessed from another AWS account, which makes sharing them across accounts easier. This is useful when secrets are centrally managed from a separate AWS account, or when a customer needs to share a particular secret with a partner.
Parameter Store: It doesn’t support cross-region replication out of the box.
Secrets Manager: It lets you easily replicate your secrets in multiple AWS Regions to support applications spread across those Regions as well as disaster recovery scenarios.
You want a cheaper option to store encrypted or unencrypted secrets and are willing, in exchange for cost savings, to build the features that Secrets Manager provides by default.
You want to store only encrypted values and need a super easy way to manage the rotation of secrets. For instance, for organizations that have to be PCI compliant where the mandate is to rotate passwords every 90 days, AWS Secrets Manager makes that a very easy and seamless process.
Functionality | Parameter Store | Secrets Manager | Description |
---|---|---|---|
Encryption at rest | ✅ | ✅ | AWS KMS |
Encryption in transit | ✅ | ✅ | TLS |
Strong IAM-based ACLs | ✅ | ✅ | Access controls applied using IAM |
Audit logs via CloudTrail | ✅ | ✅ | Captures API calls |
Developer experience | ✅ | ✅ | Delivers full dev experience features |
Works on-premises | ✅ | ✅ | Using AWS API endpoints |
Parameter versioning | ✅ | ✅ | Previous versions are saved |
Password rotation | | ✅ | Automatically rotates passwords |
VPC endpoint | ✅ | ✅ | Private connectivity (PrivateLink) |
Size limit | ✅ | ✅ | Secrets Manager = 64KB; Parameter Store = 4-8KB |
TTL | ✅ | | Time to Live for params or secrets |
Cross-Region support | | ✅ | Secrets can be replicated across Regions |
CloudFormation support | ✅ | ✅ | Can be managed using this tool |
Terraform support | ✅ | ✅ | Can be managed using this tool |
Tagging | ✅ | ✅ | Allows grouping of secrets/parameters |
Secret hierarchy | ✅ | | Path structure, e.g. /app/db/pwd |
Compliance standards | SOC, PCI, FedRAMP, HIPAA, others | HIPAA, PCI, ISO, AICPA, FedRAMP, IRAP, OSPAR, others | Compliance standards supported by default |
Pricing | Free for standard parameters | $0.40 per secret per month and $0.05 per 10k API calls | May vary; consult the pricing pages |
Both are great solutions for storing confidential secrets, license codes, application settings, environmental configurations for applications, IaC configuration secrets and more.
Secrets Manager gets ahead thanks to its built-in features, ease of use, and encryption by default. However, the same features can be built on top of Parameter Store using a mix of AWS services and some time for coding, maintenance, and troubleshooting. At the end of the day, the choice between the two depends on your time to delivery, out-of-the-box compliance needs, and project budget.
Francisco Maestra is an AWS Solutions Architect with a passion for demystifying the complexities of cloud technology. His journey began with no prior knowledge of the AWS Cloud, but through persistence, study, hands-on learning, certifications, and a deep curiosity about how technology could transform businesses, he now enjoys helping organizations leverage the power of AWS to drive innovation, resiliency, cost-efficiency, security, and performance.