
Secrets Manager vs Parameter Store: Which Should You Use?

Compare AWS Secrets Manager and Parameter Store differences, costs, and features. Learn selection criteria for this SAA-C03 exam must-know topic.

PHILOLAMB - Updated: January 31, 2026
Tags: Secrets Manager, Parameter Store, Secrets, Credentials, Security

Related Exam Domains

  • Domain 1: Design Secure Architectures

Key Takeaway

Choose Secrets Manager if you need automatic rotation; choose Parameter Store for free, simple storage. Secrets Manager excels at RDS credential auto-rotation and cross-region replication, while Parameter Store is optimized for free-tier usage and configuration value storage.

Exam Tip

Exam Essential: "RDS credential automatic rotation" → Secrets Manager. "Free configuration storage" → Parameter Store (Standard). Both services can be encrypted with KMS.

| Feature | Secrets Manager | Parameter Store |
|---|---|---|
| Primary Use | Full credential lifecycle management | Configuration values + simple secrets |
| Auto Rotation | ✅ Built-in (RDS, Redshift, etc.) | ❌ Manual implementation required |
| Cost | $0.40/secret/month + API calls | Free (Standard), $0.05/parameter/month (Advanced) |
| Cross-Region Replication | ✅ Built-in | ❌ Manual implementation required |
| Max Size | 64KB | 4KB (Standard), 8KB (Advanced) |

When Should You Use Each Service?

When to Choose Secrets Manager

Secrets Manager Use Cases:
├── RDS/Aurora credential auto-rotation
├── Redshift, DocumentDB credential management
├── Cross-region secret replication for DR
├── Periodic API key rotation
├── Compliance requirements (HIPAA, PCI-DSS)
└── Secret versioning and audit trails

When to Choose Parameter Store

Parameter Store Use Cases:
├── Environment variables and config values (free)
├── Static API keys that don't need rotation
├── CloudFormation/CDK parameter sharing
├── Hierarchical configuration management (/app/prod/db-host)
├── Cost minimization is priority
└── Mixed storage of non-sensitive data

Selection Flowchart

Need to store secrets/config values?
│
├── Need automatic rotation?
│   └── YES → Secrets Manager
│
├── RDS/Redshift credentials?
│   └── YES → Secrets Manager (native integration)
│
├── Need cross-region replication?
│   └── YES → Secrets Manager
│
├── Is cost the primary concern?
│   └── YES → Parameter Store (free tier)
│
└── Want to manage config values and secrets together?
    └── YES → Parameter Store (hierarchical structure)

Detailed Feature Comparison

Automatic Rotation

| Feature | Secrets Manager | Parameter Store |
|---|---|---|
| Built-in Rotation | ✅ AWS-managed (RDS, Redshift, etc.) | ❌ Not supported |
| Custom Rotation | ✅ Lambda function integration | Manual implementation required |
| Rotation Schedule | 1 day to 365 days, configurable | N/A |

Secrets Manager Auto-Rotation Flow:
1. Set rotation schedule (e.g., every 30 days)
2. AWS automatically invokes Lambda function
3. Generate new credentials
4. Apply new credentials to database
5. Application automatically uses new credentials

Exam Tip

Exam Point: For RDS master credential rotation, Aurora maintains the connection automatically, while regular RDS may require the application to reconnect.

Cost Structure

| Item | Secrets Manager | Parameter Store (Standard) | Parameter Store (Advanced) |
|---|---|---|---|
| Base Fee | $0.40/secret/month | Free | $0.05/parameter/month |
| API Requests | $0.05/10,000 calls | Free | $0.05/10,000 calls |
| Max Size | 64KB | 4KB | 8KB |
| Max Count | Unlimited | 10,000 | 100,000 |

Cost Calculation Example (100 secrets, 1M API calls/month):

Secrets Manager:
├── Secrets: 100 × $0.40 = $40
├── API: 1,000,000 ÷ 10,000 = 100 blocks × $0.05 = $5
└── Total: $45/month

Parameter Store (Standard):
├── Parameters: Free
├── API: Free
└── Total: $0/month

Parameter Store (Advanced):
├── Parameters: 100 × $0.05 = $5
├── API: 1,000,000 ÷ 10,000 = 100 blocks × $0.05 = $5
└── Total: $10/month

Data Size and Count

| Item | Secrets Manager | Parameter Store |
|---|---|---|
| Max Value Size | 64KB | 4KB / 8KB (Advanced) |
| Version Control | ✅ (automatic) | ✅ (Advanced only) |
| Labeling | ✅ (AWSCURRENT, AWSPREVIOUS) | |

Service Integrations

| Integration | Secrets Manager | Parameter Store |
|---|---|---|
| RDS Auto-Rotation | ✅ Native | |
| Redshift | ✅ Native | |
| DocumentDB | ✅ Native | |
| ECS/EKS | | |
| Lambda | | |
| CloudFormation | | |
| CodeBuild/CodePipeline | | |

Encryption

KMS Integration

Encryption Methods:

Secrets Manager:
├── Default: AWS managed key (aws/secretsmanager)
├── Optional: Customer managed CMK
└── All secrets automatically encrypted

Parameter Store:
├── String: No encryption (plaintext)
├── StringList: No encryption (plaintext)
└── SecureString: KMS encryption (optional)
    ├── Default: AWS managed key (aws/ssm)
    └── Optional: Customer managed CMK

Exam Tip

Exam Point: Only Parameter Store's SecureString type is encrypted. Regular String is stored in plaintext! Secrets Manager encrypts all secrets automatically.
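The String-versus-SecureString distinction above is easy to get wrong in practice, so an audit that walks every parameter and flags secret-looking names that are not SecureString is a useful control. This is an added example, not code from the original post; the SENSITIVE name pattern is an assumption to tune per team, and FakeSSMMetadata is a constructed stand-in for the boto3 SSM client so the block runs offline.

```python
"""Find Parameter Store entries that look like secrets but are not SecureString."""
import re

try:
    import boto3  # optional so the example runs offline on the constructed sample
except ImportError:
    boto3 = None

# Name fragments that usually denote a credential. Assumption: tune this per team.
SENSITIVE = re.compile(r"password|passwd|secret|token|api[-_]?key|private[-_]?key", re.I)


def iter_parameters(client):
    """Yield parameter metadata from describe_parameters, following NextToken pages."""
    kwargs = {}
    while True:
        resp = client.describe_parameters(**kwargs)
        yield from resp["Parameters"]
        if not resp.get("NextToken"):
            return
        kwargs["NextToken"] = resp["NextToken"]


def find_plaintext_secrets(parameters):
    """Return (name, type) for parameters with a secret-like name stored as
    String or StringList, which Parameter Store keeps in plaintext."""
    return [(p["Name"], p["Type"]) for p in parameters
            if p["Type"] != "SecureString" and SENSITIVE.search(p["Name"])]


def audit(client=None):
    """Run the check against a real SSM client, or an injected stand-in."""
    client = client or boto3.client("ssm")
    return find_plaintext_secrets(iter_parameters(client))


class FakeSSMMetadata:
    """Constructed stand-in returning two describe_parameters pages."""
    PAGES = [
        {"Parameters": [
            {"Name": "/myapp/prod/db-host", "Type": "String"},
            {"Name": "/myapp/prod/db-password", "Type": "SecureString"},  # fine
            {"Name": "/myapp/dev/db-password", "Type": "String"},         # finding
        ], "NextToken": "page-2"},
        {"Parameters": [
            {"Name": "/myapp/dev/api-key", "Type": "StringList"},         # finding
            {"Name": "/myapp/dev/api-endpoint", "Type": "String"},
        ]},
    ]

    def describe_parameters(self, NextToken=None, **_):
        return self.PAGES[1 if NextToken else 0]
```

Against a real account, `audit()` with no argument uses `boto3.client("ssm")` and needs only ssm:DescribeParameters, which returns metadata without values.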


Practical Usage Examples

Secrets Manager: RDS Credential Management

# Python (boto3) Example
import boto3
import json

client = boto3.client('secretsmanager')

# Retrieve secret (SecretString holds the JSON document shown below)
response = client.get_secret_value(SecretId='prod/myapp/rds')
secret = json.loads(response['SecretString'])

# Database connection
db_host = secret['host']
db_user = secret['username']
db_pass = secret['password']

Secret structure stored in Secrets Manager (JSON):
{
  "username": "admin",
  "password": "auto-rotated-password-xyz",
  "engine": "mysql",
  "host": "mydb.cluster-xxx.us-east-1.rds.amazonaws.com",
  "port": 3306,
  "dbname": "myapp"
}

Parameter Store: Hierarchical Configuration Management

Parameter Store Hierarchy:
/myapp/
├── /prod/
│   ├── /db-host          → "prod-db.example.com"
│   ├── /db-port          → "3306"
│   ├── /api-endpoint     → "https://api.example.com"
│   └── /db-password      → (SecureString) "encrypted..."
└── /dev/
    ├── /db-host          → "dev-db.example.com"
    ├── /db-port          → "3306"
    └── /api-endpoint     → "https://dev-api.example.com"

# Python Example
import boto3

ssm = boto3.client('ssm')

# Single parameter retrieval
response = ssm.get_parameter(
    Name='/myapp/prod/db-host',
    WithDecryption=True  # Decrypt SecureString
)
db_host = response['Parameter']['Value']

# Path-based multi-parameter retrieval
response = ssm.get_parameters_by_path(
    Path='/myapp/prod/',
    WithDecryption=True
)
for param in response['Parameters']:
    print(f"{param['Name']}: {param['Value']}")
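One caveat the snippet above does not show: get_parameters_by_path returns at most 10 parameters per call and signals the rest with NextToken, so a single call silently truncates a larger hierarchy. The loader below follows the pages and turns the prefix into short config keys. It is an added example, not code from the original post; FakeSSM and SAMPLE are constructed stand-ins for the boto3 SSM client and the page's /myapp/prod/ hierarchy so the block runs offline.

```python
"""Load a Parameter Store hierarchy into a dict, following NextToken pages."""
try:
    import boto3  # optional so the example also runs offline with FakeSSM below
except ImportError:
    boto3 = None


def load_config(path, client=None, decrypt=True):
    """Return {short_name: value} for every parameter under `path`.

    Follows NextToken until the last page, so hierarchies larger than one
    page (10 parameters) are read completely. `client` is any object exposing
    get_parameters_by_path (the real boto3 SSM client when not injected).
    """
    if client is None:
        client = boto3.client("ssm")
    prefix = path if path.endswith("/") else path + "/"
    config = {}
    kwargs = {"Path": prefix, "Recursive": True, "WithDecryption": decrypt}
    while True:
        resp = client.get_parameters_by_path(**kwargs)
        for p in resp["Parameters"]:
            # "/myapp/prod/db-host" -> "db-host"; deeper names keep their "/".
            config[p["Name"][len(prefix):]] = p["Value"]
        if not resp.get("NextToken"):
            return config
        kwargs["NextToken"] = resp["NextToken"]


class FakeSSM:
    """Constructed stand-in for the boto3 SSM client: serves 10 items per page."""
    PAGE_SIZE = 10

    def __init__(self, params):
        self._params = sorted(params.items())

    def get_parameters_by_path(self, Path, NextToken="0", **_):
        matching = [(n, v) for n, v in self._params if n.startswith(Path)]
        start = int(NextToken)
        page = matching[start:start + self.PAGE_SIZE]
        out = {"Parameters": [{"Name": n, "Value": v} for n, v in page]}
        if start + self.PAGE_SIZE < len(matching):
            out["NextToken"] = str(start + self.PAGE_SIZE)
        return out


# Constructed sample: 12 parameters, so an unpaginated call would drop two.
SAMPLE = {f"/myapp/prod/feature-{i:02d}": "on" for i in range(9)}
SAMPLE.update({"/myapp/prod/db-host": "prod-db.example.com",
               "/myapp/prod/db-port": "3306",
               "/myapp/prod/db-password": "s3cret"})  # SecureString in real use
```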

Cross-Region Replication

Secrets Manager Replication

Secrets Manager Replication Setup:
1. Create primary secret (us-east-1)
2. Add replica region (eu-west-1)
3. AWS automatically synchronizes

Features:
├── Values can only be modified in primary region
├── Replicas are read-only
├── Auto-replicates on rotation
└── Suitable for DR scenarios

Parameter Store (Manual Implementation Required)

Parameter Store Cross-Region:
├── No native AWS replication support
├── Can implement with EventBridge + Lambda
└── Can deploy with CloudFormation StackSets

Exam Tip

Exam Point: When "cross-region secret replication" is required → Secrets Manager. Parameter Store does not support native replication.


ECS/Lambda Integration

ECS Task Definition

Secrets Manager Integration:
{
  "containerDefinitions": [{
    "secrets": [{
      "name": "DB_PASSWORD",
      "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-password"
    }]
  }]
}

Parameter Store Integration:
{
  "containerDefinitions": [{
    "secrets": [{
      "name": "DB_HOST",
      "valueFrom": "arn:aws:ssm:us-east-1:123456789012:parameter/myapp/prod/db-host"
    }]
  }]
}

Lambda Environment Variables

Lambda Secret Reference Methods:
├── Store directly in env vars (❌ Not recommended)
├── Use Lambda Extensions (caching supported)
└── Direct API call in code (implement caching recommended)

SAA-C03 Exam Focus Points

Common Question Types

| Scenario | Answer |
|---|---|
| "RDS credential automatic rotation" | Secrets Manager |
| "Free configuration storage" | Parameter Store (Standard) |
| "Cross-region secret replication" | Secrets Manager |
| "Hierarchical per-environment config management" | Parameter Store |
| "Automatic API key rotation every 30 days" | Secrets Manager |
| "Value sharing between CloudFormation stacks" | Parameter Store |
| "Cost minimization + simple password storage" | Parameter Store (SecureString) |

Common Traps

❌ Parameter Store also supports automatic rotation
   → Must implement manually with Lambda

❌ Secrets Manager has a free tier
   → Always paid ($0.40/secret/month)

❌ All Parameter Store types are encrypted
   → Only SecureString is encrypted, String/StringList are plaintext

❌ Both services support cross-region replication
   → Only Secrets Manager has native support

❌ Secrets Manager is suitable for config value storage
   → Not cost-effective, Parameter Store recommended

Frequently Asked Questions

Q: Can I use both services together?

Yes, many organizations use both services together.

  • Secrets Manager: Database credentials, API keys needing auto-rotation
  • Parameter Store: Environment config, non-sensitive data, cost minimization

Q: How can I reduce Secrets Manager costs?

  1. Use caching: Leverage SDK-provided caching libraries
  2. Minimize API calls: Retrieve once at application startup
  3. Consolidate secrets: Store multiple values in a single JSON secret
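The "implement caching" advice in the Lambda section and the cost-reduction points above (cache, fetch once, consolidate values into one JSON secret) fit in one small wrapper: it fetches a JSON secret once, serves it for a TTL, and can be invalidated when a connection fails after rotation so the next call picks up the new credentials. This is an added example, not code from the original post or an AWS library; FakeSecretsManager is a constructed stand-in for the boto3 client holding the page's sample secret, and the injectable clock is a testing convenience.

```python
"""Cached Secrets Manager reads: one API call per TTL window, not per request."""
import json
import time

try:
    import boto3  # optional so the example runs offline with the fake client below
except ImportError:
    boto3 = None


class SecretCache:
    """Fetch a JSON secret once and reuse the parsed value for `ttl` seconds."""

    def __init__(self, client=None, ttl=300, clock=time.monotonic):
        self._client = client or boto3.client("secretsmanager")
        self._ttl = ttl
        self._clock = clock          # injectable so tests can advance time
        self._entries = {}           # secret_id -> (expires_at, parsed dict)

    def get(self, secret_id):
        now = self._clock()
        hit = self._entries.get(secret_id)
        if hit and hit[0] > now:
            return hit[1]            # cache hit: no API call, no $0.05/10k charge
        resp = self._client.get_secret_value(SecretId=secret_id)
        raw = resp.get("SecretString")
        if raw is None:              # binary secrets exist too; this cache is JSON-only
            raise ValueError(f"{secret_id}: SecretBinary is not supported by this cache")
        value = json.loads(raw)
        self._entries[secret_id] = (now + self._ttl, value)
        return value

    def invalidate(self, secret_id):
        """Drop the entry, e.g. after an auth failure following rotation."""
        self._entries.pop(secret_id, None)


class FakeSecretsManager:
    """Constructed stand-in: serves the page's sample secret and counts API calls."""

    def __init__(self):
        self.calls = 0
        self.secret = {"username": "admin", "password": "auto-rotated-password-xyz",
                       "engine": "mysql", "port": 3306, "dbname": "myapp",
                       "host": "mydb.cluster-xxx.us-east-1.rds.amazonaws.com"}

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": json.dumps(self.secret)}
```

In Lambda, create the SecretCache at module scope so warm invocations share it; a TTL slightly shorter than the rotation interval plus invalidate() on auth errors covers the rotation hand-off.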

Q: Can I rotate Parameter Store SecureString?

Manual implementation is required. Use EventBridge schedule + Lambda function to periodically update values. AWS-managed rotation like Secrets Manager is not provided.

Q: Which service is more secure?

Both are secure. Both services support KMS encryption, IAM policies, and VPC Endpoints. The difference is that Secrets Manager is more specialized for enterprise security features such as rotation and audit trails.

Q: How do I migrate between services?

Parameter Store → Secrets Manager:
1. Create new secret in Secrets Manager
2. Modify application code (change API calls)
3. Delete Parameter Store parameter after testing

Secrets Manager → Parameter Store:
1. Create SecureString parameter in Parameter Store
2. Modify application code
3. Implement rotation logic manually (if needed)
4. Delete secret after testing

Summary

Secrets Manager and Parameter Store each have their strengths:

| Criteria | Choice |
|---|---|
| Auto rotation | Secrets Manager |
| Free usage | Parameter Store |
| RDS integration | Secrets Manager |
| Config value management | Parameter Store |
| Cross-region | Secrets Manager |

For exams, remember automatic rotation = Secrets Manager, free/config values = Parameter Store to solve most questions.
