AWS Secrets Manager vs Parameter Store

What this problem means

You need to store secrets—API keys, database passwords, certificates—in AWS. Two main options: Secrets Manager and Parameter Store (Systems Manager). Both work, but they have different strengths.

Why this matters

- Security: Secrets in code or config files get committed and leaked.

- Rotation: Some secrets need automatic rotation (e.g., RDS passwords).

- Cost: Secrets Manager costs more per secret. Parameter Store has a free tier.

Real-world example

A startup stored database credentials in environment variables. A developer committed a config file with the password to a public repo. The key was scraped. They migrated to Secrets Manager and set up rotation. Parameter Store would have worked too—but they needed RDS credential rotation.

How to choose

Secrets Manager when you need:

- Automatic rotation (RDS, Redshift, DocumentDB)

- Cross-account access

- Audit trail (CloudTrail integration)

- Higher cost is acceptable ($0.40/secret/month)

Parameter Store when you need:

- Simple key-value storage

- Free tier (standard params)

- Integration with Lambda, ECS, etc.

- No rotation required

Tools and configurations

- Secrets Manager: Automatic rotation, cross-account, audit.

- Parameter Store: Free tier, simple, Lambda/ECS integration.

- Both: Support IAM policies, encryption, versioning.

Common mistakes

- Storing secrets in code or config files.

- Using Parameter Store for secrets that need rotation (use Secrets Manager).

- Overpaying for Secrets Manager when Parameter Store would work.

Quick checklist

- [ ] Never store secrets in code or config files

- [ ] Use Secrets Manager for RDS/Redshift credentials (rotation)

- [ ] Use Parameter Store for simple key-value (free tier)

- [ ] Restrict access with IAM

- [ ] Enable encryption