AWS Parameter Store vs Secrets Manager: Detailed Comparison
When developing applications, it is often necessary to create connections between different systems. This could be to a database, to retrieve a user's profile, or to an API that has access to certain metadata. When doing so, your application will usually need to authenticate itself. How does your application access the necessary credentials to achieve this? Storing credentials directly into code or using unencrypted configuration files is poor practice. Secure credential management is therefore important to proper applications development.
In this article, we will explore two options that are available for credential management on the popular Amazon Web Services platform: AWS Systems Manager Parameter Store and AWS Secrets Manager. By reading further, you will be able to determine which of these is the better option, based on your requirements.
Credential management
Before comparing these services, it’s worthwhile asking yourself some questions about the current credential management method used in your organization:
- what credentials does my organization use?
- what applications need access to credentials?
- where are my applications hosted?
- where are credentials stored?
- are they encrypted and is access restricted?
- who creates credentials?
- who accesses credentials?
- how do I know which credentials to use?
- do credentials get updated/rotated?
These questions do not change despite the size of an organization, but the answers to them very likely will. For example, a start-up will have different ways of doing things when compared to a larger or more established business. It’s worth noting that credential management is more than just storing credentials securely – access controls and credential lifecycle management also play an important role..
Service comparison
Helpfully, AWS provides descriptions and use cases for Secrets Manager and Parameter Store that allow us to choose between them. By looking at their available API operations, we can also get an idea of their suitability to different use cases. In the next section, we will provide some major comparisons between the tools, but to get started, we have provided a quick summary table below.
| AWS Systems Manager Parameter Store | AWS Secrets Manager | |
|---|---|---|
| Introduced | 2016 | 2018 |
| AWS use case description | Centralized place to manage configuration data | Rotate, manage and retrieve secrets throughout their lifecycle |
| API operations |
|
|
| API Quotas | Default throughput: 40 requests per second
Higher throughput: 100 requests per second Possible to request 1,000 requests per second |
50 requests per second
5,000 requests per second for GetSecretValue and DescribeSecret |
| Pricing dimensions | Standard tier
Free for up to 10,000 parameters for values up to 4 KB. Advanced tier More than 10,000 parameters, values up to 8 KB and parameter policies. Storage $0.05 per advanced parameter per month. API operations $0.05 per 10,000 API calls. Intelligent-Tiering Standard or Advanced tier used automatically |
No free tier, 30-day trial period
Storage $0.40 per secret per month, up to 64 KB API operations $0.05 per 10,000 API calls. |
| Storage limits | Standard
10,000 parameters Advanced 100,000 parameters |
500,000 secrets |
| Monitoring | AWS CloudTrail
Amazon CloudWatch Amazon EventBridge Amazon Simple Notification Service (Amazon SNS) |
AWS CloudTrail
Amazon CloudWatch |
| Tagging | Supported | Supported |
| VPC Endpoint | Supported | Supported |
| Cross-account access | Not supported | Supported |
| Disaster Recovery | No | By default there is a recovery period of 30 days for a deleted secret. |
| CloudFormation | Supported, but cannot create SecureString. | Supported |
|
Platform
|
Provisioning Automation |
Security Management |
Cost Management |
Regulatory Compliance |
Powered by Artificial Intelligence |
Native Hybrid Cloud Support
|
|---|---|---|---|---|---|---|
|
AWS Native Tools |
✔
|
✔
|
✔
|
|||
|
CoreStack
|
✔
|
✔
|
✔
|
✔
|
✔
|
✔
|
Parameter Store vs Secrets Manager
Parameter Store is more than just a secrets store and is actually a feature of AWS Systems Manager, for centralizing configuration data. A stored parameter could be anything: a URL, a password or a license key.
Secrets Manager is designed specifically for the management of secrets and boasts features including automated secret rotation and random password generation.
API operations
The benefit of these services is that they both provide a programmatic way to manage credentials via API. AWS also provides SDKs in multiple programming languages. We will now look at some basic API operations for each service, where we will use the AWS SDK for Python, Boto3.
Creating credentials
We can create a Parameter Store SecureString parameter via the PutParameter API operation:
import boto3
session = boto3.session.Session(profile_name='parameter_store')
ssm_client = session.client('ssm',region_name='<region>')
response = ssm_client.put_parameter(
Name='/Dev/API_KEY_EX1',
Description='Example SecureString Parameter for Dev',
Value='password',
Type='SecureString', #'String'|'StringList'|'SecureString',
# KeyId='string',
# Overwrite=True|False,
# AllowedPattern='string',
# Tags=[
# {
# 'Key': 'string',
# 'Value': 'string'
# },
# ],
Tier='Intelligent-Tiering' #'Standard'|'Advanced'|'Intelligent-Tiering',
# Policies='string',
# DataType='string'
)
The Name, Value and Type are required and the Description is recommended to help manage credentials. If the Tier is omitted, it will be determined by the default tier configuration, which can be set via the AWS Management Console or UpdateServiceSetting API operation.
By specifying Tier='Intelligent-Tiering', the service determines whether the Standard or Advanced tier should be used. For this parameter, the Standard tier was used because we did not specify any advanced options. If we had included a Policies option, then the Advanced tier would have been used because this is only available for Advanced tier parameters. Parameter policies can be used to:
- specify when a parameter expires (Expiration)
- receive an expiration notification (ExpirationNotification)
- or a no changed notification (NoChangeNotification)
These notifications could also be used to trigger actions via AWS Lambda.
The KeyId option specifies the Key Management Service (KMS) ID used for encryption. When leaving this blank, the default KMS key (aws/ssm) is used to encrypt the Value=’password’. You will find this KMS Key under the AWS managed keys within the AWS Key Management Service (KMS). The other Types, String and StringList, should not be used for storing credentials as they will not be encrypted.
From the AWS Management Console, we can see the newly created parameter.
The newly created parameter is visible in the AWS Management Console.
To retrieve the credential later, we can use the GetParameter API operation and specify the name. By using WithDecryption=True the ‘Value’ is decrypted and can now be used by our application:
response = ssm_client.get_parameter(
Name='/Dev/API_KEY_EX1',
WithDecryption=True
)
print(response)
# {'Parameter': {'Name': '/Dev/API_KEY_EX1', 'Type': 'SecureString', 'Value': 'password', 'Version': 1, 'LastModifiedDate': datetime.datetime(2022, 5, 14, 8, 1, 24, 799000, tzinfo=tzlocal()), 'ARN': 'arn:aws:ssm:::parameter/Dev/API_KEY_EX1', 'DataType': 'text'}, 'ResponseMetadata': {'RequestId': '9442d661-6e87-4c3c-a9d8-2347cdc54959', 'HTTPStatusCode': 200, 'HTTPHeaders': {'server': 'Server', 'date': 'Sat, 14 May 2022 07:16:25 GMT', 'content-type': 'application/x-amz-json-1.1', 'content-length': '217', 'connection': 'keep-alive', 'x-amzn-requestid': '9442d661-6e87-4c3c-a9d8-2347cdc54959'}, 'RetryAttempts': 0}}
Secrets Manager has similar API operations and we can use Boto3 to create a secret using the CreateSecret API operation:
import boto3
session = boto3.session.Session(profile_name='secrets_manager')
sm_client = session.client('secretsmanager',region_name='<region>')
response = sm_client.create_secret(
Name='/Dev/API_KEY_EX1',
# ClientRequestToken='string',
Description='Example Secret Manager for Dev',
# KmsKeyId='string',
# SecretBinary=b'bytes',
SecretString='password',
# Tags=[
# {
# 'Key': 'string',
# 'Value': 'string'
# },
# ],
# AddReplicaRegions=[
# {
# 'Region': 'string',
# 'KmsKeyId': 'string'
# },
# ],
# ForceOverwriteReplicaSecret=True|False
)
print(response)
# {'ARN': 'arn:aws:secretsmanager:::secret:/Dev/API_KEY_EX1-02ArIZ', 'Name': '/Dev/API_KEY_EX1', 'VersionId': 'b4562e55-1a51-46e1-9ec0-61a909c1c650', 'ResponseMetadata': {'RequestId': '5d1de4c2-184b-4ccb-9c62-60216495f6b7', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amzn-requestid': '5d1de4c2-184b-4ccb-9c62-60216495f6b7', 'content-type': 'application/x-amz-json-1.1', 'content-length': '163', 'date': 'Sat, 14 May 2022 10:40:27 GMT'}, 'RetryAttempts': 0}}
The Name is required and either SecretString or SecretBinary must also be given a value. By using the correct JSON structure for the SecretString, credentials for specific AWS database types can be stored and, if required, automatically rotated. SecretBinary is used for storing binary data, e.g. file content and it cannot be added via the AWS Management Console. Instead, it must be added via either the CreateSecret or PutSecretValue API operation.
In this instance, we have used the same Name as with our previous Parameter Store example. The KmsKeyId was not specified, so the default KMS key (aws/secretsmanager) is used to encrypt the SecretString.
When creating a secret, you may also include a list of regions where the secret will be subsequently replicated.
From the AWS Management Console, we can see the newly created secret.
The newly created secret is visible in the AWS Management Console.
To retrieve the credential, we can use the GetSecretValue API operation and specify the name. By default Secrets Manager returns the AWSCURRENT version stage. Secrets Manager automatically creates a new version stage if the secret value is updated or rotated.
response = sm_client.get_secret_value(
SecretId='/Dev/API_KEY_EX1',
# VersionId='string',
# VersionStage='string'
)
print(response)
# {'ARN': 'arn:aws:secretsmanager:::secret:/Dev/API_KEY_EX1-02ArIZ', 'Name': '/Dev/API_KEY_EX1', 'VersionId': 'b4562e55-1a51-46e1-9ec0-61a909c1c650', 'SecretString': 'password', 'VersionStages': ['AWSCURRENT'], 'CreatedDate': datetime.datetime(2022, 5, 14, 11, 40, 27, 338000, tzinfo=tzlocal()), 'ResponseMetadata': {'RequestId': 'd10996f3-4b8b-4a7a-92f1-b8a3b83f2294', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amzn-requestid': 'd10996f3-4b8b-4a7a-92f1-b8a3b83f2294', 'content-type': 'application/x-amz-json-1.1', 'content-length': '251', 'date': 'Sat, 14 May 2022 10:51:40 GMT'}, 'RetryAttempts': 0}}
Retrieving credentials
Our previous examples showed that retrieving credentials is similar for both services. A request is made to the respective API operation, using the credential name.
Within your application an API call would be made to retrieve the required credential.
Naming conventions
In a Parameter Store name, a forward slash (/) delineates a hierarchy. This is recommended to help organize and manage parameters. All parameters within a hierarchy can be retrieved by using the GetParametersByPath API operation. For example, to retrieve all parameters stored under the /Dev/ path:
response = ssm_client.get_parameters_by_path(
Path='/Dev/',
Recursive=True, #True|False,
# ParameterFilters=[
# {
# 'Key': 'string',
# 'Option': 'string',
# 'Values': [
# 'string',
# ]
# },
# ],
# WithDecryption=True|False,
# MaxResults=123,
# NextToken='string'
)
print(response)
# {'Parameters': [{'Name': '/Dev/API_KEY_EX1', 'Type': 'SecureString', 'Value': 'AQICAHg0gPeXRzVifKkerKqSFvSlcqnGFRgCYMpv6mWGzmrQegFVqWm32yxnJOcOn9opokrqAAAAZjBkBgkqhkiG9w0BBwagVzBVAgEAMFAGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMJGqEzMxSKA2SwO2bAgEQgCMbCmxDpCQjA9s+V2ZfNQbjeN5Ul0TY2BNu/QxcAhneo7LBWQ==', 'Version': 1, 'LastModifiedDate': datetime.datetime(2022, 5, 14, 8, 1, 24, 799000, tzinfo=tzlocal()), 'ARN': 'arn:aws:ssm:::parameter/Dev/API_KEY_EX1', 'DataType': 'text'}], 'ResponseMetadata': {'RequestId': '648a9726-851d-4063-9d37-4c8f7235c50d', 'HTTPStatusCode': 200, 'HTTPHeaders': {'server': 'Server', 'date': 'Sat, 14 May 2022 08:14:13 GMT', 'content-type': 'application/x-amz-json-1.1', 'content-length': '428', 'connection': 'keep-alive', 'x-amzn-requestid': '648a9726-851d-4063-9d37-4c8f7235c50d'}, 'RetryAttempts': 0}}
Hierarchies can also be used to restrict accessAWS Identity and Access Management (IAM) policies. Both Parameter Store and Secrets Manager support identity-based policies. These are policies that restrict access by attaching to an IAM user, group or role and reference the parameter ARN or secret ARN.
The ARN of the parameter created above is:
arn:aws:ssm:::parameter/Dev/API_KEY_EX1
An IAM policy could restrict access to all /Dev/ parameters, like this:
arn:aws:ssm:::parameter/Dev/*
For more information see the AWS guidance.
In Secrets Manager, the name can also contain a forward slash to delineate a hierarchy. The created ARN is also based on the name:
arn:aws:secretsmanager:::secret:/Dev/API_KEY_EX1-02ArIZ
However, please note that Secrets Manager automatically appends a hyphen with six characters to the ARN. Therefore, the name should not end with a hyphen followed by six characters, as this may cause issues when searching with a partial ARN.
SimilarIy, an IAM policy could also restrict access to all /Dev/ secrets, like this:
arn:aws:secretsmanager:::secret:/Dev/*
IAM policies should always follow the principle of least privilege. This ensures that the application only has access to the minimum credentials required to perform its task. It is also recommended that naming hierarchies be provided with multiple levels. This ensures that IAM policies can be created with the least privileges.
Secrets Manager also supports resource-based policies. This means that IAM policies can be attached directly to the secret, enabling multiple users or roles to access the secret. This could be used to provide AWS cross-account access to the secret. It is also the reason that Secrets Manager supports cross-account access, where Parameter Store does not.
Updating credentials
If we need to update the value of a SecureString in Parameter Store, then we specify Overwrite=True in the PutParameter API operation:
response = ssm_client.put_parameter(
Name='/Dev/API_KEY_EX1',
Value='password2',
Overwrite=True
)
This automatically increments the version number by 1. The previous value is stored as part of the history and up to 100 parameter versions can be retained in this way. Parameter labels may be attached via a separate LabelParameterVersion operation and is useful when denoting the purpose of a parameter.
response = ssm_client.get_parameter(
Name='/Dev/API_KEY_EX1',
WithDecryption=True
)
print(response)
# {'Parameter': {'Name': '/Dev/API_KEY_EX1', 'Type': 'SecureString', 'Value': 'password2', 'Version': 2, 'LastModifiedDate': datetime.datetime(2022, 5, 14, 11, 57, 49, 530000, tzinfo=tzlocal()), 'ARN': 'arn:aws:ssm:::parameter/Dev/API_KEY_EX1', 'DataType': 'text'}, 'ResponseMetadata': {'RequestId': 'ca6c29ba-7279-47a5-aa64-cc04899cd2df', 'HTTPStatusCode': 200, 'HTTPHeaders': {'server': 'Server', 'date': 'Sat, 14 May 2022 10:59:45 GMT', 'content-type': 'application/x-amz-json-1.1', 'content-length': '217', 'connection': 'keep-alive', 'x-amzn-requestid': 'ca6c29ba-7279-47a5-aa64-cc04899cd2df'}, 'RetryAttempts': 0}}
If a parameter is updated a new version is created and 100 versions can be retained in the history.
In Secrets Manager, a secret can be updated via the PutSecretValue API operation.
response = sm_client.put_secret_value(
SecretId='/Dev/API_KEY_EX1',
# ClientRequestToken='string',
# SecretBinary=b'bytes',
SecretString='password2',
# VersionStages=[
# 'string',
# ]
)
print(response)
# {'ARN': 'arn:aws:secretsmanager:::secret:/Dev/API_KEY_EX1-02ArIZ', 'Name': '/Dev/API_KEY_EX1', 'VersionId': '0c5a5eb8-c82e-42da-99c9-8f4589f52f2c', 'VersionStages': ['AWSCURRENT'], 'ResponseMetadata': {'RequestId': '8f3d9282-e144-4154-9cbf-9e60046a65da', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amzn-requestid': '8f3d9282-e144-4154-9cbf-9e60046a65da', 'content-type': 'application/x-amz-json-1.1', 'content-length': '194', 'date': 'Sat, 14 May 2022 11:46:23 GMT'}, 'RetryAttempts': 0}}
In this example, the VersionStages option was omitted, so Secrets Manager automatically moves the AWSCURRENT staging label to the new version and the AWSPREVIOUS staging label is applied to the old version.
response = sm_client.list_secret_version_ids(
SecretId='/Dev/API_KEY_EX1',
# MaxResults=123,
# NextToken='string',
# IncludeDeprecated=True|False
)
print(response)
# {'Versions': [{'VersionId': '0c5a5eb8-c82e-42da-99c9-8f4589f52f2c', 'VersionStages': ['AWSCURRENT'], 'CreatedDate': datetime.datetime(2022, 5, 14, 12, 46, 23, 343000, tzinfo=tzlocal())}, {'VersionId': 'b4562e55-1a51-46e1-9ec0-61a909c1c650', 'VersionStages': ['AWSPREVIOUS'], 'LastAccessedDate': datetime.datetime(2022, 5, 14, 1, 0, tzinfo=tzlocal()), 'CreatedDate': datetime.datetime(2022, 5, 14, 11, 40, 27, 338000, tzinfo=tzlocal())}], 'ARN': 'arn:aws:secretsmanager:::secret:/Dev/API_KEY_EX1-02ArIZ', 'Name': '/Dev/API_KEY_EX1', 'ResponseMetadata': {'RequestId': 'e8607310-22de-4c31-94a3-a83e47607916', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amzn-requestid': 'e8607310-22de-4c31-94a3-a83e47607916', 'content-type': 'application/x-amz-json-1.1', 'content-length': '461', 'date': 'Sat, 14 May 2022 11:49:05 GMT'}, 'RetryAttempts': 0}}
Finding credentials
There are two ways to find credentials in Parameter Store: DescribeParameters and GetParametersByPath. For more advanced usage, see the AWS guidance.
response = ssm.describe_parameters(
ParameterFilters=[
{
'Key': 'Name',
'Option': 'BeginsWith',
'Values': [
'/Dev',
]
},
],
# MaxResults=123,
# NextToken='string'
)
print(response)
# {'Parameters': [{'Name': '/Dev/API_KEY_EX1', 'Type': 'SecureString', 'KeyId': 'alias/aws/ssm', 'LastModifiedDate': datetime.datetime(2022, 5, 14, 8, 1, 24, 799000, tzinfo=tzlocal()), 'LastModifiedUser': 'arn:aws:iam:::user/parameter-store', 'Description': 'Example SecureString Parameter for Dev', 'Version': 1, 'Tier': 'Standard', 'Policies': [], 'DataType': 'text'}], 'ResponseMetadata': {'RequestId': 'd9ebb009-c8b4-47f4-8b51-fd41e8f95e0f', 'HTTPStatusCode': 200, 'HTTPHeaders': {'server': 'Server', 'date': 'Sat, 14 May 2022 08:09:30 GMT', 'content-type': 'application/x-amz-json-1.1', 'content-length': '311', 'connection': 'keep-alive', 'x-amzn-requestid': 'd9ebb009-c8b4-47f4-8b51-fd41e8f95e0f'}, 'RetryAttempts': 0}}
From Secrets Manager we can find secrets by using the ListSecrets API operation. Again, for more advanced usage, see the AWS guidance.
response = sm_client.list_secrets(
# MaxResults=123,
# NextToken='string',
Filters=[
{
'Key': 'name', # 'description'|'name'|'tag-key'|'tag-value'|'primary-region'|'all',
'Values': [
'/Dev',
]
},
],
# SortOrder='asc'|'desc'
)
print(response)
# {'ARN': 'arn:aws:secretsmanager:::secret:/Dev/API_KEY_EX1-02ArIZ', 'Name': '/Dev/API_KEY_EX1', 'VersionId': 'b4562e55-1a51-46e1-9ec0-61a909c1c650', 'ResponseMetadata': {'RequestId': '5d1de4c2-184b-4ccb-9c62-60216495f6b7', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amzn-requestid': '5d1de4c2-184b-4ccb-9c62-60216495f6b7', 'content-type': 'application/x-amz-json-1.1', 'content-length': '163', 'date': 'Sat, 14 May 2022 10:40:27 GMT'}, 'RetryAttempts': 0}}
Deleting credentials
With Parameter Store, the DeleteParameter or DeleteParameters API operations can be used to delete credentials. For Secrets Manager the DeleteSecret API operation can be used.
With Secrets Manager, a recovery window can be specified during deletion and this is set to 30 days by default. A secret can be restored at any time before the recovery window ends. Parameter Store does not provide a recovery window.
API quotas
Both services have API rate limits, but the default throughput per second is lower for Parameter Store. If your applications are hitting the throughput limits, you should review your API usage. This AWS blog article describes how to make use of a caching strategy when retrieving credentials.
When accessing Secrets Manager from a different AWS account, the throttle is applied against the requesting AWS account, and not the account that hosts the credentials.
Pricing
It’s possible to use Parameter Store for free by using the Standard tier. Secrets Manager does not have a free option beyond its 30-day trial period.
Parameter Store standard parameters can be upgraded to the Advanced tier, but cannot be reverted. The Advanced tier incurs additional costs. The Intelligent-Tiering option uses the Standard tier unless Advanced tier options are specified.
Storage costs
The storage costs for Secrets Manager are higher than for the Parameter Store advanced tier. However, you can store 64 KB vs 8 KB (8 times more) per secret, which explains the $0.40 vs $0.05 per month price difference.
API operations
The API call costs are equivalent per 10,000 calls. When comparing the two services and estimating API costs, it is important to consider the expected API calls required to achieve your workflow.
Storage Limits
The maximum number of credentials that can be stored in Secrets Manager is 500,000, significantly greater than the 100,000 possible with Parameter Store Advanced tier. However, this 2021 Help Net Security article states that:
“65% of IT and DevOps employees estimate their company has more than 500 secrets – and 18% say they have more than they can count”.
So these limits are unlikely to trouble even the largest organization.
Monitoring
Both services can integrate with AWS CloudTrail and Amazon CloudWatch. This makes it possible to monitor which credentials are being used by which application. AWS CloudTrail integration can also be used to see which API calls are being made to the services. With Secrets Manager, AWS provides a guide on monitoring secrets scheduled for deletion, which highlights the benefits of centralizing your credentials.
Tagging
Both services support tagging and the general guidance regarding tagging of AWS resources applies. The basic difference between tags and labels is that tags do not apply to a specific version, whereas labels do. Tagging is often used within AWS to provide oversight from a billing perspective.
VPC Endpoint
Both services can be accessed via VPC endpoints. VPC endpoints enable access to Parameter Store or Secrets Manager APIs via private IP addresses, rather than via public endpoints. However, this leads to hourly usage and data processing charges being levied against the VPC interface endpoint.
Disaster Recovery
Secrets Manager has a default recovery period of 30 days for deleted credentials. Parameter Store does not provide recovery for accidentally deleted credentials.
Secrets Manager allows you to replicate credentials to a different AWS region, acting as an effective backup.
CloudFormation
Both services integrate with AWS CloudFormation. However, in the context of credentials management, you can only create and generate a secret value with Secrets Manager. AWS CloudFormation does not support creating a Parameter Store SecureString.
Recommendations
Centralizing secrets – use case one
If your answers to our introductory questions indicated that your credentials are currently stored in configuration files, then moving to either Parameter Store or Secrets Manager would be highly recommended. The most significant learning curve is likely to come from establishing hierarchical naming conventions that help you manage your secrets. Integrating the SDKs into your applications, particularly establishing AWS IAM policies, is also likely to be complex. By using the Parameter Store Standard tier with SecureStrings, you can improve your credentials management practices for free!
AWS also provides a way to reference a Secrets Manager secret with Parameter Store. This means that you can retrieve secrets by using the Parameter Store APIs, which should simplify the code used for retrieving secrets, by allowing you to standardize on one API.
Multiple AWS accounts – use case two
Resource-based policies are supported for Secrets Manager, but not for Parameter Store. This means that cross-account access to credentials is supported with Secrets Manager. This is achieved by attaching a policy to a secret that then grants access via an IAM entity in a different AWS account. This makes Secret Manager preferable for centralizing secrets into one AWS account.
Integrated AWS Services – Use case three
If you are using Amazon RDS, Amazon DocumentDB or Amazon Redshift, then Secrets Manager provides rotation templates to programmatically rotate secrets via AWS Lambda. AWS provides a full list of AWS services that use Secrets Manager.
Credential rotation required – use case four
If your organization has existing policies that require secret rotation, then Secrets Manager supports automatic rotation. It’s actually possible to use Parameter Store policies alongside AmazonEventBridge to rotate parameters. But given that this requires the Advanced tier, it’s recommended to just use Secrets Manager, following the relevant AWS guidance.
Applications outside of AWS – use case five
Both services have integration SDKs that support multiple programming languages. Applications running outside of AWS though, will need to use credentials to make API calls to retrieve further credentials. This requires care, and in general these services are best used by applications running within AWS. When doing so, access to Parameter Store or Secrets Manager can be granted via IAM policies. For further information on accessing Parameter Store on-premise (via aws-vault), please see this AWS blog post.
|
Platform
|
Provisioning Automation |
Security Management |
Cost Management |
Regulatory Compliance |
Powered by Artificial Intelligence |
Native Hybrid Cloud Support
|
|---|---|---|---|---|---|---|
|
AWS Native Tools |
✔
|
✔
|
✔
|
|||
|
CoreStack
|
✔
|
✔
|
✔
|
✔
|
✔
|
✔
|
Conclusion
During this article we compared Parameter Store and Secrets Manager for use as potential credential-management solutions. Both services can certainly help you conduct better credential management, particularly when using hierarchical naming conventions. Both tools provide monitoring features that can track which credentials are being used by which applications.
If cost is your main focus though, starting with the Parameter Store Standard tier is a good bet. Conversely, if meeting your compliance requirements is key, then Secrets Manager is probably the better option. This is because it provides automated credential rotation, recovery periods for deleted credentials and can replicate credentials to different AWS regions. Further, Secrets Manager is the only solution that was designed explicitly to manage credentials. It is therefore more likely to receive updates from AWS that improve and expand this capability specifically.
Similarly, we also need to remember that Parameter Store is intended for the management of configuration data and not just credentials. As a final word of advice, if you choose to use Parameter Store and you need to store sensitive data, make sure to use the SecureString value type!