Managing AWS Secrets: Secrets Manager vs. Parameter Store

Managing sensitive data like passwords, API keys, and tokens is paramount when working with cloud infrastructure. AWS offers two primary services for this: Secrets Manager and Parameter Store. While both are designed to store and retrieve sensitive data, this blog explains their distinct purposes and different features. Read through to choose the most suitable service for you from an AWS Developer Associate perspective.

AWS Secrets Manager and Parameter Store

AWS Secrets Manager and Systems Manager Parameter Store are two services offered by Amazon Web Services (AWS) that let you securely and centrally manage your confidential data. Although the two services have different features and use cases, they offer comparable functionalities. 

One of the application management tools provided by the AWS Systems Manager (SSM) service is the AWS Systems Manager Parameter Store. Alternatively, you can rotate, manage, and retrieve database credentials, API keys, and other secrets throughout the cycle using the AWS Secrets Manager.

Understanding the Differences in Features 

AWS Secrets Manager is designed specifically for managing secrets, such as database credentials, API keys, and OAuth tokens.

AWS Secrets Manager provides robust encryption and supports automatic secret rotation, while Systems Manager Parameter Store does not. AWS Secrets Manager supports cross-account access through resource permissions, whereas Systems Manager Parameter Store does not. AWS Secrets Manager is the best option for managing highly sensitive secrets with stringent security requirements. 

Parameter Store is designed for managing configuration data, including plaintext data and encrypted secrets. It’s suitable for storing configuration data like environment variables, database connection strings, and other application parameters.

Access control, Permission management, Security features, and Encryption capabilities of both services

It’s crucial to adhere to robust security practices to protect your sensitive data: AWS KMS supports encryption for both services with cross-account access for built-in services using resource permissions supported by AWS Secrets Manager. The ease of use and management for storing and retrieving secrets is also a crucial point to consider. Parameter Store is easier to set up and use than Secrets Manager but it has fewer features to help manage secrets. 

An AWS Developer Associate is responsible for an efficient secret management and having Hands-on Experience is crucial part in attaining the required practical knowledge.

Check out a Hands on Labs on Retrieving Secrets from AWS Secret Manager.

For secure management, follow the listed practices:

Integration and Deployment of AWS Secrets Manager and AWS Systems Manager Parameter Store

Both Secrets Manager and Parameter Store seamlessly integrate with numerous AWS services, making it easier to manage secrets and configuration data within your cloud infrastructure. 

• AWS Secrets Manager: 

• • AWS Lambda: Secrets Manager provides rotation functionality that lets you assign a Lambda function to it to handle rotation logic (changing the secret value as well as updating any integrations that need it). It also provides more fine-grained access controls to secrets via IAM Resource Policies, whereas with Parameter Store you can only specify access control on the role itself. Lastly, there are some cases (CDK comes to mind) where you can’t use Parameter Store to retrieve values.

However, Secrets Manager is much more expensive than Parameter Store ($1/mo per secret), where Parameter Store gives you up to 100k parameters for free.

• Amazon ECS: Use your Secrets Manager credentials to store and retrieve container images for use in ECS tasks.
• Amazon RDS: Automatically rotate database credentials for RDS instances.
• Amazon DynamoDB: Store and manage DynamoDB table access keys

• Parameter Store:

• • AWS Systems Manager: To store and retrieve configuration information for different Systems Manager features, including Automation, State Manager, and Patch Manager, use Parameter Store.
  • Amazon CloudFormation: Use CloudFormation templates’ reference to Parameter Store parameters to dynamically configure resources.
  • AWS CodePipeline: Use Parameter Store to store and retrieve CodePipeline pipeline configuration data.

Infrastructure as code (IaC), the AWS SDK, the console, and the CLI are how AWS facilitates the creation of AWS Secrets Manager and Systems Manager Parameter Store. Go to the AWS Secrets Manager service and select Store a new secret to generate secrets using the console for AWS Secrets Manager. Go to Systems Manager, select Parameter Store, and then click Create Parameter to establish Parameter Store using the console.

Cost and Pricing

AWS Secrets Manager charges $0.40 for each secret stored and $0.05 for every 10,000 API calls. The Systems Manager Parameter Store provides a free option (the Standard Tier) and charges $0.05 per 10,000 API calls for the Advanced Tier. The storage costs for AWS Secrets Manager are higher than those for the Systems Manager Parameter Store advanced tier.

Use Cases and Best practices for managing secrets

Use AWS Secrets Manager for managing sensitive secrets, such as database credentials, API keys, and OAuth tokens. 

Parameter Store is useful for managing non-sensitive configuration data, such as environment variables, database connection strings, and other general application parameters, as well as for managing a wide range of configuration data and secrets with basic security requirements.

Choosing the Right Solution

Better can be different for different people, as some would suit one better and the other would suit the other better; it only depends on the needs. While Secrets Manager and Parameter Store are excellent tools for secret management, other factors must be considered when designing your cloud infrastructure. 

It depends on the use case and constraints you’re under. A credential of any form really should be encrypted with a key that you manage. Secrets manager secrets are always encrypted and have the option of a scheduled rotation via a lambda function. Parameter store values can be encrypted but have no built-in rotation facility. Secrets Manager is $1/mo per secret, while Parameter Store (standard tier) is free.

If you’re managing an organization where teams are managing resources in their accounts, Secrets Manager makes it easier to ensure that credentials are encrypted. While Parameter Store is far cheaper, it’s also easier for teams to get it wrong. 

It works great when the downstream service can automate credential rotation, like RDS for example. But if a vendor or an enterprise service doesn’t have a mechanism to issue new credentials, a rotation lambda is useless and you’re stuck updating the secret manually.

Also, 

• If you’re managing multiple accounts or an organization where teams deploy their AWS resources, use Secrets Manager for all credentials. It’s simply less error-prone, especially for junior teams.
• If you are managing the accounts and know what you’re doing, you don’t get any advantage out of rotation, and you don’t need to share the parameter with another account, the parameter store is more cost-effective.

In many cases, you may need to use both services concurrently to successfully meet the requirements of your specific use case. 

Example case:
Parameter Store has a very low requests per second limit, This matters in a high traffic lambda environment where lambdas may get recycled frequently, and there are situations where you lose force with the parameter store RPS limit and lambdas start failing.

For a current similar task, using a secrets manager (few secrets, high read volume) and a caching layer (AWS Lambda PowerTools has a nice package for this)

Conclusion

You can efficiently manage secrets and configuration data in your AWS environment while upholding a high level of security by adhering to these best practices and carefully taking into account the above-mentioned. The best choice for you depends on the sensitivity of your data and your specific requirements. Consider your specific needs and use cases when deciding the secret management. Talk to our experts in case of queries!

• About the Author
• More from Author

About Banu Sree Gowthaman

Banu is a passionate cloud connoisseur with a knack for simplifying complex concepts. She specializes in demystifying cloud computing and digital transformation. She creates content that empowers businesses and tech enthusiasts to harness the full potential of the cloud. Her blogs feature innovative solutions in the cloud space, tutorials, and industry updates, making cloud technology accessible to all levels of expertise, from beginners to seasoned professionals.

• Managing AWS Secrets: Secrets Manager vs. Parameter Store - November 15, 2024
• FinOps Certified Practitioner FOCP Preparation Guide - November 14, 2024
• Navigate Complex Cloud Migrations with AWS CSA Pro Help - November 13, 2024
• AWS ML Workflow: Certification Best Practices - November 11, 2024
• What is Amazon ECS? - October 25, 2024
• AWS Certified AI Practitioner – New Online Course Launched - October 4, 2024
• New Syllabus Changes: GCP Professional ML Engineer Certification to Include Gen AI Solutions from October 2024 - September 13, 2024
• Preparation Guide for AWS Developer Associate Certification DVA-C02 - February 9, 2023