Secrets — Concept (Secrets Manager vs Parameter Store)
Why this group
Apps need passwords, API keys, DB credentials, certificates. Hardcoding them in source, or passing them through environment variables or EC2 user-data, is unsafe: source and images get copied around, environment variables show up in process listings and crash dumps, and user-data is readable by any process on the instance through the instance metadata service. AWS provides two services for holding them:
- AWS Secrets Manager — purpose-built secret store with rotation.
- AWS Systems Manager Parameter Store — general-purpose config & parameter store; can also hold secrets.
Comparison
| Feature | Secrets Manager | Parameter Store |
|---|---|---|
| Encryption | KMS, always | Optional: SecureString parameters use KMS; String / StringList are stored in plaintext |
| Rotation | Built-in automatic rotation (RDS, Aurora, Redshift, DocumentDB) via Lambda | None built-in (DIY) |
| Versioning | Yes, via staging labels (AWSCURRENT, AWSPENDING, AWSPREVIOUS) | Yes (numeric versions) |
| Resource policies | Yes (resource-based access policy on the secret) | No resource-based access policy; the advanced-tier "parameter policies" only cover expiration and change notifications |
| Cross-account | Yes via resource policy (plus a customer-managed KMS key shared with the other account) | Limited |
| Cost | ~$0.40 / secret / month + $0.05 / 10k API calls | Standard tier free; advanced ~$0.05 / parameter / month (plus API charges at higher throughput) |
| Size | Up to 64 KB | Standard: 4 KB / Advanced: 8 KB |
| Use | Real secrets (DB creds, API keys) that need rotation or cross-account sharing | Mostly non-secret config (env names, feature flags, AMI IDs); SecureString for low-volume secrets that do not need rotation |
Secrets Manager features
- Automatic rotation via a Lambda function that Secrets Manager invokes in four steps (createSecret, setSecret, testSecret, finishSecret); managed templates exist for the RDS family.
- Cross-region replication for DR (multi-region secrets).
- Tight integration with RDS / Aurora / Redshift / DocumentDB / DMS.
- IAM + resource policies + KMS for control.
- CloudTrail logs every API call, including GetSecretValue, so reads of a secret are auditable, not only changes to it.
Parameter Store features
- Hierarchical parameter naming (/myapp/prod/db/password), so a whole subtree can be fetched with GetParametersByPath and IAM policies can scope access to a path prefix.
- Standard (free, 4 KB) and Advanced (cost, 8 KB, parameter policies for expiration and notifications).
- Native integration in CloudFormation / CDK / SSM Documents, and in Lambda through the AWS Parameters and Secrets Lambda Extension, which caches values locally.
- Can reference Secrets Manager secrets transparently (/aws/reference/secretsmanager/MySecret). This works only with GetParameter and GetParameters, not GetParametersByPath, and the caller still needs secretsmanager:GetSecretValue on the underlying secret.
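Reading a hierarchy like /myapp/prod/ at runtime means paging through GetParametersByPath (at most 10 parameters per response), asking for decryption of SecureString values, and caching the result so every request or Lambda invocation does not pay an API call. This is an added example, not the page's or AWS's code; `FakeSSM` and `FakeClock` are constructed stand-ins (assumptions) so it runs offline, while `ParameterTree` uses only the real `get_parameters_by_path` parameter names and response shape, so a boto3 `ssm` client can be passed in their place.

```python
import time


class FakeSSM:
    """Constructed stand-in for boto3's ssm client: only get_parameters_by_path, with the real
    API's paging shape (Parameters + NextToken). Real pages hold at most 10 parameters."""

    def __init__(self, params, page_size=2):
        self.params = params                 # full name -> (Type, Value)
        self.page_size = page_size
        self.calls = 0

    def get_parameters_by_path(self, Path, Recursive=False, WithDecryption=False, NextToken=None):
        self.calls += 1
        prefix = Path if Path.endswith("/") else Path + "/"
        names = sorted(n for n in self.params
                       if n.startswith(prefix) and (Recursive or "/" not in n[len(prefix):]))
        start = int(NextToken or 0)
        page = []
        for name in names[start:start + self.page_size]:
            ptype, value = self.params[name]
            if ptype == "SecureString" and not WithDecryption:
                value = "<kms-ciphertext>"   # without WithDecryption the API returns the ciphertext
            page.append({"Name": name, "Type": ptype, "Value": value})
        resp = {"Parameters": page}
        if start + self.page_size < len(names):
            resp["NextToken"] = str(start + self.page_size)
        return resp


class FakeClock:
    """Constructed clock so the cache TTL can be tested deterministically."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class ParameterTree:
    """Fetch every parameter below a path once, then serve from memory until the TTL expires."""

    def __init__(self, ssm, ttl_seconds=300, clock=time.monotonic):
        self.ssm, self.ttl, self.clock = ssm, ttl_seconds, clock
        self._cache = {}                     # (path, recursive) -> (expires_at, {relative name: value})

    def load(self, path, recursive=True):
        now = self.clock()
        hit = self._cache.get((path, recursive))
        if hit and hit[0] > now:
            return dict(hit[1])
        prefix = path if path.endswith("/") else path + "/"
        values, token = {}, None
        while True:
            # WithDecryption=True means the caller needs kms:Decrypt on the SecureString key
            kwargs = {"Path": path, "Recursive": recursive, "WithDecryption": True}
            if token:
                kwargs["NextToken"] = token
            resp = self.ssm.get_parameters_by_path(**kwargs)
            for p in resp["Parameters"]:
                values[p["Name"][len(prefix):]] = p["Value"]   # "/myapp/prod/db/host" -> "db/host"
            token = resp.get("NextToken")
            if not token:
                break
        self._cache[(path, recursive)] = (now + self.ttl, values)
        return dict(values)


# Constructed sample parameters; the staging entry shows the path filter excluding siblings.
SAMPLE_PARAMS = {
    "/myapp/prod/db/host": ("String", "db.internal"),
    "/myapp/prod/db/password": ("SecureString", "s3cr3t"),
    "/myapp/prod/feature/new_ui": ("String", "true"),
    "/myapp/staging/db/host": ("String", "staging.internal"),
}

if __name__ == "__main__":
    tree = ParameterTree(FakeSSM(SAMPLE_PARAMS), ttl_seconds=60)
    print(tree.load("/myapp/prod"))
```

The cache is per process; in Lambda that means per warm container, which is the same trade-off the AWS Parameters and Secrets Lambda Extension makes. Pick the TTL with the table's API pricing and throttling limits in mind rather than re-reading on every invocation.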
Common use patterns
- DB credentials with auto-rotation → Secrets Manager.
- Feature flags / non-secret config → Parameter Store (Standard).
- Public AMI IDs in CloudFormation → Parameter Store (free, cacheable).
- Cross-account API key sharing → Secrets Manager + resource policy. The secret must be encrypted with a customer-managed KMS key whose key policy also grants the other account; the default aws/secretsmanager key cannot be used across accounts.
When to use vs alternatives
| Need | Use |
|---|---|
| Auto-rotate DB password | Secrets Manager |
| Free, simple config | Parameter Store |
| Hold a TLS cert | ACM when AWS services (ELB, CloudFront, API Gateway) terminate TLS; Secrets Manager when the application itself needs the key material |
| Encryption keys | KMS |
| Large opaque blobs | S3 (with KMS) |
Common exam scenarios
- "Auto-rotate RDS MySQL password every 30 days" → Secrets Manager with rotation Lambda.
- "Store DB endpoint and AMI ID for templates, free" → Parameter Store (Standard).
- "Share an API key with another account" → Secrets Manager with resource policy.
- "Multi-region active-active secret" → Secrets Manager replication.
- "Old workload uses env vars containing passwords" → migrate to Secrets Manager, fetched at runtime with an IAM role rather than stored credentials.
Exam tip
- Rotation needed → Secrets Manager.
- Free + non-secret config → Parameter Store.
- Both can be encrypted with KMS (Parameter Store only for SecureString) and audited via CloudTrail.