AWS Parameter Store vs. AWS Secrets Manager

AWS provides two managed services to help with storing parameters and secrets used by applications. Security best practices are adhered to when making use of both services:

Secrets Manager

It was designed specifically for confidential information (like database credentials, API keys) that needs to be encrypted, so the creation of a secret entry has encryption enabled by default. It also gives additional functionality like rotation of keys.

Parameter Store

It was designed to cater to a wider use case, not just secrets or passwords, but also application configuration variables like URLs, Custom settings, AMI IDs, License keys, etc.

Use Secrets Manager to store confidential secrets like database credentials, API keys, OAuth tokens. Use Parameter Store to store other application settings, environmental config data, License codes, etc.

Key Differences

  • There is no additional Cost for using Parameter Store. However, there are limit of 10,000 parameters per account. On the other hand, AWS Secrets Manager does accrue additional costs. At the time of this writing, it costs $0.40 per secret stored and additional $0.05 for 10,000 API calls.
  • Cross-account Access is only supported on Secrets Manager, this is useful if secrets are centrally managed from another AWS account or beneficial for use cases where a customer needs to share a particular secret with a partner.
  • Another unique feature for Secrets Manager is the fact that Secrets Rotation is available at any given time. We need to write custom functions for the feature to work with Parameter Store.


Always store secrets in Secrets Manager or Parameter Store instead of storing them in a config file or hard-coded in applications.