AWS Parameter Store vs. AWS Secrets Manager
AWS provides two managed services to help with storing parameters and secrets used by applications. Security best practices are adhered to when making use of both services:
Secrets Manager
It was designed specifically for confidential information (like database credentials, API keys) that needs to be encrypted, so the creation of a secret entry has encryption enabled by default. It also gives additional functionality like rotation of keys.
Parameter Store
It was designed to cater to a wider use case, not just secrets or passwords, but also application configuration variables like URLs, Custom settings, AMI IDs, License keys, etc.
Use Secrets Manager to store confidential secrets like database credentials, API keys, OAuth tokens. Use Parameter Store to store other application settings, environmental config data, License codes, etc.
Key Differences
- There is no additional
Costfor using Parameter Store. However, there are limit of 10,000 parameters per account. On the other hand, AWS Secrets Manager does accrue additional costs. At the time of this writing, it costs $0.40 per secret stored and additional $0.05 for 10,000 API calls. -
Cross-account Accessis only supported on Secrets Manager, this is useful if secrets are centrally managed from another AWS account or beneficial for use cases where a customer needs to share a particular secret with a partner. - Another unique feature for Secrets Manager is the fact that
Secrets Rotationis available at any given time. We need to write custom functions for the feature to work with Parameter Store.
Summary
Always store secrets in Secrets Manager or Parameter Store instead of storing them in a config file or hard-coded in applications.