An Inside Look At AWS Secrets Manager vs AWS Systems Manager Parameter Store

In this article we explore the similarities and differences between AWS Secrets Manager and AWS Systems Manager Parameter store. Let's dig in!

Get started with ACG and transform your career with courses and real hands-on labs in AWS, Microsoft Azure, Google Cloud, and beyond.

Amazon Web Services introduced AWS Secrets Manager in 2018. It's a service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Using Secrets Manager, you can secure, audit, and manage secrets used to access resources in the AWS cloud, on third-party services, and on-premises.

Well, let’s take a step back to the old days of yore, just after politicians invented the internet ;-). Maybe we were developing web applications in old school ASP or any other language. And what if we had a database we wanted to connect to? No problem, let’s open up Netscape and do a search on connection strings for our database. Ah, there it is, really cool. We can plug this connection string right into our ASP code, hardcode our database credentials inline, access our database, perform a query, return a recordset and go to work on it! But of course there are always bad guys lurking around waiting for the good guys to do something stupid. And the something stupid turned out to be hardcoding your database credentials right in your code.

Hackers probably learn how to grab this information in the first week of Hacker Boot Camp. So the good guys learn from their mistakes, get a new job after being fired for the massive security breach, and learn to remove the database credentials inline from their code. They create config files and reference their secrets in the config files from their code. And this is certainly a better solution than hard coding credentials. AWS comes along and other options become available.

In AWS, developers could store their secrets in S3 and even encrypt the data at rest and in transit. As we know all too well, things move and evolve quickly in AWS. First came AWS Systems Manager Parameter Store. Parameter Store is a secured and managed key/value store, perfect for storing parameters, secrets, and configuration information. And then in April 2018 AWS announced Secrets Manager that offers similar functionality. So how do they differ and what are their similarities?

Let's start with the similarities. And there are a lot of them, which begs the question, what’s the point of having both services? And it’s probably best to reserve judgment on that, as it is a good bet that AWS will continue to evolve Secrets Manager. But for now, let’s talk about the similarities.

First, there is the encryption. Both AWS Secrets Manager and AWS Systems Manager Parameter Store use AWS KMS to encrypt values. KMS is a managed service that enables you to easily encrypt your data. AWS KMS provides a highly available key storage, management, and auditing solution for you to encrypt data within your own applications and control the encryption of stored data across AWS services.

With KMS, and with the help of IAM, you can use policies to control permissions on which IAM users and roles have permission to decrypt the value. So the ability to easily encrypt your secrets is a huge feature for both Parameter Store and Secrets Manager. With IAM alone, you can control access to your secrets. Is encryption simply an extra layer of security for your secrets? Well, it can be, but what if encryption of your secrets is a compliance requirement? Well, it comes right out of the box with either Parameter Store or Secrets Manager.

So, if you’re looking to encrypt secrets, how do you decide between the two? In this case, Parameter Store provides a bit more versatility. It has the option to store data unencrypted or to encrypt the data with a KMS key. With Secrets Manager, the secrets are stored encrypted and there's no option to store unencrypted data. So that's one use case for Parameter Store.

Another important similarity is managed key/value store services. Both services allow you to store values under a name or key. They can also both store values up to 4096 characters and your keys can have prefixes. The final similarity I’ll mention is that both of these services can interact with AWS CloudFormation. Let’s remember that CloudFormation is infrastructure as code, so storing secrets in CloudFormation Templates is just the kind of bad practice that we want to get away from by using Parameter Store or Secrets Manager.

Values are referenceable in CloudFormation templates in both Parameter Store or Secrets Manager, so you don't have to hard code your secrets! There's no excuse for hard coding such things as database passwords in your CloudFormation Templates. Your templates are code, and they should be handled with the same care, with an eye on security, as your application code. You can store your username and password in a secret and your CloudFormation template can reference that secret so you only have a pointer to the value in your template.

OK, now we need to discuss the differences between Secrets Manager and Parameter. And let’s jump right to the bottom line, Cost.

Parameter Store comes with no additional charges. There's a limit on the number of parameters you can store, and that limit is currently 10,000. AWS Secrets Manager does come with additional cost, and that cost is currently $0.40 per secret stored. Also, there's an additional $0.05 per every 10,000 API calls. We’re talking cents here and it doesn’t sound like much, but as you would expect, these cents can add up for a large organization and should be considered if you are storing large amounts of secrets.

Where AWS Secrets Manager begins to win the day is the ability to automatically rotate secrets. Out of the box, AWS Secrets Manager provides full key rotation integration with Amazon RDS. What does this mean for you? Well, Secrets Manager can rotate keys and actually apply the new key/password in RDS for you. We all know we should rotate our keys, but do we actually do it? Secrets Manager makes it very simple to automate this process.

What about key rotation for services other than RDS? We can use another valuable tool in the toolbox: AWS Lambda! You can use Lambda to write a function to rotate your keys, and this is integrated directly in the Secrets Manager console.

Another huge difference, and again, a win for Secrets Manager, is the ability to generate random secrets. You can randomly generate passwords in CloudFormation and store the password in Secrets Manager. And this is not just functionality for CloudFormation. The SDK can be used to do this in your application code. A final difference, and another win for Secrets Manager, is that secrets can be shared across accounts.

Master modern tech skills, get certified, and level up your career. Whether you’re starting out or a seasoned pro, you can learn by doing and advance your career in cloud with ACG.