Fatskills
Practice. Master. Repeat.
Study Guide: TECH **AWS Secrets Manager vs Parameter Store: Zero-Fluff, Hands-On Guide**
Source: https://www.fatskills.com/aws-certified-solutions-architect-associate/chapter/tech-aws-secrets-manager-vs-parameter-store-zero-fluff-hands-on-guide

TECH **AWS Secrets Manager vs Parameter Store: Zero-Fluff, Hands-On Guide**

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~9 min read

AWS Secrets Manager vs Parameter Store: Zero-Fluff, Hands-On Guide

(For AWS Solutions Architect – Associate & Real-World Cloud Engineers)


1. What This Is & Why It Matters

You’re a cloud engineer at a fintech startup. Your team just migrated a monolithic app to AWS, and the database credentials are hardcoded in a config.py file. Your CISO flags this as a critical security risk—if the repo leaks, attackers get the keys to your production database. Worse, rotating credentials means manually updating every service that uses them.

This is where AWS Secrets Manager and Parameter Store come in.
Both services let you store, retrieve, and rotate secrets (passwords, API keys, DB credentials) securely, but they’re not interchangeable. Picking the wrong one can: - Break your app (if you need automatic rotation but use Parameter Store).
- Blow your budget (Secrets Manager costs 10x more for the same secret).
- Fail compliance audits (if you need encryption with customer-managed KMS keys but use the wrong service).

Real-world scenario:
You’re deploying a serverless app with Lambda, RDS, and API Gateway. You need: 1. Database credentials (rotated every 30 days).
2. API keys (static, used by multiple services).
3. Environment variables (like STAGE=prod).

Which service do you use for each? This guide will answer that—and show you how to implement it.


2. Core Concepts & Components


? AWS Secrets Manager

  • Definition: A managed service for storing, rotating, and retrieving secrets (credentials, API keys, certificates) with automatic rotation and fine-grained access control.
  • Production insight:
  • If you must rotate secrets automatically (e.g., RDS passwords), Secrets Manager is your only option.
  • If you don’t need rotation, you’re paying $0.40/secret/month for a feature you don’t use (Parameter Store is free for standard parameters).

? AWS Systems Manager Parameter Store (SSM Parameter Store)

  • Definition: A hierarchical key-value store for configuration data (environment variables, DB endpoints) and secrets (with optional encryption).
  • Production insight:
  • Free for standard parameters (up to 10,000 parameters).
  • Advanced parameters (with encryption, versioning, or >4KB size) cost $0.05/parameter/month.
  • No built-in rotation—you must handle it manually or via Lambda.

? Key Differences (Cheat Sheet)

Feature Secrets Manager Parameter Store (Standard) Parameter Store (Advanced)
Cost $0.40/secret/month Free (up to 10,000 params) $0.05/parameter/month
Max size 64KB 4KB 8KB
Encryption Always (KMS) Optional (KMS) Always (KMS)
Automatic rotation ✅ Yes (via Lambda) ❌ No ❌ No
Versioning ✅ Yes ✅ Yes ✅ Yes
IAM policies Fine-grained (per secret) Fine-grained (per parameter) Fine-grained (per parameter)
Cross-account access ✅ Yes ✅ Yes ✅ Yes
Use case DB credentials, API keys Configs, env vars, static secrets Large configs, encrypted secrets

When to use which?
- Use Secrets Manager if:
- You need automatic rotation (e.g., RDS, Redshift, or third-party API keys).
- You need audit logs for secret access (CloudTrail).
- You’re PCI-DSS or HIPAA compliant (Secrets Manager is pre-approved).
- Use Parameter Store if:
- You need free/cheap storage for configs (e.g., DB_HOST=prod-db.example.com).
- You’re storing non-sensitive data (e.g., feature flags, environment variables).
- You need hierarchical paths (e.g., /prod/app/db-url).


3. Step-by-Step Hands-On: Storing & Retrieving Secrets


Prerequisites

✅ AWS account with admin IAM permissions (or at least secretsmanager:* and ssm:*).
✅ AWS CLI installed (aws --version).
✅ A test secret (e.g., DB_PASSWORD=SuperSecret123!).


Task 1: Store a Database Password in Secrets Manager

Goal: Securely store an RDS password and enable automatic rotation.


Step 1: Create a Secret

aws secretsmanager create-secret \
  --name "prod/rds/master-password" \
  --description "Master password for prod RDS instance" \
  --secret-string '{"username":"admin","password":"SuperSecret123!"}' \
  --kms-key-id "alias/aws/secretsmanager"  # Use default KMS key

Expected output:


{
  "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/rds/master-password-abc123",
  "Name": "prod/rds/master-password",
  "VersionId": "abc123-456-def-789"
}

Step 2: Enable Automatic Rotation (30 Days)

aws secretsmanager rotate-secret \
  --secret-id "prod/rds/master-password" \
  --rotation-lambda-arn "arn:aws:lambda:us-east-1:123456789012:function:SecretsManagerRotation" \
  --rotation-rules "{\"AutomaticallyAfterDays\": 30}"

⚠️ Note:
- You must have a Lambda function for rotation (AWS provides a template).
- For RDS, AWS has a pre-built rotation Lambda (search for AWSSecretsManagerRDSMySQLRotationSingleUser in Lambda).


Step 3: Retrieve the Secret in a Lambda Function (Python)

import boto3
import json

def lambda_handler(event, context):
client = boto3.client('secretsmanager')
response = client.get_secret_value(SecretId='prod/rds/master-password')
secret = json.loads(response['SecretString'])
db_user = secret['username']
db_pass = secret['password']
print(f"Connecting to DB with user: {db_user}")
# Use db_pass to connect to RDS
return {"status": "success"}

Expected output:


{"status": "success"}


Task 2: Store an API Key in Parameter Store

Goal: Store a static API key (no rotation needed) in Parameter Store.


Step 1: Store a Secure String (Encrypted)

aws ssm put-parameter \
  --name "/prod/api/stripe-key" \
  --value "sk_test_51ABC123..." \
  --type "SecureString" \
  --key-id "alias/aws/ssm"  # Use default KMS key

Expected output:


{
  "Version": 1,
  "Tier": "Standard"
}

Step 2: Retrieve the Parameter in a Lambda Function (Python)

import boto3

def lambda_handler(event, context):
client = boto3.client('ssm')
response = client.get_parameter(
Name='/prod/api/stripe-key',
WithDecryption=True
)
api_key = response['Parameter']['Value']
print(f"Using Stripe API key: {api_key[:5]}...") # Don't log full key!
return {"status": "success"}

Expected output:


{"status": "success"}


Task 3: Compare Costs (Secrets Manager vs Parameter Store)

Goal: Estimate monthly costs for 100 secrets.


Service Cost per Secret Total for 100 Secrets
Secrets Manager $0.40 $40/month
Parameter Store (Std) Free $0/month
Parameter Store (Adv) $0.05 $5/month

Production insight:
- If you don’t need rotation, Parameter Store (Standard) is free.
- If you need rotation, Secrets Manager is mandatory (but costs more).


4. ? Production-Ready Best Practices


Security

Least privilege IAM policies:
- Never use secretsmanager:* or ssm:* in production.
- Example policy for Lambda:
json {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"ssm:GetParameter"
],
"Resource": [
"arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/*",
"arn:aws:ssm:us-east-1:123456789012:parameter/prod/*"
]
}
] }

Enable CloudTrail logging for secret access:


aws cloudtrail create-trail --name SecretsAudit --s3-bucket-name my-audit-logs

Use customer-managed KMS keys (not AWS-managed) for compliance:


aws kms create-key --description "Key for Secrets Manager"

Cost Optimization

Use Parameter Store for static configs (free tier).
Use Secrets Manager only for rotating secrets (e.g., RDS, API keys).
Delete unused secrets (Secrets Manager charges per secret, even if unused).

Reliability & Maintainability

Use hierarchical naming (e.g., /prod/app/db-url, /dev/app/db-url).
Tag secrets for cost allocation:


aws secretsmanager tag-resource \
  --secret-id "prod/rds/master-password" \
  --tags Key=Environment,Value=Production Key=Team,Value=Backend

Enable versioning (both services support it).

Observability

Monitor secret access with CloudWatch:


aws logs put-metric-filter \
  --log-group-name "/aws/secretsmanager" \
  --filter-name "SecretAccess" \
  --filter-pattern "{ $.eventName = \"GetSecretValue\" }" \
  --metric-transformations metricName=SecretAccess,metricNamespace=Secrets,metricValue=1

Set up alerts for failed rotations (Secrets Manager).


5. ⚠️ Common Mistakes & Traps

Mistake Symptom Fix/Prevention
Storing rotating secrets in Parameter Store Manual rotation fails, compliance audit fails. Use Secrets Manager for rotating secrets.
Using String instead of SecureString in Parameter Store Secrets are stored in plaintext (visible in console). Always use SecureString for secrets.
Not restricting IAM policies Over-permissive access leads to data breaches. Use least privilege (e.g., secretsmanager:GetSecretValue only).
Forgetting to enable KMS encryption Secrets are encrypted with AWS-managed keys (not compliant). Use customer-managed KMS keys.
Not testing rotation Lambda Rotation fails silently, secrets expire. Test rotation in staging before production.


6. ? Exam/Certification Focus (AWS SAA)


Typical Question Patterns

  1. "Which service supports automatic rotation?"
  2. Secrets Manager (Parameter Store does not).
  3. ❌ Parameter Store (even Advanced).

  4. "You need to store a 5KB API key. Which service should you use?"

  5. Secrets Manager (supports up to 64KB).
  6. ❌ Parameter Store (max 4KB for Standard, 8KB for Advanced).

  7. "You need to store 1,000 environment variables for free. Which service?"

  8. Parameter Store (Standard) (free up to 10,000 parameters).
  9. ❌ Secrets Manager ($0.40/secret/month).

  10. "Which service is PCI-DSS compliant by default?"

  11. Secrets Manager (Parameter Store requires extra config).

Key ⚠️ Trap Distinctions

Feature Secrets Manager Parameter Store
Rotation ✅ Built-in ❌ Manual
Cost Expensive ($0.40/secret) Free (Standard) / Cheap (Advanced)
Max Size 64KB 4KB (Standard) / 8KB (Advanced)
Compliance PCI-DSS, HIPAA Requires extra config


7. ? Hands-On Challenge (With Solution)


Challenge

You’re deploying a Lambda function that needs: 1. A database password (rotated every 30 days).
2. A Stripe API key (static, no rotation).
3. An environment variable (STAGE=prod).

Which AWS service should you use for each, and how would you retrieve them in Python?

Solution

import boto3
import os

def lambda_handler(event, context):
# 1. Database password (Secrets Manager - rotation needed)
secrets_client = boto3.client('secretsmanager')
db_secret = secrets_client.get_secret_value(SecretId='prod/rds/master-password')
db_creds = json.loads(db_secret['SecretString'])
# 2. Stripe API key (Parameter Store - static)
ssm_client = boto3.client('ssm')
stripe_key = ssm_client.get_parameter(
Name='/prod/api/stripe-key',
WithDecryption=True
)['Parameter']['Value']
# 3. Environment variable (Lambda env vars - simplest)
stage = os.environ['STAGE']
return {
"db_user": db_creds['username'],
"stripe_key_prefix": stripe_key[:5], # Don't log full key!
"stage": stage
}

Why this works:
- Secrets Manager for the rotating DB password (compliance + automation).
- Parameter Store for the static Stripe key (cheaper, no rotation needed).
- Lambda env vars for non-sensitive configs (simplest option).


8. ? Rapid-Reference Crib Sheet


Secrets Manager

# Create a secret
aws secretsmanager create-secret --name "prod/db/password" --secret-string '{"username":"admin","password":"..."}'

# Rotate a secret (30 days)
aws secretsmanager rotate-secret --secret-id "prod/db/password" --rotation-lambda-arn "arn:aws:lambda:..." --rotation-rules '{"AutomaticallyAfterDays": 30}'

# Retrieve a secret (CLI)
aws secretsmanager get-secret-value --secret-id "prod/db/password"

# Retrieve a secret (Python)
import boto3
client = boto3.client('secretsmanager')
secret = client.get_secret_value(SecretId='prod/db/password')

Parameter Store

# Store a secure parameter
aws ssm put-parameter --name "/prod/api/key" --value "sk_test_..." --type "SecureString"

# Retrieve a parameter (CLI)
aws ssm get-parameter --name "/prod/api/key" --with-decryption

# Retrieve a parameter (Python)
import boto3
client = boto3.client('ssm')
param = client.get_parameter(Name='/prod/api/key', WithDecryption=True)

Key Defaults & Traps

⚠️ Secrets Manager costs $0.40/secret/month (even if unused).
⚠️ Parameter Store (Standard) has a 4KB size limit.
⚠️ Rotation Lambda must be in the same region as the secret.
⚠️ KMS encryption is mandatory for Secrets Manager (optional for Parameter Store).


9. ? Where to Go Next

  1. AWS Secrets Manager User Guide (Official docs)
  2. AWS Parameter Store User Guide (Official docs)
  3. Secrets Manager Rotation Lambda Templates (GitHub)
  4. AWS Well-Architected Framework: Secrets Management (Best practices)

Final Takeaway

  • Use Secrets Manager when you need rotation (RDS, API keys) or compliance (PCI-DSS, HIPAA).
  • Use Parameter Store when you don’t need rotation (static configs, env vars) or want to save costs.
  • Never hardcode secrets—always use IAM policies + KMS encryption.

Now go delete those hardcoded passwords from your config.py files! ?



ADVERTISEMENT