The Secrets Management Confusion
AWS offers three different services for managing secrets and configuration:
- AWS Secrets Manager - $0.40/secret/month
- AWS Systems Manager Parameter Store - Free (standard) or $0.05/parameter/month (advanced)
- AWS AppConfig - Pay per deployment
Most teams ask: "Which one should I use?" The answer: It depends on your use case. Using the wrong service costs money and adds complexity.
This guide provides clear decision criteria to help you choose the right service for each scenario.
TL;DR
AWS offers three services for secrets and configuration management, but most teams use the wrong one—wasting money on premium features they don't need. Secrets Manager costs $0.40/secret/month, Parameter Store is free (or $0.05/month advanced), AppConfig charges per deployment. Choosing correctly saves money without sacrificing security.
The Decision Framework: Need automatic rotation? → Secrets Manager. Changes frequently during runtime? → AppConfig. Static config or simple secrets? → Parameter Store. Match service to use case.
Key Takeaways:
- Secrets Manager for rotating credentials only - Database passwords, OAuth tokens, API keys with lifecycle management. Built-in rotation for RDS, DocumentDB, Redshift. $0.40/month per secret.
- Parameter Store for static configuration - Application settings, environment variables, non-rotating secrets. Standard tier FREE (4KB limit). Advanced $0.05/month (8KB, 100K params).
- AppConfig for dynamic feature flags - Configuration with gradual rollout, validation, automatic rollback. $0.08 per deployment. 1M requests/month free tier.
- Cost optimization through service selection - Optimal mix for 50 secrets/configs: 5 Secrets Manager ($2.00) + 40 Parameter Store ($0.00) + 5 AppConfig ($0.40) = $2.40/month vs $20.00 all Secrets Manager.
Core Principle: Right tool for the job—use the cheapest service meeting your security and operational requirements. Don't pay for Secrets Manager features when Parameter Store's free tier suffices.
The Three Services Explained
AWS Secrets Manager: For Sensitive Credentials
Best For:
- Database passwords
- API keys
- OAuth tokens
- Third-party service credentials
- Any secret requiring automatic rotation
Key Features:
- Automatic Rotation: Built-in Lambda functions for RDS, DocumentDB, Redshift
- Cross-Account Access: Easy sharing via resource policies
- Fine-Grained IAM: Control who reads, writes, or rotates
- Audit Trail: CloudTrail logs all access
- Encryption: KMS encryption at rest
- Versioning: Automatic version management
Pricing:
- $0.40 per secret per month
- $0.05 per 10,000 API calls
- First 30 days free for new secrets
When to use: Database credentials that need automatic rotation, API keys for third-party services, any secret where lifecycle management matters.
AWS Systems Manager Parameter Store: For Configuration Data
Best For:
- Application configuration
- Environment variables
- Feature flags (simple)
- Non-sensitive data
- Simple secrets (no rotation needed)
Key Features:
- Free Tier: Standard parameters are free
- Hierarchical: Organize with paths like
/app/prod/db/host - CloudFormation Integration: Native support for dynamic references
- Change Notifications: EventBridge integration
- Versioning: Track parameter history
Pricing:
| Tier | Cost | Limit | Use Case |
|---|---|---|---|
| Standard | FREE | 4KB, 10,000 params | Config data |
| Advanced | $0.05/param/month | 8KB, 100,000 params | Large configs |
When to use: Application settings, environment-specific configuration, connection strings, non-rotating API keys.
AWS AppConfig: For Dynamic Configuration
Best For:
- Feature flags
- Application configuration with gradual rollout
- A/B testing parameters
- Runtime configuration changes
- Configuration with validation rules
Key Features:
- Deployment Strategies: Gradual rollout, canary, all-at-once
- Validators: JSON Schema and Lambda validation
- Rollback: Automatic rollback on errors
- Real-Time: Changes without redeployment
- Feature Flags: Built-in feature flag management
Pricing:
- $0.08 per configuration deployment
- $0.000008 per configuration request (beyond free tier)
- Free tier: 1M requests/month
When to use: Feature flags, configuration that changes frequently during runtime, settings that need gradual rollout or validation.
Decision Framework
Quick Decision Tree
Ask these questions in order:
-
Does it need automatic rotation?
- YES → Secrets Manager
- NO → Continue
-
Does it change frequently during runtime?
- YES → AppConfig
- NO → Continue
-
Is it sensitive?
- YES → Secrets Manager or Parameter Store (SecureString)
- NO → Parameter Store (String)
The Principle: Right Tool for the Job
Each service has a sweet spot. Using Secrets Manager for static configuration wastes money. Using Parameter Store for rotating credentials is insecure. Match the service to the use case.
Detailed Comparison
| Scenario | Best Service | Why |
|---|---|---|
| Database password with rotation | Secrets Manager | Only service with built-in rotation |
| Static API keys | Parameter Store (SecureString) | Cost-effective, secure enough |
| Application config | Parameter Store | Free, hierarchical organization |
| Feature flags | AppConfig | Gradual rollout, validation |
| Environment variables | Parameter Store | Free, easy to manage |
| Config with rollback | AppConfig | Only service with deployment strategies |
| Cross-account secrets | Secrets Manager | Easy resource policies |
| Large configs (>4KB) | Secrets Manager or AppConfig | 64KB limit vs 4KB in Parameter Store |
Cost Comparison Example
Scenario: Store 50 application secrets/configs
| Service | Monthly Cost | Use Case |
|---|---|---|
| Secrets Manager (50 secrets) | $20.00 | All rotating credentials |
| Parameter Store Standard | $0.00 | Static config values |
| Parameter Store Advanced | $2.50 | Large configs |
| AppConfig (100 deployments) | $8.00 | Feature flags |
Optimal Mix:
- 5 Secrets Manager (databases) = $2.00
- 40 Parameter Store Standard (config) = $0.00
- 5 AppConfig (feature flags) = $0.40
- Total: $2.40/month vs. $20.00 for all Secrets Manager
The principle is cost optimization through service selection. Use the cheapest service that meets your requirements.
Implementation Patterns
Pattern 1: Database Credentials with Rotation
Architecture:
- Secrets Manager stores database credentials
- RDS instance references secret at creation
- Rotation Lambda runs on schedule (e.g., 30 days)
- Applications fetch secret at runtime with caching
Key principles:
- Automatic rotation: Credentials rotate without downtime
- Single source of truth: Secret in Secrets Manager, not in application config
- Cache with expiry: Applications cache credentials, refresh periodically
Pattern 2: Hierarchical Application Configuration
Architecture:
- Parameter Store organizes config by path:
/app/env/component/key - Applications fetch parameters by path prefix
- Different environments use different path prefixes
Example hierarchy:
/myapp/
├─ global/ (shared across environments)
├─ dev/
│ ├─ db/host
│ ├─ db/port
│ └─ api/key
└─ prod/
├─ db/host
├─ db/port
└─ api/key
Key principles:
- Convention over configuration: Consistent naming enables automation
- Environment isolation: Same paths, different prefixes
- Bulk retrieval: Get all params under a path with one API call
Pattern 3: Feature Flags with Gradual Rollout
Architecture:
- AppConfig stores feature flag configuration
- Deployment strategy controls rollout (e.g., 10% → 50% → 100%)
- Validators ensure configuration is valid before deployment
- Applications poll for changes
Key principles:
- Safe deployments: Canary rollout catches issues before full deployment
- Instant rollback: Revert to previous version if errors detected
- Percentage-based: Roll out features to subset of users
Migration Strategies
From Environment Variables to Parameter Store
Why migrate:
- Environment variables in deployment configs are hard to change
- No audit trail of who changed what
- Secrets in environment variables may be logged
Migration steps:
- Export current config: Document all environment variables
- Create naming convention: Define hierarchical structure
- Store in Parameter Store: Use SecureString for sensitive values
- Update application code: Fetch from Parameter Store instead of env vars
- Remove from deployment: Delete environment variables from configs
Key principle: Centralized configuration. Configuration in Parameter Store is versioned, audited, and changeable without redeployment.
From Parameter Store to Secrets Manager
Why migrate:
- Need automatic rotation
- Cross-account access required
- Compliance mandate for secrets management
When NOT to migrate:
- Static configuration that doesn't need rotation
- Non-sensitive data
- Cost is a concern (Secrets Manager is 10x more expensive)
Key principle: Right-size your security. Don't over-engineer if Parameter Store meets your needs.
Best Practices
1. Use Descriptive Naming Conventions
Pattern: /app/env/component/key
Good: /myapp/prod/database/host
Bad: /db_host or /prod_config
Consistent naming enables automation, discovery, and management at scale.
2. Tag Everything
Add tags to all secrets and parameters:
- Environment: production, staging, dev
- Application: Which app uses this
- CostCenter: For cost allocation
- ManagedBy: terraform, manual, etc.
Tags enable cost tracking, access control, and automation.
3. Implement Least Privilege
Principle: Applications should only read the secrets they need.
- Use resource-based conditions in IAM policies
- Restrict by secret name pattern or tag
- Explicitly deny delete and write operations for application roles
4. Enable Rotation for Critical Secrets
Principle: Assume credentials will be compromised. Rotation limits the window of exposure.
- 30-day rotation for database credentials
- 90-day rotation for API keys
- Immediate rotation after suspected compromise
5. Monitor Access
Create CloudWatch alarms for:
- Unauthorized access attempts (AccessDenied events)
- Unusual access patterns (spike in GetSecretValue calls)
- Failed rotation attempts
6. Use Caching
Principle: Balance freshness against API costs and latency.
- Cache secrets in application memory
- Refresh every 1-24 hours depending on rotation schedule
- Use SDK caching features where available
Cost Optimization
Use the Cheapest Service That Works
- Start with Parameter Store Standard (free)
- Use Secrets Manager only for rotating credentials
- Use AppConfig only for dynamic configuration
Consolidate Small Parameters
Before (3 parameters):
/app/prod/db/host
/app/prod/db/port
/app/prod/db/name
After (1 parameter):
/app/prod/db/config → {"host":"...","port":5432,"name":"..."}
Fewer parameters = lower cost (for Advanced tier) and fewer API calls.
Right-Size Retention
- Secrets Manager keeps all versions (no cost difference)
- Parameter Store keeps history automatically (no cost)
- CloudTrail logs add storage costs—archive old logs to S3 Glacier
Quick Start Checklist
For New Projects:
- Use Secrets Manager for database credentials
- Use Parameter Store for application config
- Use AppConfig for feature flags
- Implement hierarchical naming (e.g.,
/app/env/component/key) - Enable encryption for all secrets
- Set up automatic rotation for databases
- Tag all secrets and parameters
- Implement least-privilege IAM policies
- Enable CloudTrail logging
- Set up monitoring and alerts
Get Expert Help
Choosing the right secrets management strategy is critical for security, compliance, and cost optimization. At ZSoftly, we help businesses implement secure, scalable secrets management.
Our Services:
- Architecture design for secrets management
- Migration from legacy systems to AWS
- Automation of secret rotation
- Compliance implementation (SOC 2, ISO 27001)
- Team training and best practices
Ready to secure your secrets?
- Email: info@zsoftly.com
- Phone: +1 (343) 503-0513
- Website: zsoftly.com
Next in series: "Building a Secure Cloud Infrastructure: The Essential AWS Security Stack"
