AWS Secrets Manager vs Systems Manager Parameter Store

• AWS Secrets Manager helps protect secrets needed to access applications, services, and IT resources and can easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
• AWS Systems Manager Parameter Store provides secure, scalable, centralized, hierarchical storage for configuration data and secret management and can store data such as passwords, database strings, etc.

Key Differences

• Storage (Limits keep on upgrading)
  • AWS Systems Manager Parameter Store allows us to store up to
    • Standard tier – 10,000 parameters per Region, each of which can be up to 4KB
    • Advanced tier – 100,000 parameters per Region, each of which can be up to 8KB
  • AWS Secrets Manager supports up to 500,000 secrets per account per Region, each of which can be up to 64KB.
• Encryption
  • Encryption is optional for Systems Manager Parameter Store (use SecureString parameter type for encryption)
  • Encryption is mandatory for Secrets Manager and you cannot opt out. Secrets are always encrypted at rest using AWS KMS keys.
• Automated Secret Rotation
  • Systems Manager Parameter Store does not support out-of-the-box secrets rotation.
  • AWS Secrets Manager enables automatic secret rotation on a schedule, supporting native rotation for RDS, Redshift, DocumentDB, and other AWS databases.
  • NEW: Secrets Manager now supports Managed External Secrets for automatic rotation of third-party SaaS credentials (Salesforce, MongoDB Atlas, Confluent Cloud, Datadog, Snowflake) without requiring custom Lambda rotation functions.
• Cross-account Access
  • UPDATE (Feb 2024): Systems Manager Parameter Store now supports cross-account sharing of advanced parameters via AWS Resource Access Manager (RAM). Shared parameters provide read-only access to consumers. SecureString parameters require sharing the KMS key separately.
  • AWS Secrets Manager supports cross-account access through resource-based IAM policies attached directly to the secret.
• Multi-Region Replication
  • Systems Manager Parameter Store does not support automatic cross-region replication.
  • AWS Secrets Manager supports automatic multi-region replication, keeping replicas in sync with the primary secret for disaster recovery and low-latency access.
• Batch Retrieval
  • Systems Manager Parameter Store supports GetParameters to retrieve up to 10 parameters in a single call.
  • AWS Secrets Manager supports BatchGetSecretValue API to retrieve up to 20 secrets in a single call, reducing latency and API call costs.
• Cost (keeps on changing)
  • Secrets Manager is comparatively costlier than the Systems Manager Parameter Store.
  • AWS Systems Manager Parameter Store:
    • Standard tier: No additional charge (standard throughput)
    • Advanced tier: $0.05 per advanced parameter per month
    • API interactions (advanced or higher throughput): $0.05 per 10,000 API interactions
  • AWS Secrets Manager: $0.40 per secret per month, and $0.05 per 10,000 API calls.
• Infrastructure (CloudFormation)
  • Parameter Store: SecureString parameters cannot be created via AWS CloudFormation (only String and StringList types are supported).
  • Secrets Manager secrets can be fully managed via CloudFormation including rotation configuration.

New Features (2024-2026)

AWS Secrets Manager – Managed External Secrets

• Launched November 2025, Managed External Secrets is a new secret type that extends automatic rotation to third-party SaaS credentials.
• Provides first-class integration with supported partners including Salesforce, MongoDB Atlas, Confluent Cloud, Datadog, and Snowflake.
• Eliminates the need to write and maintain custom Lambda rotation functions for supported third-party services.
• Handles the complete secret lifecycle including creation, rotation, and revocation.
• Reference: AWS Documentation – Managed External Secrets

AWS Secrets Manager Agent

• Open-source agent (released July 2024) that provides localhost-based secret retrieval and in-memory caching.
• Runs as a sidecar or daemon, opening a local HTTP endpoint (localhost:2773) for secret retrieval.
• Reduces API calls to Secrets Manager and improves application availability.
• Includes SSRF protection, configurable TTL, cache size, and connection limits.
• NEW (May 2026): Supports pre-fetching secrets at startup and IAM role assumption for cross-account secret retrieval.
• Reference: AWS Documentation – Secrets Manager Agent

Parameter Store Cross-Account Sharing

• Announced February 2024, advanced parameters can now be shared across AWS accounts using AWS RAM.
• Supports sharing with specific accounts, organizational units, or entire AWS Organizations.
• Consumer accounts receive read-only access (GetParameter, GetParameters, DescribeParameters).
• SecureString parameters require the KMS key to be shared separately.
• Cross-account sharing is only available for advanced tier parameters ($0.05/parameter/month).
• Reference: AWS Documentation – Shared Parameters

AWS Workload Credentials Provider (June 2026)

• Unified lightweight client-side provider that automates deployment of ACM certificates and caching of Secrets Manager secrets.
• Works across both AWS and non-AWS workloads.
• Maintains backwards compatibility with the Secrets Manager Agent.
• Reference: AWS Announcement

AWS Certification Exam Practice Questions

• Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
• AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
• AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
• Open to further feedback, discussion and correction.

1. A company uses Amazon RDS for PostgreSQL databases for its data tier. The company must implement password rotation for the databases. Which solution meets this requirement with the LEAST operational overhead?
   1. Store the password in AWS Secrets Manager. Enable automatic rotation on the secret.
   2. Store the password in AWS Systems Manager Parameter Store. Enable automatic rotation on the parameter.
   3. Store the password in AWS Systems Manager Parameter Store. Write an AWS Lambda function that rotates the password.
   4. Store the password in AWS Key Management Service (AWS KMS). Enable automatic rotation on the customer master key (CMK).
2. A company needs to share configuration parameters across multiple AWS accounts in an organization. The parameters are non-sensitive and change infrequently. Which solution is the MOST cost-effective?
   1. Store the parameters in AWS Secrets Manager with a resource-based policy for cross-account access.
   2. Store the parameters in AWS Systems Manager Parameter Store as advanced parameters and share them using AWS Resource Access Manager (RAM).
   3. Store the parameters in an Amazon S3 bucket with cross-account access policies.
   4. Store the parameters in AWS Systems Manager Parameter Store as standard parameters and use IAM cross-account roles.
3. A company uses third-party SaaS applications and needs to manage API credentials for these services. The credentials must be automatically rotated without custom code. Which AWS service and feature should the company use?
   1. AWS Systems Manager Parameter Store with a scheduled Lambda function
   2. AWS Secrets Manager with a custom Lambda rotation function
   3. AWS Secrets Manager with Managed External Secrets
   4. AWS KMS with automatic key rotation
4. A development team wants to reduce API calls to AWS Secrets Manager from their containerized application while maintaining access to up-to-date secrets. Which approach provides the LEAST operational overhead?
   1. Implement a custom caching layer using Redis
   2. Deploy the AWS Secrets Manager Agent as a sidecar container
   3. Store secrets in environment variables at container startup
   4. Use the AWS Parameters and Secrets Lambda Extension
5. A solutions architect needs to provide cross-account access to encrypted configuration data stored in AWS Systems Manager Parameter Store. Which combination of steps is required? (Select TWO)
   1. Create the parameter as an advanced parameter and share it using AWS RAM
   2. Create a resource-based policy on the parameter
   3. Share the KMS key used to encrypt the SecureString parameter with the consuming account
   4. Create an IAM role in the consuming account with ssm:GetParameter permission
   5. Store the parameter as a standard parameter and enable cross-account access

References

• AWS Secrets Manager
• AWS Secrets Manager Features
• AWS Secrets Manager Pricing
• AWS Systems Manager Parameter Store
• AWS Systems Manager Pricing
• Parameter Store Cross-Account Sharing
• Secrets Manager Managed External Secrets
• AWS Secrets Manager Agent