Secrets Manager vs Parameter Store – Comparison

AWS Secrets Manager vs Systems Parameter Store

AWS Secrets Manager vs Systems Manager Parameter Store

🆕 Major Updates (2024-2026)

  • Parameter Store Cross-Account Sharing (Feb 2024): Parameter Store now supports cross-account sharing via AWS Resource Access Manager (RAM) for advanced parameters.
  • Secrets Manager – Managed External Secrets (Nov 2025): New secret type enabling automatic rotation for third-party SaaS credentials (Salesforce, MongoDB Atlas, Confluent Cloud, Datadog, Snowflake).
  • Secrets Manager Agent (Jul 2024): Open-source agent providing localhost-based secret caching to reduce API calls and improve availability.
  • Secrets Manager Limit Increase: Maximum secrets per account increased from 40,000 to 500,000 per Region.
  • Secrets Manager – BatchGetSecretValue API (Nov 2023): Retrieve up to 20 secrets in a single API call.
  • Secrets Manager – Cost Allocation Tags (May 2025): Tag secrets and track costs by department, team, or application in AWS Cost Explorer.
  • AWS Workload Credentials Provider (Jun 2026): Unified provider for caching secrets and deploying certificates across AWS and non-AWS workloads.

  • AWS Secrets Manager helps protect secrets needed to access applications, services, and IT resources and can easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
  • AWS Systems Manager Parameter Store provides secure, scalable, centralized, hierarchical storage for configuration data and secret management and can store data such as passwords, database strings, etc.

AWS Secrets Manager vs Systems Parameter Store

Key Differences

  • Storage (Limits keep on upgrading)
    • AWS Systems Manager Parameter Store allows us to store up to
      • Standard tier – 10,000 parameters per Region, each of which can be up to 4KB
      • Advanced tier – 100,000 parameters per Region, each of which can be up to 8KB
    • AWS Secrets Manager supports up to 500,000 secrets per account per Region, each of which can be up to 64KB.
  • Encryption
    • Encryption is optional for Systems Manager Parameter Store (use SecureString parameter type for encryption)
    • Encryption is mandatory for Secrets Manager and you cannot opt out. Secrets are always encrypted at rest using AWS KMS keys.
  • Automated Secret Rotation
    • Systems Manager Parameter Store does not support out-of-the-box secrets rotation.
    • AWS Secrets Manager enables automatic secret rotation on a schedule, supporting native rotation for RDS, Redshift, DocumentDB, and other AWS databases.
    • NEW: Secrets Manager now supports Managed External Secrets for automatic rotation of third-party SaaS credentials (Salesforce, MongoDB Atlas, Confluent Cloud, Datadog, Snowflake) without requiring custom Lambda rotation functions.
  • Cross-account Access
    • UPDATE (Feb 2024): Systems Manager Parameter Store now supports cross-account sharing of advanced parameters via AWS Resource Access Manager (RAM). Shared parameters provide read-only access to consumers. SecureString parameters require sharing the KMS key separately.
    • AWS Secrets Manager supports cross-account access through resource-based IAM policies attached directly to the secret.
  • Multi-Region Replication
    • Systems Manager Parameter Store does not support automatic cross-region replication.
    • AWS Secrets Manager supports automatic multi-region replication, keeping replicas in sync with the primary secret for disaster recovery and low-latency access.
  • Batch Retrieval
    • Systems Manager Parameter Store supports GetParameters to retrieve up to 10 parameters in a single call.
    • AWS Secrets Manager supports BatchGetSecretValue API to retrieve up to 20 secrets in a single call, reducing latency and API call costs.
  • Cost (keeps on changing)
    • Secrets Manager is comparatively costlier than the Systems Manager Parameter Store.
    • AWS Systems Manager Parameter Store:
      • Standard tier: No additional charge (standard throughput)
      • Advanced tier: $0.05 per advanced parameter per month
      • API interactions (advanced or higher throughput): $0.05 per 10,000 API interactions
    • AWS Secrets Manager: $0.40 per secret per month, and $0.05 per 10,000 API calls.
  • Infrastructure (CloudFormation)
    • Parameter Store: SecureString parameters cannot be created via AWS CloudFormation (only String and StringList types are supported).
    • Secrets Manager secrets can be fully managed via CloudFormation including rotation configuration.

New Features (2024-2026)

AWS Secrets Manager – Managed External Secrets

  • Launched November 2025, Managed External Secrets is a new secret type that extends automatic rotation to third-party SaaS credentials.
  • Provides first-class integration with supported partners including Salesforce, MongoDB Atlas, Confluent Cloud, Datadog, and Snowflake.
  • Eliminates the need to write and maintain custom Lambda rotation functions for supported third-party services.
  • Handles the complete secret lifecycle including creation, rotation, and revocation.
  • Reference: AWS Documentation – Managed External Secrets

AWS Secrets Manager Agent

  • Open-source agent (released July 2024) that provides localhost-based secret retrieval and in-memory caching.
  • Runs as a sidecar or daemon, opening a local HTTP endpoint (localhost:2773) for secret retrieval.
  • Reduces API calls to Secrets Manager and improves application availability.
  • Includes SSRF protection, configurable TTL, cache size, and connection limits.
  • NEW (May 2026): Supports pre-fetching secrets at startup and IAM role assumption for cross-account secret retrieval.
  • Reference: AWS Documentation – Secrets Manager Agent

Parameter Store Cross-Account Sharing

  • Announced February 2024, advanced parameters can now be shared across AWS accounts using AWS RAM.
  • Supports sharing with specific accounts, organizational units, or entire AWS Organizations.
  • Consumer accounts receive read-only access (GetParameter, GetParameters, DescribeParameters).
  • SecureString parameters require the KMS key to be shared separately.
  • Cross-account sharing is only available for advanced tier parameters ($0.05/parameter/month).
  • Reference: AWS Documentation – Shared Parameters

AWS Workload Credentials Provider (June 2026)

  • Unified lightweight client-side provider that automates deployment of ACM certificates and caching of Secrets Manager secrets.
  • Works across both AWS and non-AWS workloads.
  • Maintains backwards compatibility with the Secrets Manager Agent.
  • Reference: AWS Announcement

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. A company uses Amazon RDS for PostgreSQL databases for its data tier. The company must implement password rotation for the databases. Which solution meets this requirement with the LEAST operational overhead?
    1. Store the password in AWS Secrets Manager. Enable automatic rotation on the secret.
    2. Store the password in AWS Systems Manager Parameter Store. Enable automatic rotation on the parameter.
    3. Store the password in AWS Systems Manager Parameter Store. Write an AWS Lambda function that rotates the password.
    4. Store the password in AWS Key Management Service (AWS KMS). Enable automatic rotation on the customer master key (CMK).
  2. A company needs to share configuration parameters across multiple AWS accounts in an organization. The parameters are non-sensitive and change infrequently. Which solution is the MOST cost-effective?
    1. Store the parameters in AWS Secrets Manager with a resource-based policy for cross-account access.
    2. Store the parameters in AWS Systems Manager Parameter Store as advanced parameters and share them using AWS Resource Access Manager (RAM).
    3. Store the parameters in an Amazon S3 bucket with cross-account access policies.
    4. Store the parameters in AWS Systems Manager Parameter Store as standard parameters and use IAM cross-account roles.
  3. A company uses third-party SaaS applications and needs to manage API credentials for these services. The credentials must be automatically rotated without custom code. Which AWS service and feature should the company use?
    1. AWS Systems Manager Parameter Store with a scheduled Lambda function
    2. AWS Secrets Manager with a custom Lambda rotation function
    3. AWS Secrets Manager with Managed External Secrets
    4. AWS KMS with automatic key rotation
  4. A development team wants to reduce API calls to AWS Secrets Manager from their containerized application while maintaining access to up-to-date secrets. Which approach provides the LEAST operational overhead?
    1. Implement a custom caching layer using Redis
    2. Deploy the AWS Secrets Manager Agent as a sidecar container
    3. Store secrets in environment variables at container startup
    4. Use the AWS Parameters and Secrets Lambda Extension
  5. A solutions architect needs to provide cross-account access to encrypted configuration data stored in AWS Systems Manager Parameter Store. Which combination of steps is required? (Select TWO)
    1. Create the parameter as an advanced parameter and share it using AWS RAM
    2. Create a resource-based policy on the parameter
    3. Share the KMS key used to encrypt the SecureString parameter with the consuming account
    4. Create an IAM role in the consuming account with ssm:GetParameter permission
    5. Store the parameter as a standard parameter and enable cross-account access

References

AWS Secrets Manager

AWS Secrets Manager

AWS Secrets Manager

  • AWS Secrets Manager helps protect secrets needed to access applications, services, and IT resources.
  • enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
  • secure secrets by encrypting them with encryption keys managed using AWS KMS.
  • offers native secret rotation with built-in integration for RDS, Redshift, and DocumentDB.
  • supports Lambda functions to extend secret rotation to other types of secrets, including API keys and OAuth tokens.
  • supports IAM and resource-based policies for fine-grained access control to secrets and centralized secret rotation audit for resources in the AWS Cloud, third-party services, and on-premises.
  • enables secret replication in multiple AWS regions to support multi-region applications and disaster recovery scenarios.
  • supports private access using VPC Interface endpoints
  • supports dual-stack (IPv4 and IPv6) endpoints for all regions.
  • supports BatchGetSecretValue API to retrieve up to 20 secrets in a single API call, reducing latency and API call costs.
  • supports cost allocation tags to categorize and track secret costs by department, team, or application in AWS Cost Explorer.
  • supports hybrid post-quantum TLS using ML-KEM to protect secrets against future quantum computing threats.

AWS Secrets Manager

Secrets Manager with KMS

  • Encryption
    • encrypts a new version of the protected secret data by requesting AWS KMS to generate a new data key from the KMS key.
    • uses this data key for envelope encryption.
    • stores the encrypted data key with the protected secret data.
  • Decryption
    • requests AWS KMS to decrypt the encrypted data key
    • uses the plain text data key to decrypt the protected secret data.
    • never stores the data key in unencrypted form, and always disposes of the data key immediately after use.

Secrets Manager Rotation

  • AWS Secrets Manager enables database credential rotation on a schedule.
  • Supports rotation as frequently as every four hours, with configurable rotation windows using cron or rate expressions.
  • Rotation can be configured using:
    • Managed rotation – the service configures and manages rotation automatically without Lambda functions (supported for RDS, Aurora, Redshift, DocumentDB).
    • Lambda function rotation – for custom rotation logic using Lambda functions.
    • Managed external secrets rotation – for third-party credentials (e.g., Salesforce, MongoDB Atlas, Confluent Cloud) without Lambda functions.
  • Credentials rotation does not impact the already open connections as they are not re-authenticated. Authentication happens when a connection is established.
  • integrates with CloudWatch Events/EventBridge to send a notification when it rotates a secret.

Rotation Strategies

  • Single user rotation
    • Updates credentials for one user in one secret.
    • The user’s password is changed in both the secret and the database.
    • Recommended when cloned users don’t have the same permissions, or for ad hoc/interactive users.
    • Brief period of potential sign-in failure between rotation and propagation.
  • Alternating users rotation
    • Creates a clone user with identical privileges but different password.
    • Alternates between two users on each rotation.
    • Requires a separate secret with superuser credentials.
    • Provides higher availability as the old version remains valid until next rotation.

Managed External Secrets

  • Introduced in November 2025, managed external secrets extend managed rotation to third-party SaaS credentials.
  • Enables centralized management and automatic rotation of credentials for third-party software providers directly from Secrets Manager.
  • No Lambda functions required – rotation is fully managed by Secrets Manager.
  • Supports standardized formats and multiple rotation strategies per SaaS provider.
  • Supported providers include Salesforce, MongoDB Atlas, and Confluent Cloud (expanding).
  • Eliminates the need for provider-specific custom rotation logic.

Secrets Manager Agent & Workload Credentials Provider

  • Secrets Manager Agent (released July 2024)
    • Language-agnostic local HTTP service that pulls and caches secrets in compute environments.
    • Exposes a localhost endpoint (port 2773) for applications to retrieve secrets from in-memory cache.
    • Reduces API calls and improves application availability.
    • Default cache TTL of 300 seconds (configurable).
    • Open source and supports pre-fetching secrets at startup and IAM role assumption (May 2026).
    • Supports hybrid post-quantum TLS (ML-KEM) by default since version 2.0.
    • Works with EC2, ECS, EKS, Lambda, and on-premises/multi-cloud environments.
  • AWS Workload Credentials Provider (released June 2026)
    • Unified lightweight client-side provider that automates deployment of ACM certificates and caching of Secrets Manager secrets.
    • Maintains full backwards compatibility with Secrets Manager Agent.
    • Works across AWS and non-AWS workloads through a single unified provider.
    • Uses post-quantum ML-KEM key exchange by default.

Secrets Manager Security Features

  • Post-Quantum TLS
    • Supports hybrid post-quantum key exchange using ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism) for TLS connections.
    • Combines traditional cryptography (X25519) with post-quantum algorithms to protect against “harvest now, decrypt later” threats.
    • Service-side support launched in 2025; client-side support extended in April 2026.
    • Secrets at rest are already quantum-safe (symmetric encryption via KMS).
  • API Rate Limits (March 2025)
    • GetSecretValue: up to 10,000 requests per second
    • DescribeSecret: up to 40,000 requests per second
  • Managed Policies
    • SecretsManagerReadWrite – full access including redshift-serverless permission (March 2024).
    • AWSSecretsManagerClientReadOnlyAccess – read-only access for client applications, includes BatchGetSecretValue and ListSecrets (November 2025, updated June 2026).

Client-Side Caching

  • Caching libraries available for Java, Python, .NET, Go, and Rust.
  • Improves speed, availability, and reduces costs by minimizing API calls.
  • Default cache refresh interval is one hour (configurable).
  • Does not include cache invalidation – if a secret rotates before TTL expires, stale values may be returned.
  • For containerized workloads, client-side caching allows credential rotation without restarting containers.

Secrets Manager vs Systems Manager Parameter Store

AWS Secrets Manager vs Systems Parameter Store

  • Key Differences:
    • Secrets Manager is designed specifically for secrets with built-in rotation; Parameter Store is a general-purpose configuration store.
    • Secrets Manager supports managed rotation (no Lambda needed for supported databases); Parameter Store requires custom Lambda for rotation.
    • Secrets Manager charges per secret ($0.40/month) and per API call ($0.05/10K calls); Parameter Store Standard tier is free.
    • Secrets Manager supports cross-region replication natively; Parameter Store does not.
    • Secrets Manager supports BatchGetSecretValue; Parameter Store supports GetParameters (up to 10).
  • AWS Recommendation (2025): Use Secrets Manager for secrets, Parameter Store for simple key-value configuration, and AWS AppConfig for feature flags and advanced dynamic configuration.

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. Which AWS service makes it easy for you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle?
    1. AWS WAF
    2. AWS Secrets Manager
    3. AWS Systems Manager
    4. AWS Shield
  2. A company uses Amazon RDS for PostgreSQL databases for its data tier. The company must implement password rotation for the databases. Which solution meets this requirement with the LEAST operational overhead?
    1. Store the password in AWS Secrets Manager. Enable automatic rotation on the secret.
    2. Store the password in AWS Systems Manager Parameter Store. Enable automatic rotation on the parameter.
    3. Store the password in AWS Systems Manager Parameter Store. Write an AWS Lambda function that rotates the password.
    4. Store the password in AWS Key Management Service (AWS KMS). Enable automatic rotation on the customer master key (CMK).
  3. A company has multiple applications that retrieve database credentials from AWS Secrets Manager at a high rate, causing throttling. Which approach should the company use to address this issue with MINIMAL code changes?
    1. Increase the Secrets Manager service quota for API calls.
    2. Implement client-side caching using the Secrets Manager caching library or deploy the Secrets Manager Agent for local caching.
    3. Store credentials in Systems Manager Parameter Store instead.
    4. Replicate the secrets to additional regions and distribute read traffic.
  4. A company needs to manage and rotate credentials for multiple third-party SaaS applications (Salesforce, MongoDB Atlas) with the LEAST operational overhead. Which approach should they use?
    1. Write custom Lambda rotation functions for each SaaS provider.
    2. Store credentials in Parameter Store and use EventBridge rules for rotation.
    3. Use AWS Secrets Manager managed external secrets for automated rotation without Lambda functions.
    4. Build a custom rotation service running on ECS.
  5. A company wants to protect its secrets in transit against future quantum computing threats. Which feature of AWS Secrets Manager addresses this requirement?
    1. Use customer-managed KMS keys for encryption at rest.
    2. Enable secret replication across multiple regions.
    3. Use hybrid post-quantum TLS with ML-KEM for Secrets Manager API connections.
    4. Enable automatic secret rotation every 4 hours.
  6. A company runs applications on-premises and in AWS. They need a language-agnostic way to retrieve secrets locally without modifying application code to use the AWS SDK. Which solution provides this capability?
    1. Use AWS Systems Manager Parameter Store with the SSM agent.
    2. Embed secrets in environment variables at deployment time.
    3. Deploy the AWS Secrets Manager Agent (or Workload Credentials Provider) for local HTTP-based secret retrieval with in-memory caching.
    4. Use AWS Lambda to periodically fetch and write secrets to a local file.

References