33.3 Secrets Manager vs SSM Parameter Store: Cost and Feature Comparison
Alright, let’s cut through the marketing fluff and get to the brass tacks. You’ve got secrets and configuration data. AWS gives you two main vaults to put them in: Secrets Manager and the SSM Parameter Store. They look similar on the surface—both hold strings you don’t want hardcoded—but the devil, and your bill, is in the details. Choosing the wrong one is like using a diamond-tipped drill to hang a picture frame; it’ll work, but your accountant will weep.
The core difference is right there in the name. Secrets Manager is for secrets: database passwords, API keys, OAuth tokens—the things that will get you fired if they leak. Parameter Store is for parameters: configuration strings, license codes, AMI IDs—operational data that needs to be secure and centralized but isn’t a crown-jewel credential.
The Wallet Punch: Cost Comparison
Let’s start with the bit that will get management’s attention: cost. This is where the choice often gets made for you.
Secrets Manager costs $0.40 per secret per month (as of this writing). It doesn’t matter if you access it once or a million times; you pay for the privilege of it existing. Think of it as a high-security, climate-controlled vault with a monthly leasing fee.
Parameter Store, on the other hand, is practically free for the Standard tier (which we’ll get to). For the Advanced tier, which has some Secrets Manager-like features, it’s $0.05 per parameter per month. That’s an 8x difference. For 100 secrets, that’s $40/month vs. $5/month. The math is brutal and obvious.
But wait! Parameter Store charges $0.05 per 10,000 API calls for the Advanced tier, while Secrets Manager API calls are free. So if you have a parameter being accessed millions of times per month, the cost could theoretically flip. I say “theoretically” because in a decade of doing this, I’ve never seen a parameter accessed so frequently that the API cost outweighed the per-secret cost. It’s almost always cheaper to use Parameter Store. The cost difference is AWS’s not-so-subtle way of telling you, “Use the right tool for the job.”
The Tiered Tango: Standard vs. Advanced Parameters
This is Parameter Store’s secret weapon and biggest point of confusion. It has two tiers:
- Standard: Free. Basic encryption with your own KMS key is supported. No fancy history tracking. Perfect for 90% of your configuration data.
- Advanced: $0.05/parameter/month. Unlocks the ability to do parameter policies (automatic expiration and rotation) and see a full history of changes.
Here’s the kicker: you can mix and match tiers per parameter. This is huge. You can keep your simple configuration data in Standard (free) and only promote the stuff that truly needs automatic rotation to Advanced ($0.05), which is still a fraction of Secrets Manager’s cost.
# Storing a standard-tier parameter (free)
aws ssm put-parameter \
    --name "/my-app/database-connection-string" \
    --value "host=prod-db.example.com;port=5432;" \
    --type "String" \
    --tier "Standard" # This is the default, but be explicit!

# Storing an advanced-tier parameter ($0.05/month)
aws ssm put-parameter \
    --name "/my-app/api-key" \
    --value "supersecretkey" \
    --type "SecureString" \
    --tier "Advanced"
The Rotation Rodeo
This is Secrets Manager’s killer feature. It can automatically rotate secrets using a Lambda function you provide (or a built-in one for RDS, Redshift, and DocumentDB). This is a massive operational win for compliance and security. You set it and forget it.
Parameter Store’s Advanced tier can do rotation, but it’s a bit of a lie. It doesn’t rotate the secret itself. An “Advanced” parameter can have a policy attached that says, “This parameter must be updated every 30 days.” But it’s on you to actually do the updating. It’s like a nagging post-it note on your monitor rather than a robot that does the work for you. Secrets Manager is the robot.
# This is a LAMBDA function for Secrets Manager rotation.
# Parameter Store doesn't have this concept; you'd have to build the entire flow yourself.
import boto3

def lambda_handler(event, context):
    client = boto3.client('secretsmanager')
    secret_arn = event['SecretId']          # the secret being rotated
    token = event['ClientRequestToken']     # version id Secrets Manager assigned to the new value
    step = event['Step']                    # createSecret, setSecret, testSecret or finishSecret
    # Secrets Manager invokes this handler once per step, in that order.
    # ... complex logic to create a new password on the target database ...
    # ... then update the secret in Secrets Manager ...
    return {"Status": "SUCCESS"}
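The "post-it note" half of that contrast, as an added example that is not from the page or from AWS: a checker that reads the Expiration and ExpirationNotification policies attached to Advanced-tier parameters (in the shape describe-parameters returns them) and reports which ones a human still has to update. The parameter names, dates and policy texts are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `aws ssm describe-parameters` output;
# the names, dates and policy texts are made up for this illustration.
SAMPLE_PARAMETERS = [
    {"Name": "/my-app/api-key", "Tier": "Advanced", "Policies": [
        {"PolicyType": "Expiration", "PolicyStatus": "Pending", "PolicyText": json.dumps(
            {"Type": "Expiration", "Version": "1.0",
             "Attributes": {"Timestamp": "2024-03-01T00:00:00.000Z"}})},
        {"PolicyType": "ExpirationNotification", "PolicyStatus": "Pending", "PolicyText": json.dumps(
            {"Type": "ExpirationNotification", "Version": "1.0",
             "Attributes": {"Before": "15", "Unit": "Days"}})}]},
    {"Name": "/my-app/db-password", "Tier": "Advanced", "Policies": [
        {"PolicyType": "Expiration", "PolicyStatus": "Pending", "PolicyText": json.dumps(
            {"Type": "Expiration", "Version": "1.0",
             "Attributes": {"Timestamp": "2024-06-01T00:00:00.000Z"}})}]},
    {"Name": "/my-app/feature-flag", "Tier": "Standard", "Policies": []},
]

UNIT_SECONDS = {"Hours": 3600, "Days": 86400}

def parse_ts(text):
    # Policy timestamps are ISO-8601 in UTC with a trailing 'Z'.
    return datetime.fromisoformat(text.rstrip("Z")).replace(tzinfo=timezone.utc)

def review_expirations(parameters, now):
    """Map each name to 'no-policy', 'ok', 'rotate-now' (notification window open,
    a human must act) or 'past-due' (Expiration timestamp passed: SSM deletes the
    parameter at that point, so whatever reads it is about to break or already has)."""
    report = {}
    for param in parameters:
        expires, warn_before = None, timedelta(0)
        for pol in param.get("Policies", []):
            doc = json.loads(pol["PolicyText"])
            attrs = doc.get("Attributes", {})
            if doc["Type"] == "Expiration":
                expires = parse_ts(attrs["Timestamp"])
            elif doc["Type"] == "ExpirationNotification":
                warn_before = timedelta(seconds=int(attrs["Before"]) * UNIT_SECONDS[attrs["Unit"]])
        if expires is None:
            report[param["Name"]] = "no-policy"
        elif now >= expires:
            report[param["Name"]] = "past-due"
        elif now >= expires - warn_before:
            report[param["Name"]] = "rotate-now"
        else:
            report[param["Name"]] = "ok"
    return report
```

Run it against the live inventory by feeding the Parameters list from describe-parameters in place of SAMPLE_PARAMETERS and datetime.now(timezone.utc) as now.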
The Permission Slog
Both services integrate with IAM, but Secrets Manager is more refined for its specific job. A Secrets Manager secret has a single ARN. A Parameter Store parameter has a hierarchical path (/my-app/dev/db/password), which allows for brilliant, path-based IAM policies.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:GetParameter",
      "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/my-app/dev/*"
    }
  ]
}
This policy lets someone access any parameter under /my-app/dev/ but not in prod. You can’t do this with Secrets Manager. This is why Parameter Store wins for configuration management hands down.
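An added example (not from the page) of checking a path-based policy before it ships: a small evaluator that applies IAM's wildcard and explicit-deny rules to SSM parameter ARNs. The policy is a constructed variant of the statement above, with a broad read Allow under /my-app/ and a Deny that fences off /my-app/prod/.

```python
import re

# Constructed identity-based policy (a variant of the page's statement): a broad
# read Allow under /my-app/ plus an explicit Deny fencing off /my-app/prod/.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:GetParameter",
         "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/my-app/*"},
        {"Effect": "Deny", "Action": "ssm:*",
         "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/my-app/prod/*"},
    ],
}

def iam_glob(pattern):
    """Compile an IAM wildcard: '*' matches any run of characters ('/' included,
    which is what makes path prefixes work) and '?' exactly one character."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def matches(patterns, value):
    return any(iam_glob(p).match(value) for p in as_list(patterns))

def is_allowed(policy, action, resource_arn):
    """Simplified identity-policy evaluation: implicit deny unless some Allow matches,
    and any matching explicit Deny wins. Action names compare case-insensitively,
    resource ARNs case-sensitively, as in IAM. Conditions and NotAction/NotResource
    are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in as_list(stmt["Action"])]
        if not (matches(actions, action.lower()) and matches(stmt["Resource"], resource_arn)):
            continue
        if stmt["Effect"] == "Deny":
            return False          # explicit deny short-circuits everything
        allowed = True
    return allowed

PARAM = "arn:aws:ssm:us-east-1:123456789012:parameter"

if __name__ == "__main__":
    for arn in (PARAM + "/my-app/dev/db/password", PARAM + "/my-app/prod/db/password",
                PARAM + "/other-app/dev/db/password"):
        print(is_allowed(POLICY, "ssm:GetParameter", arn), arn)
```

SecureString parameters additionally need kms:Decrypt on the key that encrypted them, which this evaluator does not model.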
So, Which One Do I Use?
Here’s my ruthless, trench-forged heuristic:
Use Secrets Manager if:
- The string is a credential (password, API key, token).
- You need automatic rotation (especially for RDS). This is the biggest reason to pay the premium.
- You need to replicate a secret across regions easily (though you can build this yourself with Parameter Store and EventBridge).
Use SSM Parameter Store (Advanced Tier) if:
- It’s a credential that doesn’t need automatic rotation (e.g., a third-party API key where you must manually update their dashboard).
- You just need the audit trail of changes (the history feature).
Use SSM Parameter Store (Standard Tier) for literally everything else:
- Application configuration (database hostnames, feature flags, S3 bucket names).
- License keys.
- Any non-secret string you want to keep secure, versioned, and centralized.
The most common pitfall I see? Teams just default to Secrets Manager for everything “because it’s more secure.” It’s not more secure. They both use KMS. You’re just burning money. Be smart. Use Parameter Store for your configs, and save Secrets Manager for the secrets that truly deserve the concierge treatment.