AWS Secrets Manager vs SSM Parameter Store: When to Use Each
Use SSM Parameter Store for non-sensitive config, cross-stack sharing, and cost-sensitive simple secrets. Use Secrets Manager when you need automatic rotation, cross-region replication, secure IaC support, or managed database credential rotation. Both encrypt with KMS, but Secrets Manager is purpose-built for secret lifecycle management.
Introduction
Whenever I am called to review a project and a secret is required - an API key, database credential, or any sensitive value - someone predictably asks:
Should we use AWS Secrets Manager or SSM Parameter Store (SecureString)?
The answer isn't always straightforward (the dreaded, 'It Depends' answer). This post explains the key differences and when to use each service.
SSM Parameter Store
Parameter Store, a tool in AWS Systems Manager, provides secure, hierarchical storage for configuration data management and secrets management - AWS
SSM Parameter Store lets you store configuration data and secrets as key-value pairs. Each parameter has a hierarchical key path (e.g., /service/env/db-password) that helps organize and scope access using IAM.
Value types: Simple string, SecureString (KMS encrypted), Structured data (JSON)
Standard vs Advanced Tiers
| Feature | Standard (Free) | Advanced (Paid) |
|---|---|---|
| Parameter quota | 10,000 | 100,000 |
| Max value size | 4 KB | 8 KB |
| Versioning & Policies | No | Yes |
Secrets Manager
AWS Secrets Manager helps you manage, retrieve, and rotate database credentials, application credentials, OAuth tokens, API keys, and other secrets throughout their lifecycles - AWS
AWS Secrets Manager is purpose-built to manage the full lifecycle of secrets.
Key features:
- Managed rotation - Supports AWS database credentials (RDS, Aurora, Redshift, DocumentDB)
- Unmanaged rotation - Write a Lambda function for custom rotation logic
- Cross-region replication
- Versioning
- IaC support
- Max secret size - 64 KB
Feature Comparison
| Feature | SSM Parameter Store | Secrets Manager |
|---|---|---|
| Cost | Free (Standard) / Low (Advanced) | Higher |
| Max size | 4 KB / 8 KB | 64 KB |
| Encryption | Optional (SecureString) | Always encrypted |
| Automatic rotation | No | Yes |
| Cross-region replication | No | Yes |
| Versioning | Advanced tier only | Yes |
| IaC support | Limited (exposes SecureString) | Secure |
| Managed DB credential rotation | No | Yes |
| Hierarchical organization | Yes | No |
| Configuration data | Yes | Not intended |
Performance differences are insignificant since secrets don't change rapidly. You should fetch and cache values in memory to reduce API calls and boost performance.
When to Use Each
Use SSM Parameter Store When:
- Storing non-sensitive configuration or need free/low-cost parameter storage
- Cross-account or cross-stack sharing of information such as IDs, ARNs, service domains via CDK or CloudFormation
- Storing secrets without requiring rotation or secure IaC support
- You want to avoid the extra cost of Secrets Manager
Defining SecureString values inline in IaC (CDK/CFN) will expose them in templates.
Use Secrets Manager When:
- Storing credentials, tokens, and API keys needing rotation, versioning, or cross-region support
- You need automatically managed rotation for RDS, Aurora, Redshift, or DocumentDB
- You need custom rotation for other use cases via Lambda
- You require secure IaC usage (CDK or CloudFormation)
- A managed secret lifecycle is worth the cost (regulated/enterprise environments)
Quick Reference Summary
| Scenario | Recommendation |
|---|---|
| Non-sensitive config values | SSM Parameter Store |
| Cross-stack/account sharing (IDs, ARNs) | SSM Parameter Store |
| Secrets without rotation needs | SSM Parameter Store (SecureString) |
| Database credentials with rotation | Secrets Manager |
| API keys needing rotation | Secrets Manager |
| Regulated/enterprise environments | Secrets Manager |
| Cost-sensitive, simple secrets | SSM Parameter Store |
Conclusion
Context matters, and your constraints make a difference. Both services have their place:
- SSM Parameter Store excels at hierarchical configuration management with optional encryption, and the free tier makes it ideal for non-sensitive config and cost-conscious teams
- Secrets Manager is the right choice when you need automatic rotation, cross-region replication, or are working in regulated environments where secret lifecycle management is critical
Use the AWS Pricing Calculator to estimate costs before deciding. For many use cases, the cost difference between the two services is minimal compared to the operational benefits of choosing the right tool.