This chapter provides a comprehensive comparison of AWS Secrets Manager and AWS Systems Manager Parameter Store, two services for managing secrets and configuration data. The SAA-C03 exam frequently tests your ability to choose between these services based on requirements like automatic rotation, cost, encryption, and integration with other AWS services. Approximately 5-10% of Secure Architecture questions involve this decision. By the end of this chapter, you will understand the exact mechanisms, use cases, and exam traps for each service.
Imagine an office building with two systems for managing keys and sensitive documents. AWS Systems Manager Parameter Store is like a central key cabinet in the break room. Employees (applications) can walk up, open the cabinet (via API calls), and grab any key they need—a Wi-Fi password, a shared mailbox code, etc. The cabinet has a simple logbook (versioning) and some basic access rules (IAM policies). But anyone with the break room code can see all the keys; there's no rotation, no automatic locking, and no encryption at rest by default. In contrast, AWS Secrets Manager is like a high-security vault in a locked office. Each secret (e.g., a database password, an API key) is stored in its own encrypted envelope with a unique access policy. The vault automatically rotates secrets on a schedule, like a security guard swapping out the lock cylinders every 30 days. When an application requests a secret, the vault logs the request, checks the employee's badge (IAM), and returns the secret only if authorized. If a secret is compromised, the vault can rotate it immediately without manual intervention. The vault also integrates with the building's security cameras (CloudTrail) and alarms (Amazon EventBridge). Parameter Store is free and fast for non-sensitive configuration, but for secrets that need rotation, fine-grained access control, and encryption, you must use Secrets Manager.
What They Are and Why They Exist
AWS Secrets Manager and AWS Systems Manager Parameter Store are both services for storing sensitive information such as database passwords, API keys, and configuration strings. However, they serve different primary purposes. Secrets Manager is designed specifically for managing secrets that require automatic rotation, fine-grained access control, and encryption at rest by default. Parameter Store, part of AWS Systems Manager, is a hierarchical store for configuration data, secrets, and parameters. It offers a free tier, but lacks automatic rotation and has limited encryption options unless you use the Advanced tier.
How They Work Internally
Secrets Manager stores each secret as a JSON object with a name, description, encryption key (either the default aws/secretsmanager KMS key or a custom KMS key), and the secret value. When you create a secret, you can optionally configure automatic rotation using a Lambda function. The service stores the secret encrypted, and when you retrieve it via the GetSecretValue API, it decrypts the secret in memory and returns the plaintext. Secrets Manager integrates with CloudTrail to log all API calls, including retrieval, creation, and rotation. It also supports resource-based policies and IAM policies for access control.
Parameter Store stores parameters as key-value pairs in a hierarchy (e.g., /myapp/database/password). Parameters can be plaintext or encrypted (using KMS). The Standard tier is free and allows up to 10,000 parameters per account, with a maximum parameter size of 4 KB. The Advanced tier costs $0.05 per parameter per month and supports up to 100,000 parameters, with a maximum size of 8 KB. Parameter Store does not have built-in rotation; you must implement your own solution using Lambda and EventBridge.
Key Components, Values, Defaults, and Timers
Secrets Manager:
- Maximum secret size: 64 KB (including the JSON structure)
- Rotation schedule: Configurable, default is 30 days
- Encryption: Always encrypted at rest using KMS; default key is aws/secretsmanager
- Access control: IAM policies and resource-based policies
- Pricing: $0.40 per secret per month, plus $0.05 per 10,000 API calls
- Automatic rotation: Requires a Lambda function; you can use provided templates for RDS, Redshift, DocumentDB, etc.
- Versioning: Secrets Manager automatically versions secrets during rotation, with staging labels like AWSCURRENT, AWSPREVIOUS, AWSPENDING
Parameter Store:
- Standard tier: Free; up to 10,000 parameters; max size 4 KB; no policies; no automatic rotation
- Advanced tier: $0.05 per parameter per month; up to 100,000 parameters; max size 8 KB; supports parameter policies (e.g., expiration, notification)
- Encryption: Optional; uses KMS if specified; otherwise plaintext
- Access control: IAM policies only (no resource-based policies)
- Versioning: Every parameter update increments the version number; you can reference specific versions
- TTL: You can set an expiration date for advanced parameters using policies
Configuration and Verification Commands
Secrets Manager CLI example:
aws secretsmanager create-secret --name MySecret --secret-string '{"username":"admin","password":"P@ssw0rd"}'
aws secretsmanager get-secret-value --secret-id MySecret
aws secretsmanager rotate-secret --secret-id MySecret --rotation-lambda-arn arn:aws:lambda:us-east-1:123456789012:function:MyRotationLambda
Parameter Store CLI example:
aws ssm put-parameter --name /myapp/db/password --value 'P@ssw0rd' --type SecureString --key-id alias/aws/ssm
aws ssm get-parameter --name /myapp/db/password --with-decryption
aws ssm describe-parameters
Interaction with Related Technologies
Both services integrate with AWS Lambda, Amazon ECS, Amazon RDS, and CloudFormation. For example, CloudFormation Dynamic References allow you to reference Secrets Manager secrets or Parameter Store parameters directly in templates. Secrets Manager has deeper integration with RDS for automatic password rotation. Parameter Store integrates with Systems Manager Run Command and State Manager for configuration management. Both services work with IAM for access control, but Secrets Manager also supports resource-based policies for cross-account access.
Exam-Relevant Details
Secrets Manager automatically rotates secrets using a Lambda function; Parameter Store does not.
Secrets Manager encrypts secrets at rest by default; Parameter Store requires you to choose SecureString type and specify a KMS key.
Parameter Store has a free tier; Secrets Manager costs $0.40 per secret per month.
Parameter Store supports hierarchical naming; Secrets Manager has a flat namespace.
Secrets Manager can generate random passwords; Parameter Store cannot.
Secrets Manager integrates with CloudFormation Dynamic References for secrets; Parameter Store does the same for parameters.
Both services support versioning, but Secrets Manager uses staging labels like AWSCURRENT.
Create a Secrets Manager Secret
Navigate to the Secrets Manager console or use CLI. You specify a name (e.g., `prod/db/password`), optionally a description, and the secret value (plaintext or JSON). You select the encryption key: either the default `aws/secretsmanager` KMS key or a custom key. If you want automatic rotation, you configure a rotation schedule (e.g., every 30 days) and provide a Lambda function ARN. The service stores the secret encrypted and returns an ARN. CloudTrail logs the `CreateSecret` event.
Store a Parameter in Parameter Store
In the Systems Manager console or CLI, create a parameter with a name (e.g., `/myapp/db/password`), type (`String`, `StringList`, or `SecureString`), and value. For `SecureString`, the value is encrypted with a KMS key: the default `aws/ssm` key unless you specify your own. You can assign a tier (Standard or Advanced) and optionally a data type (`text` or `aws:ec2:image`). The parameter is stored in the hierarchy. CloudTrail logs `PutParameter`.
Retrieve a Secret from Secrets Manager
An application calls `GetSecretValue` with the secret ID (ARN or name). Secrets Manager checks IAM permissions and resource-based policies. If authorized, it decrypts the secret using KMS and returns the plaintext. The service logs the retrieval in CloudTrail. If rotation is in progress, the response may include the current or previous version based on staging labels.
Retrieve a Parameter from Parameter Store
An application calls `GetParameter` or `GetParametersByPath` with the parameter name. For `SecureString` parameters, you must set `WithDecryption` (`--with-decryption` in the CLI) to have the value decrypted with KMS; otherwise the encrypted value is returned. IAM policies are checked. The service returns the value and version number. CloudTrail logs the call. If the parameter has an expiration policy, the service may return an error if expired.
Rotate a Secret in Secrets Manager
Secrets Manager invokes the attached Lambda function on the configured schedule (e.g., every 30 days). The Lambda function creates a new version of the secret with staging label `AWSPENDING`, updates the credential in the target service (e.g., RDS), tests the new credential, and then moves the staging label to `AWSCURRENT`. The old version becomes `AWSPREVIOUS`. CloudTrail logs all rotation steps.
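The retrieval and rotation steps above, modelled as an added example that is not AWS code: a hypothetical in-memory `Secret` that tracks versions and staging labels, and a `rotate` function that walks the four steps a rotation Lambda performs (create the pending version, set and test the credential, finish by moving labels), so the AWSPENDING -> AWSCURRENT -> AWSPREVIOUS movement can be checked offline. The update and test against the target service (e.g., RDS) are simulated.

```python
import json
from dataclasses import dataclass, field
from uuid import uuid4


class ResourceNotFound(Exception):
    """Raised, like the service's ResourceNotFoundException, for a label no version carries."""


@dataclass
class Secret:
    """Hypothetical in-memory model of one secret: versions plus staging labels."""
    name: str
    versions: dict = field(default_factory=dict)  # version_id -> secret string
    stages: dict = field(default_factory=dict)    # staging label -> version_id

    def put_secret_value(self, secret_string: str, stage: str = "AWSCURRENT") -> str:
        """Store a new version and point one staging label at it."""
        version_id = str(uuid4())
        self.versions[version_id] = secret_string
        self.stages[stage] = version_id
        return version_id

    def get_secret_value(self, version_stage: str = "AWSCURRENT") -> dict:
        """GetSecretValue by staging label; AWSCURRENT is the default, as in the API."""
        version_id = self.stages.get(version_stage)
        if version_id is None:
            raise ResourceNotFound(f"no version of {self.name} carries {version_stage}")
        return {"VersionId": version_id, "SecretString": self.versions[version_id]}

    def finish_rotation(self) -> None:
        """finishSecret step: AWSPENDING becomes AWSCURRENT, old AWSCURRENT becomes AWSPREVIOUS."""
        pending = self.stages.pop("AWSPENDING", None)
        if pending is None:
            raise ValueError("rotation not started: no version is labelled AWSPENDING")
        current = self.stages.get("AWSCURRENT")
        if current is not None and current != pending:
            self.stages["AWSPREVIOUS"] = current
        self.stages["AWSCURRENT"] = pending


def rotate(secret: Secret, new_password: str) -> dict:
    """Run the four rotation steps for a JSON credential; returns the parsed value per label."""
    # createSecret: a new version carrying only AWSPENDING; AWSCURRENT is still served meanwhile
    current = json.loads(secret.get_secret_value("AWSCURRENT")["SecretString"])
    secret.put_secret_value(json.dumps({**current, "password": new_password}), stage="AWSPENDING")
    # setSecret / testSecret: push the credential to the target (e.g. RDS) and verify it works.
    # Simulated here: we only confirm the pending version is the one that would be tested.
    pending = json.loads(secret.get_secret_value("AWSPENDING")["SecretString"])
    if pending["password"] != new_password:
        raise RuntimeError("testSecret failed: pending version does not hold the new credential")
    # finishSecret: promote the pending version; readers of AWSCURRENT now get the new password
    secret.finish_rotation()
    return {label: json.loads(secret.versions[vid]) for label, vid in secret.stages.items()}
```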
Enterprise Scenario 1: Database Credential Rotation
A financial services company runs hundreds of RDS instances. They use Secrets Manager to store database master passwords. Each secret is configured with automatic rotation every 30 days using the built-in RDS rotation Lambda template. The IAM roles for EC2 instances and Lambda functions are granted permission to read only their specific secrets via resource-based policies. When a database password rotates, the application retrieves the latest secret using the AWSCURRENT staging label. The company saves hundreds of hours of manual password changes and meets compliance requirements. A common misconfiguration is not updating the Lambda function's IAM role to allow it to modify the RDS password, causing rotation failures.
Enterprise Scenario 2: Application Configuration Management
A SaaS startup uses Parameter Store to manage configuration parameters for thousands of microservices. They use the Advanced tier for parameters that are larger than 4 KB, such as SSL certificates. They set expiration policies to notify teams when certificates are about to expire. They use hierarchical naming like /app/prod/db/url and /app/dev/db/url to separate environments. The startup saves costs by using the free Standard tier for non-sensitive parameters. A common issue is accidentally exposing plaintext parameters in CloudTrail logs when retrieving them without decryption.
Enterprise Scenario 3: Cross-Account Secret Sharing
A large enterprise uses a centralized security account to store secrets for all business units. They use Secrets Manager with resource-based policies that allow cross-account access. For example, the secret arn:aws:secretsmanager:us-east-1:111111111111:secret:shared/db-password has a policy that grants GetSecretValue to account 222222222222. The consuming account's IAM role does not need any KMS permissions; the resource-based policy handles decryption. This avoids the complexity of sharing KMS keys. A common trap is forgetting to attach a resource-based policy, causing access denied errors.
What the SAA-C03 Tests
The exam tests your ability to choose between Secrets Manager and Parameter Store based on specific requirements. Key objective codes: SEC 1.2 (Secure Access to AWS Resources). Typical scenario: You need to store database passwords that must be rotated automatically. The correct answer is Secrets Manager. If the requirement is to store configuration data that does not need rotation and you want to minimize cost, Parameter Store (Standard tier) is correct.
Common Wrong Answers
Choosing Parameter Store for automatic rotation – Candidates see 'store secrets' and think either service works. But Parameter Store does not have built-in rotation. The exam explicitly tests this.
Choosing Secrets Manager for all secrets – Candidates ignore cost. Secrets Manager costs $0.40/secret/month; for hundreds of parameters, Parameter Store is cheaper.
Using Parameter Store for cross-account secrets – Parameter Store does not support resource-based policies. To share parameters cross-account, you must use KMS key sharing, which is more complex. Secrets Manager supports resource-based policies directly.
Forgetting encryption at rest – Parameter Store parameters are plaintext by default; you must choose SecureString type. The exam may present a scenario where encryption is required, and the candidate selects Parameter Store without encryption.
Specific Numbers and Terms
Secrets Manager: $0.40/secret/month, $0.05 per 10,000 API calls
Parameter Store Standard: free, 10,000 parameters, 4 KB max
Parameter Store Advanced: $0.05/parameter/month, 100,000 parameters, 8 KB max
Rotation schedule: default 30 days
Staging labels: AWSCURRENT, AWSPREVIOUS, AWSPENDING
Parameter Store types: String, StringList, SecureString
Edge Cases
If you need to store a secret larger than 64 KB, you must split it across multiple secrets or use Parameter Store Advanced (8 KB) – but 64 KB is the Secrets Manager limit.
If you need to store a binary secret (e.g., a certificate), you can store it as a base64-encoded string in either service.
Parameter Store supports aws:ec2:image data type for AMI IDs, which Secrets Manager does not.
Secrets Manager can generate a random password using the GenerateRandomPassword API; Parameter Store cannot.
How to Eliminate Wrong Answers
If the question mentions 'rotation' or 'automatically change password', eliminate Parameter Store.
If the question mentions 'cost-effective' or 'free tier', consider Parameter Store Standard.
If the question mentions 'cross-account access', prefer Secrets Manager with resource-based policies.
If the question mentions 'hierarchical configuration', Parameter Store is the natural fit.
Secrets Manager automatically rotates secrets; Parameter Store does not.
Secrets Manager encrypts secrets at rest by default; Parameter Store requires SecureString type.
Parameter Store Standard tier is free with 10,000 parameter limit; Secrets Manager costs $0.40/secret/month.
Secrets Manager supports resource-based policies for cross-account access; Parameter Store does not.
Secrets Manager can generate random passwords; Parameter Store cannot.
Parameter Store supports hierarchical naming and data types like aws:ec2:image.
Both services integrate with CloudFormation Dynamic References.
Secrets Manager uses staging labels (AWSCURRENT, AWSPREVIOUS, AWSPENDING) for versioning during rotation.
These come up on the exam all the time. Here's how to tell them apart.
Secrets Manager
Built-in automatic rotation via Lambda
Encryption at rest by default using KMS
Resource-based policies for cross-account access
Cost: $0.40/secret/month + API call fees
Maximum secret size: 64 KB
Parameter Store
No built-in rotation; must implement custom solution
Encryption optional; use SecureString type with KMS
No resource-based policies; cross-account requires KMS sharing
Standard tier free; Advanced tier $0.05/parameter/month
Maximum parameter size: 4 KB (Standard), 8 KB (Advanced)
Mistake
Parameter Store can automatically rotate secrets like Secrets Manager.
Correct
Parameter Store does not have built-in rotation. You must build a custom solution using Lambda and EventBridge to rotate secrets stored in Parameter Store. Secrets Manager provides native rotation with Lambda templates.
Mistake
Secrets Manager is always more secure because it encrypts secrets at rest by default.
Correct
Parameter Store also supports encryption at rest by using the `SecureString` type with a KMS key. Both services can be equally secure if configured correctly. The key difference is rotation and access control features.
Mistake
Parameter Store is free, so it should be used for all secrets.
Correct
While the Standard tier is free, it has limitations: 10,000 parameters, 4 KB max size, no policies, no rotation. For secrets that require rotation, you must use Secrets Manager. For non-sensitive configuration, Parameter Store is cost-effective.
Mistake
Both services support resource-based policies for cross-account access.
Correct
Secrets Manager supports resource-based policies that allow cross-account access directly. Parameter Store does not support resource-based policies; cross-account access requires sharing the KMS key and using IAM roles.
Mistake
Secrets Manager cannot be used with CloudFormation.
Correct
Secrets Manager integrates with CloudFormation via Dynamic References. You can reference a secret value in a template using the syntax `{{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}}`.
Use Secrets Manager when you need automatic rotation of secrets (e.g., database passwords, API keys). It also provides encryption at rest by default, resource-based policies for cross-account access, and can generate random passwords. Use Parameter Store for configuration data that does not require rotation, especially if you want to minimize cost (Standard tier is free).
Yes, by using the `SecureString` type and specifying a KMS key. If you do not specify a key, the default `aws/ssm` KMS key is used. Without `SecureString`, the parameter is stored as plaintext. Secrets Manager always encrypts secrets at rest.
Parameter Store does not have built-in rotation. You must create a custom solution using AWS Lambda and Amazon EventBridge (or CloudWatch Events) to periodically update the parameter value. This is more complex than Secrets Manager's native rotation.
Yes, but it is more complex. Since Parameter Store does not support resource-based policies, you must use a cross-account KMS key. The consuming account's IAM role must have permission to use the KMS key and read the parameter. Secrets Manager supports resource-based policies for simpler cross-account access.
64 KB. The maximum size includes the JSON structure of the secret. If you need to store larger data, consider splitting it into multiple secrets or using Parameter Store Advanced (8 KB) or S3.
Yes, during rotation, Secrets Manager creates new versions with staging labels: `AWSCURRENT`, `AWSPREVIOUS`, and `AWSPENDING`. You can retrieve specific versions. Parameter Store also versions parameters, incrementing a version number each update.
Yes, both support Dynamic References. For Secrets Manager: `{{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}}`. For Parameter Store: `{{resolve:ssm:parameter-name:version}}`. This allows you to inject secrets into CloudFormation templates without hardcoding.
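The two dynamic-reference syntaxes quoted above, worked through as an added example (not CloudFormation's own resolver): a parser that splits each `{{resolve:...}}` string into its positional fields, handling omitted trailing fields and a secret ID given as an ARN (which itself contains colons), and a resolver that applies the defaults (AWSCURRENT when no version stage is given, latest version when no parameter version is given). The secret and parameter stores are constructed in-memory stand-ins; the version-id field is parsed but not used because the toy store only indexes by stage.

```python
import json

# Constructed stand-ins for Secrets Manager and Parameter Store so the resolver
# runs offline; the names, values and staging labels below are made up.
SECRETS = {
    "prod/db/password": {
        "AWSCURRENT": '{"username": "admin", "password": "new-pw"}',
        "AWSPREVIOUS": '{"username": "admin", "password": "old-pw"}',
    },
}
PARAMETERS = {"/myapp/db/url": {1: "db-v1.internal", 2: "db-v2.internal"}}  # version -> value

PREFIX, SUFFIX = "{{resolve:", "}}"


def parse_dynamic_reference(text: str) -> dict:
    """Split a dynamic reference into its positional fields.

    secretsmanager: secret-id:secret-string:json-key:version-stage:version-id
    ssm / ssm-secure: parameter-name:version
    Trailing fields may be omitted or left empty; empty means "use the default".
    """
    if not (text.startswith(PREFIX) and text.endswith(SUFFIX)):
        raise ValueError(f"not a dynamic reference: {text}")
    parts = text[len(PREFIX):-len(SUFFIX)].split(":")
    service, rest = parts[0], parts[1:]
    if service == "secretsmanager":
        # A full secret ARN has seven colon-separated pieces; rejoin it as one field.
        if len(rest) >= 7 and rest[0] == "arn" and rest[2] == "secretsmanager":
            rest = [":".join(rest[:7])] + rest[7:]
        names = ["secret_id", "secret_string", "json_key", "version_stage", "version_id"]
    elif service in ("ssm", "ssm-secure"):
        names = ["name", "version"]
    else:
        raise ValueError(f"unsupported dynamic-reference service: {service}")
    rest += [""] * (len(names) - len(rest))
    return {"service": service, **dict(zip(names, rest))}


def resolve(text: str) -> str:
    """Resolve one reference against the constructed stores, applying the defaults."""
    ref = parse_dynamic_reference(text)
    if ref["service"] == "secretsmanager":
        if ref["secret_string"] not in ("", "SecretString"):
            raise ValueError("templates can only resolve the SecretString part of a secret")
        stage = ref["version_stage"] or "AWSCURRENT"  # no stage given: current version
        value = SECRETS[ref["secret_id"]][stage]
        return json.loads(value)[ref["json_key"]] if ref["json_key"] else value
    versions = PARAMETERS[ref["name"]]
    version = int(ref["version"]) if ref["version"] else max(versions)  # latest by default
    return versions[version]
```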