L13. Secrets Management: Secrets Manager vs Parameter Store
Video generating
Check back soon for the video lesson on Secrets Management: Secrets Manager vs Parameter Store
The exam's favorite decision point: when built-in automatic rotation justifies Secrets Manager's cost, and when Parameter Store's free tier is the right call.
Secrets Manager: Rotation Built In
AWS Secrets Manager exists to solve the problem of credentials that need to change on a schedule without breaking every application that depends on them. It supports automatic rotation through AWS-provided or custom Lambda rotation functions, and ships with native rotation templates for RDS, Redshift, and DocumentDB credentials, so rotating a database password on a 30-day schedule takes configuration, not custom code. Secrets Manager also supports cross-account and cross-region secret replication, which matters for multi-account architectures where a shared credential needs to be available in more than one place without manual copying. Pricing reflects the extra capability: you pay per stored secret plus per API call, which is worth weighing against how many secrets you actually need this level of service for.Parameter Store: Cheap Configuration Storage
Systems Manager Parameter Store stores configuration data and secrets as one of three parameter types: plainString, StringList, or KMS-encrypted SecureString. The Standard tier is free, with limits on parameter count, size, and throughput; the Advanced tier is paid and raises those ceilings, adding larger values, higher throughput, and parameter policies (for example, an expiration date on a parameter). The detail that catches people out on the exam: Parameter Store has no built-in automatic rotation. A SecureString parameter is encrypted at rest, but nothing rotates its value for you; if you want scheduled rotation, you have to build and schedule that logic yourself, typically with a Lambda function and an EventBridge rule you own end to end.
The Decision Rule
| Requirement | Choose |
|---|---|
| Automatic rotation needed | Secrets Manager |
| High-value credential (database password, API key for a critical system) | Secrets Manager |
| General application configuration | Parameter Store |
| Lower-cost secret storage, rotation not required | Parameter Store |
Shared Ground
Both services integrate with IAM for fine-grained access control (you can scope a policy down to a single secret or parameter path) and with CloudTrail for audit logging of every read and write. Neither leaves you without visibility into who accessed what and when; the difference is entirely in rotation capability, pricing model, and the intended use case. Exam tip: If a question includes the word "rotation" anywhere in its requirements, Secrets Manager is almost always the answer. If a question is about generic configuration with no rotation or database-credential angle, and cost is emphasized, Parameter Store Standard tier wins on price alone.
- ✓Secrets Manager has built-in automatic rotation, with ready-made Lambda rotation templates for RDS, Redshift, and DocumentDB credentials
- ✓Parameter Store SecureString parameters are KMS-encrypted, but Parameter Store has no built-in rotation: you must build and schedule your own rotation logic
- ✓Parameter Store Standard tier is free; the Advanced tier is paid and adds higher throughput, larger parameter values, and parameter policies
- ✓Secrets Manager supports cross-account and cross-region secret replication out of the box
- ✓Default exam heuristic: use Secrets Manager for anything needing automatic rotation or high-value credentials like database passwords, use Parameter Store for general configuration and lower-cost secret storage
1. A team needs an RDS database password to rotate automatically every 30 days without any custom code. Which service should they use?
2. What is a key limitation of Systems Manager Parameter Store compared to Secrets Manager?
3. A team needs to store 200 non-sensitive application configuration flags with no rotation requirement, at minimal cost. What is the most appropriate choice?
Recommended: Pluralsight
This free course covers the theory. Pluralsight adds structured SCS-C02 learning paths, hands-on AWS security labs, and timed practice exams to make it stick before exam day.