AWS (Secrets Manager vs. Parameter Store)

Sherif Abdalla
5 min read · Aug 17, 2019


Amazon Web Services (AWS) offers a variety of services covering almost every infrastructure requirement. Among the most popular are AWS Secrets Manager, Parameter Store, and KMS. These three services have differences and some similarities, as discussed below.

Pricing

AWS Secrets Manager

Secrets Manager is a managed AWS service. According to Amazon, it costs $0.40 per secret per month and $0.05 per 10,000 API calls. This means that if you store 100 secrets (for example, API keys), you pay $40 per month; if you retrieve secret values with 40,000 API calls a month, you pay a further $0.20.

You’re not billed for using the default encryption key that Secrets Manager creates for you. You’re billed for your use of CMKs that you create.

Parameter Store

Initially this service was simply called Parameter Store, but it has since become a feature of AWS Systems Manager. Surprisingly, there is no cost attached to it: the service is offered free of charge.

KMS

The Key Management Service (KMS) is another AWS service. It makes it easy for AWS customers to create and manage keys and to control their use for encryption across other AWS services. KMS is more secure and highly resilient because it uses hardware security modules validated under FIPS 140-2. Whether the key was generated by KMS or uses key material you imported, the cost is $1 per month, and it is charged until you delete the key yourself.

Beyond pricing, let us look more closely at the technical differences between the three services.

Differences in Technical Details

Generation of Passwords

Password generation is similar across the three services, with slight variations. First, AWS Secrets Manager can generate a random password on demand through the AWS CLI or the SDK. For instance, when you create an RDS instance from a CloudFormation template, you can have a random password generated and then reference it in the RDS configuration, since RDS only requires a master username and a password.
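The API behind this is Secrets Manager's GetRandomPassword (aws secretsmanager get-random-password in the CLI); its knobs are a length, characters to exclude, switches to drop whole character classes, and a switch requiring at least one character of every included class. The Python below is an added example, not AWS code and not from the original post: a local generator with the same knobs built on the standard secrets module, plus a checker that verifies a password against the same policy. It also shows what the ExcludeCharacters knob is usually for: an RDS master password may not contain /, " or @, so those are the characters typically excluded.

```python
import secrets
import string

# Character classes matching the exclusion switches of GetRandomPassword
# (ExcludeUppercase, ExcludeLowercase, ExcludeNumbers, ExcludePunctuation).
CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "numbers": string.digits,
    "punctuation": string.punctuation,
}

# Characters an RDS master password may not contain; passing them as
# ExcludeCharacters is the usual reason that knob exists.
RDS_FORBIDDEN = '/"@'


def generate_password(length=32, exclude_characters="", exclude_classes=(),
                      require_each_included_type=True):
    """Local stand-in for GetRandomPassword (constructed for this example, not the
    AWS implementation): draws from the allowed classes minus excluded characters
    with a CSPRNG, optionally guaranteeing one character of every included class."""
    pools = []
    for name, chars in CLASSES.items():
        if name in exclude_classes:
            continue
        pool = [c for c in chars if c not in exclude_characters]
        if pool:
            pools.append(pool)
    if not pools:
        raise ValueError("every character class was excluded")
    if require_each_included_type and length < len(pools):
        raise ValueError("length too short to include one character of each class")
    alphabet = [c for pool in pools for c in pool]
    chosen = [secrets.choice(pool) for pool in pools] if require_each_included_type else []
    chosen += [secrets.choice(alphabet) for _ in range(length - len(chosen))]
    secrets.SystemRandom().shuffle(chosen)  # guaranteed characters must not always lead
    return "".join(chosen)


def check_password(password, exclude_characters="", exclude_classes=(),
                   require_each_included_type=True):
    """Verify a generated (or supplied) password against the same policy.
    Returns a list of violations; an empty list means the password complies."""
    problems = [f"forbidden character {c!r}"
                for c in sorted(set(password) & set(exclude_characters))]
    for name, chars in CLASSES.items():
        present = any(c in chars for c in password)
        if name in exclude_classes and present:
            problems.append(f"excluded class {name} present")
        elif name not in exclude_classes and require_each_included_type and not present:
            if set(chars) - set(exclude_characters):  # class still has usable characters
                problems.append(f"required class {name} missing")
    return problems
```

Generating and then checking in the same run is not redundant: the checker is what you would run on passwords that arrive from elsewhere (a CloudFormation dynamic reference, a migrated secret) before handing them to RDS.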

Where password generation is concerned, Parameter Store relies on what is called a “Parameter Store IAM policy”. Such a policy is usually used to grant access to secrets whose names match a given pattern. Parameter Store natively supports hierarchies, so permissions can be granted on a whole directory of secrets.

KMS, on the other hand, does not generate passwords; it uses its hardware security modules to create and protect keys. A key generated this way is more secure and can protect data from unauthorized access.

Ability to rotate the secret

The next technical difference between the three services is the ability to rotate a secret to increase security. AWS Secrets Manager, for instance, offers full-circle rotation integration with RDS: it can rotate the secret and apply the new password in RDS. For services other than RDS, AWS lets you write custom rotation logic as an AWS Lambda function.
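The following Python is an added example, not code from the post or from AWS's rotation templates, although it follows their four-step shape. It models the rotation handshake: Secrets Manager invokes the Lambda function once per step (createSecret, setSecret, testSecret, finishSecret) with the same ClientRequestToken, the new value lives under the AWSPENDING staging label until it has been proven to work against the database, and finishSecret promotes it by moving the AWSCURRENT label. The FakeSecretsManager and FakeDatabase classes are in-memory stand-ins constructed for the example; the step names, staging labels and client method names are the real ones, but the fake omits service-side checks (such as RotationEnabled) that a production function also performs.

```python
import json
import secrets
import string
import uuid


class FakeSecretsManager:
    """In-memory stand-in for the boto3 'secretsmanager' client (constructed for
    this example); implements only the calls a rotation function uses."""

    def __init__(self, secret_id, initial_secret):
        self.secret_id = secret_id
        first = str(uuid.uuid4())
        self.values = {first: json.dumps(initial_secret)}  # version id -> SecretString
        self.stages = {first: {"AWSCURRENT"}}               # version id -> staging labels

    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {v: sorted(s) for v, s in self.stages.items()}}

    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        for vid, labels in self.stages.items():
            if (VersionId is None or vid == VersionId) and (VersionStage is None or VersionStage in labels):
                return {"VersionId": vid, "SecretString": self.values[vid]}
        raise LookupError("ResourceNotFoundException")  # stands in for the boto3 exception

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.values[ClientRequestToken] = SecretString
        self.stages[ClientRequestToken] = set(VersionStages)

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.stages[RemoveFromVersionId].discard(VersionStage)
        self.stages[MoveToVersionId].add(VersionStage)
        if VersionStage == "AWSCURRENT":
            # Like the service: AWSPREVIOUS follows the version AWSCURRENT was removed from.
            for labels in self.stages.values():
                labels.discard("AWSPREVIOUS")
            self.stages[RemoveFromVersionId].add("AWSPREVIOUS")


class FakeDatabase:
    """Stand-in for the RDS instance whose master password is being rotated."""

    def __init__(self, username, password):
        self.username, self.password = username, password

    def authenticate(self, username, password):
        return username == self.username and secrets.compare_digest(password, self.password)

    def set_password(self, username, current_password, new_password):
        if not self.authenticate(username, current_password):
            raise PermissionError("current credentials rejected")
        self.password = new_password


def lambda_handler(event, context, client, db):
    """Rotation function shape: one invocation per step, every step idempotent,
    all steps working on the version identified by the ClientRequestToken."""
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    stages = client.describe_secret(SecretId=arn)["VersionIdsToStages"]
    if "AWSCURRENT" in stages.get(token, []):
        return  # this token was already promoted; a retried invocation is a no-op
    current = json.loads(client.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")["SecretString"])

    if step == "createSecret":
        try:
            client.get_secret_value(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")
        except LookupError:  # no pending value yet (the AWS template calls GetRandomPassword here)
            alphabet = string.ascii_letters + string.digits
            pending = dict(current, password="".join(secrets.choice(alphabet) for _ in range(32)))
            client.put_secret_value(SecretId=arn, ClientRequestToken=token,
                                    SecretString=json.dumps(pending), VersionStages=["AWSPENDING"])
    elif step == "setSecret":
        pending = json.loads(client.get_secret_value(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")["SecretString"])
        if not db.authenticate(pending["username"], pending["password"]):  # skip if a retry already applied it
            db.set_password(current["username"], current["password"], pending["password"])
    elif step == "testSecret":
        pending = json.loads(client.get_secret_value(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")["SecretString"])
        if not db.authenticate(pending["username"], pending["password"]):
            raise RuntimeError("pending credentials do not work; refusing to promote them")
    elif step == "finishSecret":
        current_vid = client.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")["VersionId"]
        client.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                           MoveToVersionId=token, RemoveFromVersionId=current_vid)
    else:
        raise ValueError(f"unknown rotation step {step!r}")


def rotate(client, db, secret_id):
    """Drive the four steps in the order Secrets Manager invokes them and return the new AWSCURRENT value."""
    token = str(uuid.uuid4())
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        lambda_handler({"SecretId": secret_id, "ClientRequestToken": token, "Step": step}, None, client, db)
    return json.loads(client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")["SecretString"])
```

The order of testSecret before finishSecret is the point of the protocol: clients that read the AWSCURRENT label never see a password that has not been verified against the database, and if testSecret fails the old credentials stay current.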

Parameter Store, on the other hand, only allows the values it already stores to be encrypted with KMS. Parameter Store holds both secret and non-secret data, but during rotation it only encrypts the confidential data, which ensures it is not disclosed to unauthorized parties.

KMS is integrated with the AWS Encryption SDK, which lets its users protect data with KMS-protected encryption keys. This means the need to generate secrets yourself is minimal.

Cross-Account Access Differences

Another distinct technical difference is cross-account access. AWS Secrets Manager differs from Parameter Store in that its secrets can be accessed from another account. For instance, an IAM principal or application resource in one account can access a secret stored in another AWS account. This is useful where two AWS account holders want to share a specific secret.
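Two policies decide whether such a cross-account read works and how widely the secret is exposed: the secret's own resource policy and the key policy of the customer managed KMS key that encrypts it. In AWS's documented pattern the other account's principal needs secretsmanager:GetSecretValue on the secret and kms:Decrypt on the key (the AWS managed key aws/secretsmanager cannot be used for cross-account access), and the usual hardening is a kms:ViaService condition so the key can only be used through Secrets Manager. The Python below is an added example, not from the post or from AWS: a small reviewer that reads both policies and reports who can read the secret, a public grant, a missing Decrypt, or a missing ViaService condition. The policies, role names and account ids are constructed sample input.

```python
import fnmatch


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def _account_of(principal):
    """Account id of an AWS principal: '*', a bare account id, or the fifth ARN
    field (arn:aws:iam::111122223333:role/name)."""
    if principal == "*":
        return "*"
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 and parts[4] else principal


def _allows(stmt, action):
    """Does this Allow statement cover the action (exact, 'service:*' or other wildcard)?"""
    if stmt.get("Effect") != "Allow":
        return False
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(stmt.get("Action")))


def _has_condition_key(stmt, key):
    return any(key in keys for keys in stmt.get("Condition", {}).values())


def review_cross_account(secret_policy, key_policy, owner_account):
    """Return the accounts allowed to read the secret and a list of findings."""
    findings, readers = [], set()
    for stmt in _as_list(secret_policy.get("Statement")):
        if not _allows(stmt, "secretsmanager:GetSecretValue"):
            continue
        for principal in _principals(stmt):
            if principal == "*" and not stmt.get("Condition"):
                findings.append("CRITICAL: GetSecretValue granted to Principal '*' with no "
                                "Condition; any AWS principal can read the secret")
            readers.add(_account_of(principal))
    decrypters = {}
    for stmt in _as_list(key_policy.get("Statement")):
        if _allows(stmt, "kms:Decrypt"):
            for principal in _principals(stmt):
                decrypters.setdefault(_account_of(principal), []).append(stmt)
    for account in sorted(a for a in readers if a not in (owner_account, "*")):
        stmts = decrypters.get(account) or decrypters.get("*")
        if not stmts:
            findings.append(f"ERROR: account {account} may call GetSecretValue but the key "
                            "policy grants it no kms:Decrypt; the read will fail")
        elif not any(_has_condition_key(s, "kms:ViaService") for s in stmts):
            findings.append(f"WARN: kms:Decrypt for account {account} lacks a kms:ViaService "
                            "condition limiting key use to Secrets Manager")
    return {"readers": sorted(readers), "findings": findings}


# Constructed sample policies; account ids and role names are placeholders.
OWNER = "111122223333"
PARTNER_ROLE = "arn:aws:iam::444455556666:role/partner-app"
SECRET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": PARTNER_ROLE},
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "*",  # in a secret's resource policy this denotes the secret itself
    }],
}
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{OWNER}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Effect": "Allow", "Principal": {"AWS": PARTNER_ROLE},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
         "Condition": {"StringEquals": {"kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"}}},
    ],
}
PUBLIC_SECRET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "secretsmanager:*", "Resource": "*"}],
}
```

Running review_cross_account(SECRET_POLICY, KEY_POLICY, OWNER) reports the partner account as the only reader with no findings; swapping in PUBLIC_SECRET_POLICY, or a key policy without the partner's Decrypt grant, produces the CRITICAL and ERROR findings respectively. The same two checks are worth running from a pipeline whenever either policy changes.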

KMS, on the other hand, does not offer account sharing. Its keys are centralized and present a single control point, which defines policies and ensures consistent enforcement across all AWS services.

Security

AWS manages the safety of all credentials stored in Secrets Manager together with IAM access control. Additionally, for further protection, Secrets Manager is integrated with AWS KMS, which encrypts the stored data.

Parameter Store is not significantly different from Secrets Manager here. Its security is tied to IAM in the AWS account. All requests for data access are made through the API or CLI. Once an application is set up, keys are generated from the console, and secret rotation does not happen unless you build it yourself.

KMS, on the other hand, has its hardware modules thoroughly validated for security. KMS keys are only used inside the device that holds them and never leave it unencrypted. It is also worth noting that KMS keys cannot be shared outside the AWS region in which they were created.

Similarities between AWS Secrets Manager, Parameter Store, and KMS

Even though there are differences between the three AWS services, we cannot fail to note some similarities.

Encryption options

All of the above services rely on AWS KMS to encrypt values. They are all configured with KMS and IAM policies that control which IAM users and roles are permitted to decrypt values. Even when access to the values is already restricted through IAM, encryption adds a further layer of security to all three services.

Value store similarities

AWS Secrets Manager, Parameter Store, and KMS all provide a way to store values under a key or name. These services can store values of up to 4096 characters and allow keys to carry prefixes. This is useful because application deployments often prefer to reference different parameters depending on the deployed environment.

Hashicorp Vault Enterprise

Hashicorp Vault is an AWS service with use cases such as secret management and data encryption. Secret management in Vault Enterprise primarily stores, accesses, and shares secrets such as certificates, tokens, encryption keys, and passwords. Data encryption, on the other hand, keeps application data secure with the help of centralized keys and IPS. Vault therefore works by controlling access to secrets, authenticating against trusted sources such as Kubernetes, cloud platforms, Active Directory, Cloud Foundry, and LDAP.

Conclusion

You now have the information to pick the best service for storing your data. Whatever you decide, you must choose a vault for your credentials. In this regard, consider Hashicorp Vault Enterprise: its services are reliable and more secure, and it integrates very well with Terraform.
