The Difference Between AWS Systems Manager Parameter Store and AWS Secrets Manager
Managing application security is essential for enterprises, especially when hosting applications in a public cloud. AWS, the leader in the cloud computing market, provides a range of services to deploy your applications securely in the cloud. Every application needs to maintain configuration data such as application properties, setup data, database connection strings, credentials and API keys, and this configuration data should be kept in a centralised store for ease of management.
Amazon offers two distinct services for this purpose: AWS Systems Manager Parameter Store and AWS Secrets Manager. Both allow you to centrally manage and secure your secret data, and it is often confusing to select the right one for your needs. In this post, we will explore the differences between AWS Systems Manager Parameter Store and AWS Secrets Manager and the right use case for each.
What is AWS Systems Manager Parameter Store?
Parameter Store, an offering of AWS Systems Manager, is a highly scalable, available and durable store that lets you keep and manage configuration data as parameter values. A value can be plain-text data such as a database connection string or a secret such as a password. A stored parameter value can be referenced by its unique name (key) in scripts, commands, SSM documents and automation workflows, and also in the following AWS services:
Amazon Elastic Compute Cloud (Amazon EC2)
Amazon Elastic Container Service (Amazon ECS)
AWS Secrets Manager
It is integrated with AWS Key Management Service (KMS) to encrypt and decrypt stored values, with AWS Identity and Access Management (IAM) to control user and resource access, with Amazon Simple Notification Service (Amazon SNS) and Amazon EventBridge to send automated notifications, and with Amazon CloudWatch and AWS CloudTrail for logging.
What is AWS Secrets Manager?
AWS Secrets Manager lets you rotate, manage and retrieve database credentials, API keys and other secrets throughout their lifecycle with ease. It protects access to your applications and services in the AWS Cloud and on-premises.
In the past, the credentials for accessing a database were embedded in the application. If you wanted to change the database credentials for security reasons, you had to manually update the hardcoded credentials in every application connecting to that database, which is a time-consuming and error-prone process.
AWS Secrets Manager makes life easier by replacing the hardcoded credentials in your application with an API call to Secrets Manager that retrieves the secret programmatically, so you no longer need to hardcode secrets in your code. Secrets Manager can also be scheduled to rotate secrets automatically without impacting your applications, and it lets you rotate secrets on demand.
You no longer need to change database credentials and update applications by hand; AWS Secrets Manager does it automatically. This allows you to use short-lived secrets, which significantly reduces the risk of compromise.
Secrets Manager uses AWS KMS to encrypt your secrets at rest and AWS Identity and Access Management (IAM) policies to control which users and applications can access them. It integrates with AWS CloudTrail, Amazon CloudWatch and Amazon Simple Notification Service (Amazon SNS) for monitoring and notification.
Secrets Manager supports out-of-the-box rotation for the following Amazon RDS databases, using Lambda rotation function templates written and tested by AWS:
Amazon Aurora on Amazon RDS
MySQL on Amazon RDS
PostgreSQL on Amazon RDS
Oracle on Amazon RDS
MariaDB on Amazon RDS
Microsoft SQL Server on Amazon RDS
Secrets Manager also supports out-of-the-box rotation for the following AWS services, using Lambda rotation function templates written and tested by AWS:
Amazon DocumentDB
Amazon Redshift
Secrets Manager can also store secrets for almost any other kind of database or service, but then you have to create and configure a custom Lambda function to rotate the secrets automatically.
AWS Systems Manager Parameter Store vs AWS Secrets Manager
Both are designed to store secrets such as passwords and API keys, and both use the same encryption mechanism (AWS KMS) at rest.
Let’s see the differences between them.
Secrets Rotation: AWS Secrets Manager lets you rotate secrets automatically on a schedule or on demand. You can rotate the secrets of Amazon RDS, Amazon DocumentDB and Amazon Redshift without writing any code, and use a custom Lambda function for other services. AWS Systems Manager Parameter Store doesn’t support secret rotation.
Cross-Account Access: AWS Secrets Manager lets you attach resource-based IAM policies to grant cross-account access. AWS Systems Manager Parameter Store doesn’t support resource-based IAM policies, so cross-account access is not possible.
Encryption: AWS Systems Manager Parameter Store lets you store data either in plain text or encrypted, whereas AWS Secrets Manager stores only encrypted data.
Price and Limits: AWS Systems Manager Parameter Store (Standard type) is free, lets you store up to 10,000 parameters and limits a parameter value to 4 KB, whereas AWS Secrets Manager costs $0.40 per secret per month plus $0.05 per 10,000 API calls for retrieval, lets you store up to 40,000 secrets and limits a secret value to 64 KB.
Random Password Generation: AWS Secrets Manager can generate a random password and store it when the secret is created, whereas AWS Systems Manager Parameter Store has no random password generation.
So far, we have explored the concepts and functions of AWS Systems Manager Parameter Store and AWS Secrets Manager and the differences between them.
Let’s see how to choose the right service for your use case. AWS Systems Manager Parameter Store is the best choice for storing configuration data, including secrets, when there is no requirement for secret rotation.
If there is a requirement for secret rotation or cross-account access, then AWS Secrets Manager is the best choice for storing secrets. AWS Secrets Manager is integrated with AWS Systems Manager Parameter Store: you can retrieve a Secrets Manager secret through Parameter Store, as long as the parameter name begins with the following reserved path: /aws/reference/secretsmanager/<secret_ID>
My recommendation is to use AWS Systems Manager Parameter Store for configuration data and AWS Secrets Manager for secret data, implement rotation with a custom Lambda function where it is not supported out of the box, and reference the secrets from AWS Systems Manager Parameter Store using the reserved path /aws/reference/secretsmanager/<secret_ID>.
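As an added illustration (not code from the original post), the following Python models the pattern described above: a "replace hardcoded credentials with a lookup" loader that reads plain configuration from Parameter Store and follows the /aws/reference/secretsmanager/ reserved path into Secrets Manager. The two in-memory dictionaries are constructed stand-ins for the AWS services, the parameter and secret names are made up, and the IAM action mapping in required_actions is an assumption about what the caller's policy must allow, not something stated in the post.

```python
import json

SECRETS_MANAGER_PREFIX = "/aws/reference/secretsmanager/"

# Constructed sample data standing in for the two services (not real values).
# Parameter Store entries: name -> (type, value); SecureString is decrypted on read.
PARAMETER_STORE = {
    "/myapp/prod/db/host": ("String", "db.example.internal"),
    "/myapp/prod/db/port": ("String", "5432"),
    "/myapp/prod/api/key": ("SecureString", "api-key-example"),
}
# Secrets Manager entries: secret ID -> JSON string, the shape the RDS rotation templates use.
SECRETS_MANAGER = {
    "myapp/prod/db": json.dumps({"username": "app", "password": "p4ss-example"}),
}


def get_parameter(name, with_decryption=True):
    """Mimics SSM GetParameter, including the hand-off to Secrets Manager for the reserved path."""
    if name.startswith(SECRETS_MANAGER_PREFIX):
        secret_id = name[len(SECRETS_MANAGER_PREFIX):]
        if not secret_id:
            raise ValueError("reserved path must be followed by a secret ID")
        if secret_id not in SECRETS_MANAGER:
            raise KeyError(f"secret not found: {secret_id}")
        return {"Name": name, "Type": "SecureString", "Value": SECRETS_MANAGER[secret_id]}
    if name not in PARAMETER_STORE:
        raise KeyError(f"parameter not found: {name}")
    ptype, value = PARAMETER_STORE[name]
    if ptype == "SecureString" and not with_decryption:
        value = "<ciphertext>"  # without decryption the caller only gets the encrypted blob
    return {"Name": name, "Type": ptype, "Value": value}


def required_actions(names):
    """IAM actions the caller needs to read these names (assumed mapping, see lead-in)."""
    actions = {"ssm:GetParameter"}
    for name in names:
        if name.startswith(SECRETS_MANAGER_PREFIX):
            actions.add("secretsmanager:GetSecretValue")
        elif PARAMETER_STORE.get(name, ("", ""))[0] == "SecureString":
            actions.add("kms:Decrypt")
    return actions


def load_db_config(env="prod"):
    """Assemble a DB config with no hardcoded credentials; a rotation needs no code change."""
    host = get_parameter(f"/myapp/{env}/db/host")["Value"]
    port = int(get_parameter(f"/myapp/{env}/db/port")["Value"])
    creds = json.loads(get_parameter(f"{SECRETS_MANAGER_PREFIX}myapp/{env}/db")["Value"])
    return {"host": host, "port": port, **creds}
```

Because the application only knows the parameter names, rotating the secret in Secrets Manager changes what load_db_config returns on the next call without any change to the application code.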