Managing Application Configuration Data in AWS



AWS provides two options for centrally storing and managing application configuration data.

Secrets Manager:

It was created primarily for encrypting private information (such database credentials and API keys), therefore encryption is enabled by default when creating a secret entry. It also has other features, such as key rotation.

Parameter Store:

The Systems Manager Parameter Store was designed to manage a wider range of data like passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values and other application configuration variables.


CloudFormation Integration:

Because CloudFormation is an Infrastructure as a Code paradigm, putting secrets in it is a terrible security practice. You may store secrets (such as database credentials) in Parameter Store or Secrets Manager, which can then be accessed in a CloudFormation template so that you just have a pointer to the value rather than storing it in plaintext.


AWS KMS may be used to encrypt values in both Secrets Manager and Parameter Store. IAM policies may be established to govern which IAM users and roles have authority to decrypt the value by utilising KMS. Though IAM can restrict access to the values, encryption adds an extra degree of protection and is sometimes necessary for compliance.


Secret values can be versioned in both services. This allows you to go back and look at past versions of your secret settings if you require them. You have the option of reverting to the previous version of the parameter. At any one moment, only one version of the parameter can be active in Parameter Store, when utilising the staging labels to execute a secret rotation, Secrets Manager allows numerous versions to exist at the same time.

Key/value Store:

In both services, you may save values under a name or a key. Both support prefixes on the keys, parameters or secrets, for example, can be kept in the schema "app/environment/name" or any other combination of prefixes that the application demands. This is advantageous because, depending on the deployment environment, the application can refer to different parameters/secrets.


Password Generation:

There are a couple of distinctions between the two. The first distinction is that AWS Secrets Manager uses the AWS CLI or SDK to generate random secrets. Because RDS requires a master username and password, you may generate a random password and use it in the RDS settings when using a CloudFormation template to build a new RDS instance. Only Database Admins using CloudFormation may access the login and password, which can be preserved in an AWS Secrets Manager secret.

Password creation is important in apps as well as CloudFormation templates. Random strings can only be found in AWS Secrets Manager; they are not in SSM Parameter Store.


Secrets Manager:It's a paid service. The cost of storing is $0.40 per secret per month, and the cost of API interactions is $0.05 every 10,000 API requests.

Parameters Store: There is no additional price for storage or normal throughput when using standard parameters. API interactions cost $0.05 per 10,000 API requests for increased throughput. The cost of storing advanced parameters is $0.05 per advanced parameter per month, while the cost of API interactions is $0.05 every 10,000 API requests.

Secrets Rotation:

Secrets Manager: It allows you to switch secrets at any moment and can be set to rotate on a regular basis, depending on your needs. It supports complete key rotation with a few AWS services, including RDS, Redshift, and DocumentDB. You may use an AWS Lambda function to implement custom key rotation logic for other services.

Parameter Store: You may change credentials handled by Parameter Store by writing your own function and calling it via a CloudWatch scheduled event or EventBridge.

Cross-account Access:

Secrets Manager: Secrets are accessible with another AWS account. It's a lot easier to share secret across accounts. This is advantageous if secrets are maintained centrally from another AWS account or if a client wishes to share a specific secret with a partner.

Parameter Store:Cross-account access is not supported in Parameter Store.

Secret Size:

Size is also important factor for selecting which one to use, Secrets Manager can store up to 10KB secret size. Parameter Store can store up to 4KB for each entry and Advance parameter can store up to 8KB

Multi Region Replication

Secrets Manager: It allows you to effortlessly duplicate your secrets across several AWS Regions to enable distributed applications and disaster recovery situations.

Parameter Store: It doesn’t support cross region replication.

Final Thoughts:

Both services are extremely beneficial to the AWS ecosystem, allowing for more efficient solutions and application deployment on AWS. Let us know if you have any queries about these or any AWS services. We'd love to talk with you about how Classmethod can assist your company with their AWS cloud migration. Click here to contact us and find out more about our services.