Let's Talk AWS

AWS Secrets Manager vs SSM Parameter Store

Let's talk capabilities and use cases for AWS Secrets Manager & Parameter Store

By George Turner

Mon Apr 15 2024 · less than 3 min read

Overview

AWS Secrets Manager and SSM Parameter Store are both fully managed services provided by AWS for secret and configuration management. Each of these solutions has integrations with a range of other AWS services.

Here are some of the key features and differentiators between these services:

Secrets Manager

Secrets Manager supports automatic secret rotation for other services such as ElastiCache, Amazon DocumentDB, and RDS, which is invaluable for data security. Using the Lambda integration, you can also automate rotation for your other secrets.

As implied by the services it supports, Secrets Manager is primarily used to store database credentials. However, it also supports key/value and plaintext secrets and is frequently used to secure API keys.

All secrets stored within Secrets Manager are encrypted with either an AWS or Customer-owned KMS key.

When retrieving these secrets within your application, you can integrate using the SSM SDK & CLI or the standard Secrets Manager SDK & CLI.

SSM Parameter Store

Parameter Store, on the other hand, is primarily used for configuration management and can store strings, string lists (comma-delimited strings), and secure strings.

As with Secrets Manager, secure strings in Parameter Store are encrypted using AWS or customer-managed KMS keys.

One aspect of Parameter Store that makes for a great developer experience is the folder-style naming structure, which simplifies retrieving all of an application's required parameters. It also streamlines access control in IAM policies, because access patterns can be established for specific projects and environments.

Audit

Secrets Manager and SSM Parameter Store report secret and parameter access to CloudTrail as management events, enabling you to detect and respond to security breaches.
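As an added example (not code from the original post), the sketch below runs a simple detection over CloudTrail records: it flags secret and parameter reads that fall outside the folder-style prefix a role is expected to use. The events are constructed samples, and the role names, prefixes and `ALLOWED` allow-list are hypothetical.

```python
# Constructed CloudTrail management events, trimmed to the fields used below.
ACCT = "111122223333"
SAMPLE_EVENTS = [
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userIdentity": {"arn": f"arn:aws:sts::{ACCT}:assumed-role/orders-prod/i-0abc"},
     "requestParameters": {"secretId": "orders/prod/db"}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "GetParametersByPath",
     "userIdentity": {"arn": f"arn:aws:sts::{ACCT}:assumed-role/orders-prod/i-0abc"},
     "requestParameters": {"path": "/orders/prod", "withDecryption": True}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "GetParameter",
     "userIdentity": {"arn": f"arn:aws:sts::{ACCT}:assumed-role/orders-dev/ci"},
     "requestParameters": {"name": "/orders/prod/api_key", "withDecryption": True}},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCT}:user/alice"},
     "requestParameters": {
         "secretId": f"arn:aws:secretsmanager:eu-west-1:{ACCT}:secret:orders/prod/db-AbCdEf"}},
]
# Hypothetical allow-list: role name -> name prefixes that role is expected to read.
ALLOWED = {"orders-prod": ["orders/prod/"], "orders-dev": ["orders/dev/"]}
READ_CALLS = {"secretsmanager.amazonaws.com": {"GetSecretValue"},
              "ssm.amazonaws.com": {"GetParameter", "GetParameters", "GetParametersByPath"}}

def principal(event):
    """Role name for assumed-role sessions, otherwise the caller's full ARN."""
    arn = (event.get("userIdentity") or {}).get("arn", "unknown")
    return arn.split("/")[1] if ":assumed-role/" in arn else arn

def resources(event):
    """Secret/parameter names requested by one event, without a leading slash."""
    p = event.get("requestParameters") or {}   # CloudTrail may record null here
    names = [p[k] for k in ("secretId", "name") if k in p] + list(p.get("names", []))
    if "path" in p:                            # "/orders/prod" -> "/orders/prod/"
        names.append(p["path"].rstrip("/") + "/")
    out = []
    for n in names:
        for marker in (":secret:", ":parameter/"):  # callers may pass a full ARN
            if n.startswith("arn:") and marker in n:
                n = n.split(marker, 1)[1]
        out.append(n.lstrip("/"))
    return out

def unexpected_reads(events, allowed):
    """(principal, API call, resource) for every read outside the allow-list."""
    findings = []
    for e in events:
        if e.get("eventName") not in READ_CALLS.get(e.get("eventSource"), ()):
            continue
        who = principal(e)
        for res in resources(e):
            if not any(res.startswith(pre) for pre in allowed.get(who, ())):
                findings.append((who, e["eventName"], res))
    return findings
```

A principal that is absent from the allow-list has every read reported, so the IAM user in the sample data is flagged even though the secret it reads sits under a known prefix.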

Conclusion

These services are a great way of ensuring secure access to your secrets and parameters. Each has its use cases and advantages. Using Secrets Manager for database credentials and API keys and Parameter Store for configuration management ensures a seamless and secure experience.