SSM Parameter Store vs Secrets Manager

Similarities

  • Both of these services offer a solution to store values under a name or key.

  • Similar to S3 object keys, both SSM Parameter Store and Secrets Manager let you organize names with prefixes.

  • SSM Parameter Store gives you the option to store a value in plaintext or to encrypt it with a KMS key.

    • Secrets Manager, by contrast, only stores encrypted data.

  • Values from both services are referenceable in CloudFormation templates, allowing you to avoid hard-coding secrets or other dynamic values.

Differences

  • Secrets Manager is able to generate random secrets (like passwords).

  • Another feature unique to Secrets Manager is the ability to rotate the secret value.

    • Out of the box, Secrets Manager provides full rotation integration with RDS.

      • Secrets Manager can rotate the credential and actually apply the new password in RDS for you.

    • For services other than RDS, AWS allows you to write custom rotation logic using an AWS Lambda function.

  • There are no additional charges for using SSM Parameter Store.

    • On the other hand, Secrets Manager does incur additional costs.

  • Secrets Manager can share secrets across AWS accounts by attaching resource-based policies.
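As an added example (not from the original page), this CloudFormation template ties together the CloudFormation point above and the RDS rotation point: it reads a non-secret value from SSM Parameter Store through a template parameter, lets Secrets Manager generate the database password, resolves it with a dynamic reference, and turns on the built-in RDS rotation. The parameter and secret names are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::SecretsManager-2020-07-23   # needed for HostedRotationLambda below
Description: Added example - SSM Parameter Store and Secrets Manager used from one stack
Parameters:
  DbEngineVersion:
    # Non-secret value read from a plain SSM String parameter (assumed name) at deploy time
    Type: AWS::SSM::Parameter::Value<String>
    Default: /demo/db/engine-version

Resources:
  # Secrets Manager generates the password; it never appears in the template or stack parameters
  DbSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: /demo/db/master   # assumed secret name
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'

  DbInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql
      EngineVersion: !Ref DbEngineVersion
      DBInstanceClass: db.t3.micro
      AllocatedStorage: "20"
      # Dynamic references are resolved by CloudFormation; the password is not echoed back in stack output
      MasterUsername: !Join ['', ['{{resolve:secretsmanager:', !Ref DbSecret, ':SecretString:username}}']]
      MasterUserPassword: !Join ['', ['{{resolve:secretsmanager:', !Ref DbSecret, ':SecretString:password}}']]

  # Links secret and instance so the RDS rotation integration knows which database to update
  SecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DbSecret
      TargetId: !Ref DbInstance
      TargetType: AWS::RDS::DBInstance
  # Built-in rotation: Secrets Manager hosts the Lambda and applies the new password in RDS
  DbSecretRotation:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretAttachment
    Properties:
      SecretId: !Ref DbSecret
      HostedRotationLambda:
        RotationType: MySQLSingleUser
      RotationRules:
        AutomaticallyAfterDays: 30
```

When the database sits in a VPC, the hosted rotation Lambda also needs VpcSecurityGroupIds and VpcSubnetIds under HostedRotationLambda so it can reach the instance.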
