If you build on AWS long enough, you’ll eventually face the same question: Where should we store secrets and configuration? Keeping stuff in a local env file or applications.properties means either those files are going to get checked in, or even worse, casually shared between engineers. And what if your builds are made in a completely different place?
The two usual answers are AWS Secrets Manager and AWS Systems Manager Parameter Store.
They overlap, but they solve different problems. More importantly, they can fit into a natural maturity path as your system grows. This post explains the differences, the real meaning of Parameter Store’s “low throughput,” and how teams often start simple and evolve safely.
The Big Picture Difference
At a high level:
- Secrets Manager is a credential lifecycle service
- Parameter Store is a configuration service that can store secrets
That distinction matters more than most feature checklists.
AWS Secrets Manager: Designed for Credential Hygiene
Secrets Manager exists to solve one core problem: secrets that must change.
What it does well
- Automatic rotation (especially for RDS, Aurora, Redshift)
- Strong auditability and versioning
- First-class integrations with AWS SDKs and services
- KMS encryption by default
Typical use cases
- Database usernames and passwords
- Third-party API tokens
- OAuth client secrets
- Any secret with an expiration policy
Cost reality
You pay per secret and per API call. That’s intentional—you’re paying for automation, rotation, and managed lifecycle guarantees.
Secrets Manager is the right tool when a leaked or stale secret would be a serious incident.
SSM Parameter Store: Configuration First, Secrets Second
Parameter Store is fundamentally about configuration management. Secrets are a supported feature, not the primary mission.
What it does well
- Simple hierarchical naming (
/prod/app/db/host) - Secure storage with
SecureString+ KMS - Extremely low cost (standard parameters are free)
- Deep integration with EC2, ECS, EKS, and Lambda
Typical use cases
- Environment-specific configuration
- Feature flags
- Service endpoints
- Secrets that change rarely
The Growth Path: Start with Parameter Store, Graduate to Secrets Manager
This is the part many teams miss.
It is completely reasonable—and often smart—to start with Parameter Store.
Early-stage systems usually have:
- Few secrets
- Low request volume
- Minimal rotation requirements
- Strong pressure to keep costs down
Parameter Store lets you:
- Centralize configuration
- Encrypt sensitive values
- Keep your architecture simple
As your system matures, signals appear:
- Credentials need regular rotation
- Security reviews demand tighter controls
- More engineers touch infrastructure
- Blast radius becomes a concern
That’s when you promote specific values into Secrets Manager.
You don’t “migrate everything.”
You move credentials, not configuration.
This incremental approach avoids premature complexity while keeping a clean upgrade path.
The Truth About “Lower Throughput” in Parameter Store
You’ll often hear that Parameter Store has “low throughput.” That’s technically true—but often misunderstood.
What the limits actually mean
- Standard parameters: ~40 requests per second per account (shared)
- Advanced parameters: much higher throughput
- Limits are regional, not per application
Now here’s the key point:
Why this usually doesn’t matter
Most well-designed applications:
- Load parameters at startup
- Cache them in memory
- Refresh them infrequently
In that model, Parameter Store is never the bottleneck.
When it does matter
You may hit limits if:
- You fetch parameters on every request
- You have large Lambda fan-out without caching
- You treat Parameter Store like a real-time database
Those are architectural smells, not service failures.
If you need high-frequency secret reads, Secrets Manager—or better caching—is the correct fix.
Head-to-Head Comparison
| Feature | Secrets Manager | Parameter Store |
|---|---|---|
| Primary role | Credential lifecycle | App configuration |
| Encryption | KMS by default | KMS (SecureString) |
| Automatic rotation | ✅ Yes | ❌ No |
| Throughput | High | Lower (standard tier) |
| Cost | Per secret + API calls | Mostly free |
| Best for | Rotating credentials | Static config & light secrets |
A Practical Decision Framework
Ask these questions:
- Does this value need rotation?
→ Secrets Manager - Is this loaded at startup and cached?
→ Parameter Store is fine - Would a leak be catastrophic?
→ Secrets Manager - Is cost a concern at scale?
→ Parameter Store first
Most production systems end up using both, intentionally.
Final Takeaway
The mistake isn’t choosing Parameter Store or Secrets Manager.
The mistake is thinking you must choose one forever.
Start simple.
Use Parameter Store for configuration.
Graduate credentials to Secrets Manager when the risk profile changes.
That’s not cutting corners—that’s engineering maturity.
Leave a Reply
You must be logged in to post a comment.