AWS Exam Mastery: Secrets Manager vs. SSM Parameter Store

07 May 2026 - 3 min read

Prepping for the Solutions Architect exam, you are likely to come across questions where both AWS Secrets Manager and SSM Parameter Store are listed as options. On the surface, they both store strings and encrypt data. So, how do you choose?

The exam usually hinges on three "Keywords": Rotation, Cost, and Cross-Account.

The Quick-Decision Matrix

Use this logic to eliminate wrong answers in seconds:

If the question mentions...   | The correct answer is likely...
"Automatic Rotation"          | AWS Secrets Manager
"RDS Integration"             | AWS Secrets Manager
"Cost-effective" / "Free"     | SSM Parameter Store
"Cross-account access"        | AWS Secrets Manager
"Non-sensitive config"        | SSM Parameter Store

1. AWS Secrets Manager: The "Heavy Lifter"

Think of Secrets Manager as a managed service for the entire lifecycle of a secret.

  • Key Exam Scenario: You need to store an RDS password and rotate it every 30 days without human intervention.
  • Why: It has native "out-of-the-box" integration with RDS, Redshift, and DocumentDB. It even handles the Lambda function required to update the database and the secret simultaneously.
  • Cross-Account: If the question involves an application in Account A needing a secret stored in Account B, Secrets Manager makes this significantly easier via resource-based policies.

2. SSM Parameter Store: The "Swiss Army Knife"

Parameter Store is a component of AWS Systems Manager (SSM). It’s designed for general configuration management.

  • Key Exam Scenario: You have 500 configuration settings (like AMI IDs, URL endpoints, or license keys) and want to keep costs at zero.
  • Why: The Standard Tier is free. While it supports SecureString (encrypted via KMS), it does not offer native rotation logic.
  • Hierarchical Storage: A great feature for the exam is the ability to use paths (e.g., /dev/db/port or /prod/db/port). You can then use IAM policies to grant access to an entire "folder" of settings.

Exam "Gotchas" to Watch For

The "SecureString" Confusion

Both services use AWS KMS for encryption. If a question asks how to encrypt a secret in Parameter Store, the answer is always SecureString. Do not be fooled into thinking only Secrets Manager is encrypted.

The Cost Factor

If a question emphasizes minimizing operational overhead and costs for storing thousands of non-rotating secrets, SSM Parameter Store is the winner. Secrets Manager costs $0.40 per secret/month, which adds up quickly at scale.

The Limits

  • Parameter Store (Standard): 4 KB limit per parameter.
  • Secrets Manager: 64 KB limit. If a question mentions a large metadata payload attached to a secret, Secrets Manager is the only choice.

Final "Cheat Sheet" for the Test

  • Rotation required? → Secrets Manager.
  • RDS/Redshift? → Secrets Manager.
  • Simple config/Free? → SSM Parameter Store.
  • SecureString? → Both can do it, but Parameter Store is the usual context for this term.

Practice Question

Scenario: A company needs to store API keys for a third-party service. These keys must be encrypted and must be accessible by applications running in three different AWS accounts. What is the most efficient solution?

  • A) SSM Parameter Store (Standard)
  • B) AWS Secrets Manager
  • C) Store them in an S3 bucket with versioning
  • D) Hardcode them in an Environment Variable

Answer: B. Why? Because Secrets Manager supports native cross-account access via resource-based policies, whereas SSM Parameter Store is primarily account-specific.
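The cross-account setup from the Secrets Manager section and the practice question, as an added example (not part of the original article): a small generator for the three policy documents involved. The function name, account IDs, role names and ARNs are constructed placeholders. The example also shows that the secret must be encrypted with a customer managed KMS key, because the AWS managed key aws/secretsmanager cannot be used from another account.

```python
import json

def cross_account_policies(secret_arn, kms_key_arn, region, consumer_role_arns):
    """Build the three policy documents a cross-account secret read needs."""
    for arn in consumer_role_arns:
        # Refuse wildcards: Principal "*" would expose the secret to any account.
        if "*" in arn or not arn.startswith("arn:aws:iam::"):
            raise ValueError(f"not a specific IAM principal: {arn}")
    principals = {"AWS": sorted(consumer_role_arns)}

    # 1. Resource-based policy attached to the secret in the owning account.
    #    Inside a resource policy, Resource "*" means the secret itself.
    secret_policy = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": principals,
        "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]}

    # 2. Statement to add to the key policy of the customer managed KMS key.
    #    kms:ViaService limits decryption to calls made through Secrets Manager.
    kms_statement = {
        "Sid": "AllowConsumersDecryptViaSecretsManager",
        "Effect": "Allow", "Principal": principals,
        "Action": "kms:Decrypt", "Resource": "*",
        "Condition": {"StringEquals": {
            "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}}}

    # 3. Identity policy for each consumer role, created in its own account.
    #    Cross-account access needs an Allow on both sides.
    consumer_policy = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": secret_arn},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": kms_key_arn}]}
    return secret_policy, kms_statement, consumer_policy

# Constructed sample values: placeholder account IDs, not real resources.
SECRET_ARN = ("arn:aws:secretsmanager:us-east-1:111111111111:"
              "secret:third-party/api-key-AbCdEf")
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:111111111111:"
               "key/00000000-0000-0000-0000-000000000000")
CONSUMERS = ["arn:aws:iam::222222222222:role/app",
             "arn:aws:iam::333333333333:role/app",
             "arn:aws:iam::444444444444:role/app"]

if __name__ == "__main__":
    for doc in cross_account_policies(SECRET_ARN, KMS_KEY_ARN,
                                      "us-east-1", CONSUMERS):
        print(json.dumps(doc, indent=2))
```

The first document is what `aws secretsmanager put-resource-policy` attaches to the secret; its `--block-public-policy` option makes the call fail if the policy would grant broad access.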