# Secrets Manager vs SSM Parameter Store

Exam hook: These two services overlap, and the exam will ask you to choose the right one for a given scenario.
## Side-by-Side Comparison

| Feature | Secrets Manager | SSM Parameter Store |
|---|---|---|
| Primary use | Application secrets (DB passwords, API keys) | Configuration and secrets |
| Automatic rotation | Yes, native (RDS, Redshift, DocumentDB, custom Lambda) | No, manual (custom Lambda) |
| Cost | $0.40/secret/month + API calls | Free (Standard); $0.05/parameter/month (Advanced) |
| Max value size | 64KB | 4KB (Standard), 8KB (Advanced) |
| Cross-account | Yes, via resource policy | Limited |
| Versioning | Yes (AWSCURRENT, AWSPREVIOUS, AWSPENDING staging labels) | Yes (by version number or label) |
| Encryption | KMS (required) | KMS, SecureString parameters only (String and StringList are stored unencrypted) |
| AWS SDK | Secrets Manager client (GetSecretValue) | SSM client (GetParameter, GetParametersByPath) |
## Secrets Manager: Deep Dive

### Secret Rotation

Application reads secret → AWSCURRENT version

Rotation triggers the rotation Lambda, which runs four steps:
1. CreateSecret → generate new credentials (stored as AWSPENDING)
2. SetSecret → update the credentials in the database
3. TestSecret → verify the new credentials work
4. FinishSecret → promote AWSPENDING → AWSCURRENT; the old AWSCURRENT is demoted to AWSPREVIOUS
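The four rotation steps above as a rotation Lambda handler, added here as an example (not code from the original page). It assumes the AWS SDK for Java 2.x plus aws-lambda-java-core; the database-specific SetSecret/TestSecret steps are left to a subclass, and the class name `RotationHandler`, the 32-character password length and the excluded characters are assumptions.

```java
import java.util.Map;
import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestHandler;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.DescribeSecretResponse;
import software.amazon.awssdk.services.secretsmanager.model.ResourceNotFoundException;

// Secrets Manager invokes the rotation Lambda once per step with the event
// {"SecretId": <arn>, "ClientRequestToken": <id of the new version>, "Step": "createSecret" | ...}
public abstract class RotationHandler implements RequestHandler<Map<String, String>, Void> {
    private static final String PENDING = "AWSPENDING", CURRENT = "AWSCURRENT";
    private final SecretsManagerClient sm = SecretsManagerClient.create(); // reused by warm invocations

    // Database-specific steps 2 and 3, assumed to be implemented by a subclass (e.g. ALTER USER over JDBC)
    protected abstract void setSecret(String pendingSecretString);
    protected abstract void testSecret(String pendingSecretString);
    @Override
    public Void handleRequest(Map<String, String> event, Context ctx) {
        String arn = event.get("SecretId"), token = event.get("ClientRequestToken");
        DescribeSecretResponse meta = sm.describeSecret(b -> b.secretId(arn));
        var stages = meta.versionIdsToStages().get(token);
        // Act only on a version that Secrets Manager itself registered for this rotation
        if (!Boolean.TRUE.equals(meta.rotationEnabled()) || stages == null) {
            throw new IllegalStateException("rotation not enabled or unknown version " + token);
        }
        if (stages.contains(CURRENT)) return null; // already promoted: this invocation is a retry
        switch (event.get("Step")) {
            case "createSecret" -> createSecret(arn, token);
            case "setSecret" -> setSecret(pending(arn, token));
            case "testSecret" -> testSecret(pending(arn, token));
            case "finishSecret" -> finishSecret(arn, token, meta);
            default -> throw new IllegalArgumentException("unknown step " + event.get("Step"));
        }
        return null;
    }
    private String pending(String arn, String token) { return sm.getSecretValue(b -> b.secretId(arn).versionId(token).versionStage(PENDING)).secretString(); }

    // Step 1, idempotent: a retry must not overwrite an AWSPENDING value that was already generated
    private void createSecret(String arn, String token) {
        try { pending(arn, token); return; } catch (ResourceNotFoundException e) { /* first attempt */ }
        String fresh = sm.getRandomPassword(b -> b.passwordLength(32L).excludeCharacters("\"'@/\\")).randomPassword();
        sm.putSecretValue(b -> b.secretId(arn).clientRequestToken(token).secretString(fresh).versionStages(PENDING));
    }
    // Step 4: move AWSCURRENT onto the new version; Secrets Manager relabels the old version AWSPREVIOUS itself
    private void finishSecret(String arn, String token, DescribeSecretResponse meta) {
        String current = meta.versionIdsToStages().entrySet().stream()
                .filter(e -> e.getValue().contains(CURRENT)).map(Map.Entry::getKey).findFirst().orElseThrow();
        sm.updateSecretVersionStage(b -> b.secretId(arn).versionStage(CURRENT).moveToVersionId(token).removeFromVersionId(current));
    }
}
```

The Lambda's execution role needs only secretsmanager:DescribeSecret, GetSecretValue, PutSecretValue, UpdateSecretVersionStage and GetRandomPassword on that one secret, so scope the policy to the secret's ARN.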
### Java: Reading a Secret

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;

SecretsManagerClient client = SecretsManagerClient.create();
// Without a versionStage, GetSecretValue returns the AWSCURRENT version
GetSecretValueResponse response = client.getSecretValue(
        GetSecretValueRequest.builder()
                .secretId("prod/myapp/db-password")
                .build());
String secretString = response.secretString();

// Or parse as JSON for structured secrets (Jackson ObjectMapper; DbConfig is the application's own POJO)
ObjectMapper objectMapper = new ObjectMapper();
var dbConfig = objectMapper.readValue(secretString, DbConfig.class);
```
### Caching (Important for Lambda!)

```java
// Use the caching client so warm invocations do not call Secrets Manager every time
// Maven: com.amazonaws.secretsmanager:aws-secretsmanager-caching-java (2.x works with SDK v2 clients)
import com.amazonaws.secretsmanager.caching.SecretCache;
import com.amazonaws.secretsmanager.caching.SecretCacheConfiguration;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;

// Create the cache once, outside the handler, so it survives across warm invocations
SecretCacheConfiguration config = new SecretCacheConfiguration()
        .withClient(SecretsManagerClient.create())
        .withMaxCacheSize(1000)
        .withCacheItemTTL(3600000L); // refresh after one hour (milliseconds)
SecretCache cachingClient = new SecretCache(config);

String secret = cachingClient.getSecretString("prod/myapp/db-password");
```
## SSM Parameter Store: Deep Dive

### Parameter Types

| Type | Description |
|---|---|
| String | Plain text, no encryption |
| StringList | Comma-separated list |
| SecureString | Encrypted with KMS |
### Parameter Tiers

| Tier | Max size | Advanced features | Cost |
|---|---|---|---|
| Standard | 4KB | No | Free |
| Advanced | 8KB | Parameter policies, larger values | $0.05/parameter/month |
### Java: Reading Parameters

```java
import software.amazon.awssdk.services.ssm.SsmClient;
import software.amazon.awssdk.services.ssm.model.GetParameterRequest;
import software.amazon.awssdk.services.ssm.model.GetParameterResponse;
import software.amazon.awssdk.services.ssm.model.GetParametersByPathRequest;
import software.amazon.awssdk.services.ssm.model.GetParametersByPathResponse;

SsmClient ssm = SsmClient.create();

// Read a single parameter
GetParameterResponse response = ssm.getParameter(
        GetParameterRequest.builder()
                .name("/prod/myapp/db-url")
                .withDecryption(true) // decrypt SecureString values (caller needs kms:Decrypt on the key)
                .build());
String dbUrl = response.parameter().value();

// Read a whole hierarchy at once (efficient for config loading at startup)
GetParametersByPathResponse allParams = ssm.getParametersByPath(
        GetParametersByPathRequest.builder()
                .path("/prod/myapp/")
                .withDecryption(true)
                .recursive(true)
                .build());
// One call returns at most 10 parameters: check allParams.nextToken() and keep calling,
// or use ssm.getParametersByPathPaginator(...) to iterate over all of them
```
### Hierarchical Naming

```text
/prod/myapp/db-url
/prod/myapp/db-password   → SecureString
/prod/myapp/feature-flags
/dev/myapp/db-url
```

GetParametersByPath("/prod/myapp/") returns all parameters in that hierarchy.
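Loading such a hierarchy into a config map, added here as an example (not code from the original page). It assumes the AWS SDK for Java 2.x; the class name `ParameterTreeLoader` and the name-based check that password-like parameters are SecureString are assumptions of this example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import software.amazon.awssdk.services.ssm.SsmClient;
import software.amazon.awssdk.services.ssm.model.GetParametersByPathRequest;
import software.amazon.awssdk.services.ssm.model.Parameter;
import software.amazon.awssdk.services.ssm.model.ParameterType;

public final class ParameterTreeLoader {
    // Heuristic (assumption): a parameter named like db-password or api-key must be a SecureString.
    private static final Pattern SENSITIVE = Pattern.compile("(?i)(password|secret|token|api-key)");

    // Returns every parameter under `path`, keyed by its name relative to that path
    // (e.g. "/prod/myapp/db-url" -> "db-url"), so the same code serves /prod/myapp/ and /dev/myapp/.
    public static Map<String, String> load(SsmClient ssm, String path) {
        String prefix = path.endsWith("/") ? path : path + "/";
        GetParametersByPathRequest req = GetParametersByPathRequest.builder()
                .path(prefix).recursive(true).withDecryption(true).build();
        Map<String, String> config = new HashMap<>();
        // A single GetParametersByPath call returns at most 10 parameters; the paginator
        // follows NextToken so a larger hierarchy is not silently truncated.
        for (Parameter p : ssm.getParametersByPathPaginator(req).parameters()) {
            String key = p.name().substring(prefix.length());
            if (SENSITIVE.matcher(key).find() && p.type() != ParameterType.SECURE_STRING) {
                // A String parameter is readable by anyone with ssm:GetParameter*; no kms:Decrypt needed
                throw new IllegalStateException("sensitive parameter stored unencrypted: " + p.name());
            }
            config.put(key, p.value());
        }
        return config;
    }
}
```

Failing fast at startup on a misclassified parameter is deliberate: a secret stored as a plain String bypasses the KMS key policy that would otherwise limit who can read it.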
## Choosing the Right Service

| Scenario | Use |
|---|---|
| Database password with auto-rotation | Secrets Manager |
| Store 10+ app config values cheaply | SSM Parameter Store |
| API key that must rotate every 30 days | Secrets Manager |
| Feature flags / non-sensitive config | SSM Parameter Store (String) |
| Sensitive config, no rotation needed | SSM Parameter Store (SecureString) |
| Cross-account secret sharing | Secrets Manager |
## 🧪 Practice Questions

Q1. A developer needs to store an RDS password and have it automatically rotated every 30 days. Which service is the BEST choice?
A) SSM Parameter Store (SecureString)
B) AWS Secrets Manager
C) KMS encrypted environment variable
D) S3 encrypted file
Answer & Explanation

B: Secrets Manager has built-in native rotation for RDS. It calls a rotation Lambda that creates new DB credentials, updates them in the database, then updates the secret, all automatically.

Q2. An application stores 50 configuration values (database URLs, feature flags, thresholds). Most are non-sensitive. What is the MOST cost-effective storage?
A) Secrets Manager โ one secret per value
B) SSM Parameter Store โ String type for non-sensitive, SecureString for sensitive
C) Environment variables
D) S3 config file
Answer & Explanation

B: SSM Parameter Store Standard parameters are free. Secrets Manager costs $0.40/secret/month, which adds up for 50 values. Use SecureString for the sensitive values and String for the rest.

Q3. A Lambda function reads a database secret on every invocation, causing high Secrets Manager API costs. What is the BEST fix?
A) Cache the secret in a DynamoDB table
B) Use the Secrets Manager caching client in the Lambda initialization code
C) Store the secret in an environment variable
D) Call GetSecretValue only in the warm-up phase
Answer & Explanation

B: The Secrets Manager caching client library caches secrets in memory with a configurable TTL. Since Lambda reuses execution environments (warm invocations), subsequent calls are served from the cache, drastically reducing API calls.