

The AWS platform offers two services for storing sensitive configuration data: AWS Secrets Manager and AWS Systems Manager Parameter Store. Besides many similarities, there are a few subtle differences, and understanding them will help you pick the service that is right for you. By using one over the other, you can also save money - I did, and that’s why I’m sharing this with you.

They are both designed to store sensitive data like passwords, DB connection strings, resource IDs etc. We can manage both of them using the AWS Console and access them programmatically (AWS CLI, SDKs and CloudFormation). If configured accordingly, they can both use the exact same encryption mechanism.

Differences

AWS Secrets Manager can automatically rotate credentials on the desired schedule. It can do this without writing a single line of code for several services: Amazon Relational Database Service (Amazon RDS), Amazon DocumentDB and Amazon Redshift. The same can be achieved for any other secret by delegating the rotation to a Lambda function. Automated data rotation is not possible using AWS Systems Manager Parameter Store.

Cross-account access

AWS Identity and Access Management (IAM) identity-based policies give us granular control over our secrets. AWS Secrets Manager additionally lets us attach resource-based IAM policies that grant cross-account access. Unfortunately, there is no way to attach a resource-based IAM policy to AWS Systems Manager Parameter Store (Standard type).

Data encryption

AWS Systems Manager Parameter Store allows us to store data in plain text (String and StringList types) or encrypted (SecureString type). AWS Secrets Manager doesn’t allow opting out of encryption; all data stored in this service is encrypted using AWS Key Management Service (AWS KMS).

Limits

AWS Systems Manager Parameter Store allows us to store up to 10,000 parameters, each of them up to 4 KB. AWS Secrets Manager lets us store up to 40,000 secrets, each of them up to 64 KB.

Price

AWS Systems Manager Parameter Store comes at no additional cost (Standard type). AWS Secrets Manager, however, costs $0.40 per secret per month, and data retrieval costs $0.05 per 10,000 API calls.

Password generation

AWS Secrets Manager allows us to generate random data during the creation phase. It is very handy to be able to create a secret and reference it in the same CloudFormation stack. AWS Systems Manager Parameter Store doesn’t allow us to generate random data - we need to do it ourselves using the console or the AWS CLI.

My simplified rule of thumb is to always go with AWS Systems Manager Parameter Store if you don’t care about secrets rotation and cross-account access. Hopefully, what you learned today will allow you to make a more thoughtful decision when picking one over the other.
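As an added example (not code from the original post), the CloudFormation template below ties together three of the differences discussed above: Secrets Manager generates the password at creation time and the same stack consumes it through a dynamic reference, a resource-based policy grants another account read access, and the Parameter Store entry is limited to a plain String because CloudFormation cannot create SecureString parameters. The secret and parameter names, the RDS sizing and the TrustedAccountId parameter are placeholders of my own.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example (not from the original post) - generated secret used in the same stack
Parameters:
  TrustedAccountId:
    Type: String
    Description: Placeholder account ID that is allowed to read the secret (assumption)
Resources:
  # Secrets Manager generates the password at creation time; no manual step is needed.
  DbSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: /demo/db/credentials
      GenerateSecretString:
        SecretStringTemplate: '{"username": "appuser"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'
  # The generated value is consumed in the same stack via a dynamic reference,
  # so the password never appears in the template or in stack parameters.
  DbInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.micro
      AllocatedStorage: "20"
      MasterUsername: !Sub '{{resolve:secretsmanager:${DbSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DbSecret}:SecretString:password}}'
  # Resource-based policy: the cross-account grant that Parameter Store (Standard) cannot express.
  DbSecretCrossAccountPolicy:
    Type: AWS::SecretsManager::ResourcePolicy
    Properties:
      SecretId: !Ref DbSecret
      ResourcePolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${TrustedAccountId}:root"
            Action: secretsmanager:GetSecretValue
            Resource: "*"
  # Parameter Store side: CloudFormation only creates String/StringList parameters, not
  # SecureString, so only non-secret configuration belongs here.
  DbHostParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /demo/db/host
      Type: String
      Value: !GetAtt DbInstance.Endpoint.Address
```

For the cross-account grant to work at retrieval time, the secret must also be encrypted with a customer-managed KMS key whose key policy trusts the other account; the AWS-managed aws/secretsmanager key cannot be used across accounts.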
