Translated by AI
Is Your Password Management Worth $0.40/Month? Criteria for Switching from Secrets Manager to Parameter Store
- This page contains promotional content.
[What you will learn in this article]
- Secrets Manager costs money ($0.40/month per secret) because it "automatically rotates passwords."
- Systems Manager Parameter Store is free for manual management.
- For personal development, it is perfectly fine to switch to the free Parameter Store while maintaining the same level of security.
Introduction: How much are you paying for that "single password"?
AWS hands-on articles and tutorials often use "AWS Secrets Manager" for database password management as if it were the default choice.
Have you set it up thinking, "This must be essential for security," and then left it as is? In fact, you're being charged bit by bit.
- Per secret: $0.40 / month (approx. 60 yen)
You might think, "Only 60 yen?" However, as the number of secrets increases—database passwords, API keys, staging environment credentials—it can add up to several thousand yen per year. If you aren't using "automatic password rotation," that's money you don't need to spend.
Today, I will explain how to use AWS's standard free vault, "Systems Manager Parameter Store," to reduce costs to zero without compromising security.
1. Two similar services, one decisive difference
AWS has two services for storing sensitive information (such as passwords). Their names are long and can be confusing, but for now, just remember their "features" and "pricing."
| Service Name | Common Name | Price (per item) | Primary Role |
|---|---|---|---|
| AWS Secrets Manager | Secrets Manager | $0.40 / month | High-performance vault (can automatically update contents) |
| Systems Manager Parameter Store | Parameter Store | Free ($0) * | Standard vault |
\* While Parameter Store has a paid "Advanced" tier, the "Standard" tier for normal use is free.
Why does Secrets Manager cost money?
It's because it has a powerful feature called auto-rotation (automatic updates).
- "Changing the database password to a random string every 30 days"
- "Automatically reflecting the changed password in RDS"
You are paying 40 cents a month as an "operations outsourcing fee" so that humans don't have to do these things manually. Conversely, if you "rarely change your password (it can stay fixed)," there is no need to use Secrets Manager.
2. Security is the Same Even with Parameter Store
A common misconception is the concern that "the free version (Parameter Store) might have lower security."
To put it simply, the level of security is the same.
Both services use AWS KMS (Key Management Service) encryption keys behind the scenes to protect your data.
- Save your data by selecting the SecureString setting.
As long as you follow this, your database passwords will be encrypted even in Parameter Store, and unauthorized individuals will not be able to see them. Rest assured that "free" does not mean "dangerous."
3. Which One to Use? A 1-Second Decision Flow
When in doubt, use the chart below to decide.
▼ [Diagram] How to Choose a Password Management Service

Parameter Store is sufficient for 90% of personal development
Strict requirements like "having to change passwords every 30 days" are rare for apps made for personal use or small-scale internal tools. In most cases, once you set it up, you will likely continue using it as is.
In that case, Parameter Store (free) is the clear choice.
4. Coding is Almost the Same
Did you think, "Switching sounds like a hassle"? In fact, the way you call it from your program (code) is almost identical.
Let's look at an example using Python (Boto3).
```python
import boto3


# For Secrets Manager
def get_secret():
    client = boto3.client('secretsmanager')
    response = client.get_secret_value(SecretId='MyDBPassword')
    return response['SecretString']


# For Parameter Store
def get_parameter():
    client = boto3.client('ssm')
    # WithDecryption=True returns the decrypted SecureString value
    response = client.get_parameter(Name='MyDBPassword', WithDecryption=True)
    return response['Parameter']['Value']
```
As you can see, the client name changes from `secretsmanager` to `ssm`, and the method name changes slightly (`get_secret_value` becomes `get_parameter` with `WithDecryption=True`). With just a few lines of modification, you can reduce your monthly fixed costs.
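The switch itself can be scripted. The following is an added example, not code from the original article: it copies a secret into a `SecureString` parameter only when rotation is not enabled and the value fits the Standard tier, then reads it back to verify. The function names, stub classes and sample values are constructed for illustration so the example runs offline; with real AWS access, pass `boto3.client('secretsmanager')` and `boto3.client('ssm')` instead of the stubs.

```python
STANDARD_TIER_MAX_BYTES = 4096  # Standard-tier parameter values are limited to 4 KB

def migrate_secret(sm, ssm, secret_id, param_name, kms_key_id=None):
    """Copy one secret into a SecureString parameter; sm/ssm are boto3 clients or stubs."""
    # Rotation is the feature the monthly fee pays for: leave rotating secrets alone.
    if sm.describe_secret(SecretId=secret_id).get("RotationEnabled"):
        return "skipped: rotation enabled"
    secret = sm.get_secret_value(SecretId=secret_id)
    if "SecretString" not in secret:
        return "skipped: binary secret"
    value = secret["SecretString"]
    if len(value.encode("utf-8")) > STANDARD_TIER_MAX_BYTES:
        return "skipped: too large for Standard tier"
    args = {"Name": param_name, "Value": value, "Type": "SecureString",
            "Tier": "Standard", "Overwrite": False}
    if kms_key_id:  # otherwise the AWS managed key for SSM encrypts the value
        args["KeyId"] = kms_key_id
    ssm.put_parameter(**args)
    # Read back: confirm it was stored as SecureString and decrypts to the same value.
    stored = ssm.get_parameter(Name=param_name, WithDecryption=True)["Parameter"]
    if stored["Type"] != "SecureString" or stored["Value"] != value:
        raise RuntimeError(f"verification failed for {param_name}")
    return "migrated"

class StubSecretsManager:
    """Constructed stand-in for the secretsmanager client (offline demo only)."""
    def __init__(self, secrets):
        self.secrets = secrets  # {SecretId: (value, rotation_enabled)}
    def describe_secret(self, SecretId):
        return {"Name": SecretId, "RotationEnabled": self.secrets[SecretId][1]}
    def get_secret_value(self, SecretId):
        return {"SecretString": self.secrets[SecretId][0]}

class StubSSM:
    """Constructed stand-in for the ssm client (offline demo only)."""
    def __init__(self):
        self.params = {}
    def put_parameter(self, **kw):
        self.params[kw["Name"]] = {"Name": kw["Name"], "Type": kw["Type"], "Value": kw["Value"]}
    def get_parameter(self, Name, WithDecryption=False):
        return {"Parameter": self.params[Name]}

def demo():
    """Run the helper against constructed sample secrets."""
    sm = StubSecretsManager({"MyDBPassword": ("constructed-sample-value", False),
                             "RotatedDBPassword": ("constructed-sample-value-2", True)})
    ssm = StubSSM()
    return [migrate_secret(sm, ssm, "MyDBPassword", "MyDBPassword"),
            migrate_secret(sm, ssm, "RotatedDBPassword", "RotatedDBPassword")], ssm.params
```

The helper does not delete the original secret; remove it from Secrets Manager only after the application is reading from Parameter Store.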
Summary: Cut Costs by Using the Right Tool for the Right Job
- Secrets Manager: A luxury hotel to be used only when "automatic password rotation" is required.
- Parameter Store: A home safe that can be used for free if you manage it yourself.
Don't assume "security = paid"; instead, show your skill as an AWS engineer by choosing services based on requirements. Check your bill now, and if you have any unused Secrets Manager secrets, consider moving them to Parameter Store.
📚 Two Books to Become a Cost-Conscious Engineer
- Learn "billing points" for each service in detail: Understanding "differences between Standard and Advanced Parameter Store" and "Secrets Manager use cases" is essential as they frequently appear in SAA exams. This is a book you want to have on hand not just for certification study, but as a "knowledge defense to avoid paying unnecessary costs."
▼ Thorough Capture: AWS Certified Solutions Architect - Associate Textbook
- Learn "how to configure" by doing: There are plenty of specific hands-on exercises, such as connecting to a database from EC2 using Parameter Store. For those who are worried about "I read the article, but how do I set it up on the actual screen?", I recommend trying it once with this book.
▼ Amazon Web Services: Network & Server Construction from the Ground Up