Free AWS Security Whitepaper
    Toc Consulting Logo
    comparesecrets-manager-vs-parameter-store-vs-vault
    SECURITYPublished 2025-07-15Updated 2025-11-20
    AWS Secrets ManagerAWS Secrets Manager
    vs
    SSM Parameter StoreSSM Parameter Store
    vs
    HashiCorp VaultHashiCorp Vault

    Secrets Manager vs Parameter Store vs Vault

    Where should your secrets live?

    Three approaches to secrets management on AWS: Secrets Manager with built-in rotation, Parameter Store with a generous free tier, and HashiCorp Vault for multi-cloud dynamic secrets. Most teams overpay - Parameter Store Standard is free for up to 10,000 parameters.

    Service Overview

    AWS Secrets Manager

    AWS Secrets Manager

    Managed secrets with rotation

    Built-in automatic rotation for RDS, Redshift, DocumentDB

    TypeManaged secret storage + rotation
    Pricing$0.40/secret/month + $0.05/10K API calls
    SSM Parameter Store

    SSM Parameter Store

    Config & secrets storage

    Free tier, hierarchical namespacing, tight IAM integration

    TypeHierarchical config/secret storage
    PricingFREE (Standard, up to 10K params) / $0.05/param/mo (Advanced)
    HashiCorp Vault

    HashiCorp Vault

    Multi-cloud secrets engine

    Dynamic secrets, multi-cloud, PKI, transit encryption

    TypeDynamic secrets + PKI + encryption
    PricingOpen source (self-hosted) or HCP Vault (~$0.03/hr starter)

    Side-by-Side Comparison

    $ diff --side-by-side
    CriteriaSecrets ManagerSSM Parameter StoreHashiCorp Vault
    Automatic RotationYes (RDS, Redshift, DocumentDB, Lambda)No (manual or custom Lambda)Yes (dynamic secrets - generated on-the-fly)
    Free Tier30-day trial (new accounts)10,000 Standard params - free foreverOpen source (self-hosted)
    Max Size per Secret64 KB4 KB (Standard) / 8 KB (Advanced)Unlimited
    Cross-Account AccessYes (resource policy)Yes (RAM sharing, Advanced tier only, since 2024)Yes (multi-cloud)
    VersioningYes (automatic)Yes (100 versions retained)Yes (versioned K/V store)
    EncryptionKMS (mandatory)KMS (mandatory for SecureString type; String type is unencrypted)Transit engine or external KMS
    Audit LoggingCloudTrailCloudTrailVault audit log (file/syslog/socket)
    Operational OverheadNone (fully managed)None (fully managed)High (cluster management, unsealing, backups)

    When to Use What

    $ cat DECISION_GUIDE.md
    IFYou need automatic password rotation for RDS databases
    THENSecrets Manager
    WHYBuilt-in rotation for RDS, Redshift, and DocumentDB with zero custom code. Lambda-based rotation for other secret types.
    IFYou need to store config values and non-rotating secrets
    THENParameter Store (Standard)
    WHYFree for up to 10,000 parameters. SecureString type encrypts with KMS. No reason to pay for Secrets Manager for non-rotating secrets.
    IFYou need dynamic, short-lived database credentials
    THENVault
    WHYVault generates unique credentials per request with automatic TTL-based expiration. No shared secrets, no rotation needed.
    IFYou need secrets shared across AWS accounts
    THENSecrets Manager
    WHYResource-based policies enable simple cross-account access. Parameter Store supports cross-account via RAM (Advanced tier only), but Secrets Manager resource policies are simpler to manage.
    IFYou run workloads on multiple clouds (AWS + GCP/Azure)
    THENVault
    WHYVault is cloud-agnostic with secrets engines for AWS, GCP, Azure, databases, PKI, and more. Single control plane across all clouds.

    Security Insights

    Most teams overpay for Secrets Manager

    If your secrets do not need automatic rotation or cross-account access, Parameter Store Standard is free and stores up to 10,000 parameters. That covers 90% of use cases.

    Vault adoption is shifting to AWS-native

    Since the IBM acquisition, many teams are migrating from Vault to AWS-native solutions (Secrets Manager + Parameter Store) due to lower operational overhead. Only choose Vault if you genuinely need multi-cloud or dynamic secrets.

    Parameter Store Standard is free forever

    Up to 10,000 Standard parameters with no monthly cost. For non-rotating secrets (API keys, config values), Parameter Store is the most cost-effective option. Secrets Manager is worth the $0.40/secret/month only when you need automatic rotation or resource-based cross-account policies.

    Never store secrets in environment variables or code

    Regardless of which tool you choose, the worst option is hardcoded secrets. All three solutions integrate with Lambda, ECS, EKS, and EC2 to inject secrets at runtime.

    Key Takeaways

    $ cat SUMMARY.md
    1.Parameter Store Standard is FREE for up to 10K params - start there for non-rotating secrets
    2.Secrets Manager is worth the cost only for automatic rotation and cross-account access
    3.Vault is for multi-cloud and dynamic secrets - do not self-host it unless you have a dedicated platform team
    4.Parameter Store Standard is free forever for up to 10K params - use it for non-rotating secrets
    5.Vault adoption is shifting to AWS-native as teams prioritize lower operational overhead
    SecretsEncryptionKey ManagementZero Trust

    Need Architecture Guidance?

    These comparisons are a starting point. Every architecture is different. Contact us for tailored AWS security assessments and architectural guidance.

    All ComparisonsGet in Touch