Application and data security is one of the most important parts of running an organization, especially when the infrastructure lives in the cloud. To become an AWS pro, you need an in-depth understanding of the security services AWS offers. The two services we’re looking at here are AWS Systems Manager Parameter Store and AWS Secrets Manager.
One of the main facets of application security is how configuration values, including database credentials (usernames and passwords), product keys, API keys, and environment variables, are stored and accessed. Storing and retrieving this kind of data safely is harder than it looks, which is why AWS offers Systems Manager Parameter Store and Secrets Manager. Both let you store and manage sensitive data, and while they sound similar and overlap in function, there are important differences between the two.
AWS Systems Manager Parameter Store vs. AWS Secrets Manager
Let’s look into how these systems are similar and how they differ from each other:
Parameter Store is designed to be a centralized place to manage and secure configuration data. Secrets Manager is designed to store, retrieve and rotate secrets.
Secrets Manager was built specifically for confidential data such as credentials and API keys. It encrypts every secret with KMS by default and adds features such as automatic rotation and random password generation. Secrets can be stored, retrieved, rotated and retired across their lifecycle, and the credentials kept in them can belong to AWS services (Amazon RDS, Redshift and DocumentDB have built-in rotation support), to third-party services, or to on-premises systems.
Parameter Store was made for a wider range of cases and can hold anything, including non-confidential data such as URLs, so it acts as a central store for all of an organization’s configuration data. It is one feature of AWS Systems Manager, which also covers operational and IT tasks such as running pre-built automation runbooks across fleets of instances and across multiple accounts.
The first similarity is encryption. Both Parameter Store and Secrets Manager use AWS Key Management Service (KMS) for data encryption: Secrets Manager for every secret, Parameter Store for parameters of type SecureString. Both use Identity and Access Management (IAM) policies for permissions, and these policies can be scoped to exactly the parameters or secrets a workload needs. When a customer managed KMS key is used, a caller that wants to read an encrypted value needs two permissions, not one: ssm:GetParameter or secretsmanager:GetSecretValue on the resource, and kms:Decrypt on the key that protects it, so the KMS key policy is a second place to enforce least privilege.
Both services can be accessed, managed, and controlled through the AWS Management Console, the AWS CLI and the SDKs.
Both store values under a name (key/value storage), and both support hierarchical names such as /prod/payments/db-password, so parameters and secrets can be grouped by application and deployment environment and IAM policies can be scoped to a path prefix. Parameter Store additionally lets you fetch a whole branch at once with GetParametersByPath.
Both integrate with CloudFormation. Hard-coding confidential data in a CloudFormation template is poor practice, since the template and its parameter values end up in version control and stack metadata. Instead, store the value in either service and reference it from the template with a dynamic reference (ssm, ssm-secure or secretsmanager); CloudFormation retrieves it when the stack is deployed, and for ssm-secure and secretsmanager references the resolved value is not written into the template or the stack.
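To make the three dynamic-reference forms concrete, here is an added example (not code from the original article or from AWS) that parses references in CloudFormation syntax and resolves them the way CloudFormation does at deploy time: plain ssm references read a String parameter without decryption, ssm-secure references decrypt a SecureString through KMS, and secretsmanager references fetch a secret and optionally one JSON key from it. The clients are injected so the example runs offline against constructed stand-ins (FakeSSM, FakeSecretsManager); pass boto3.client("ssm") and boto3.client("secretsmanager") instead to run it for real. It simplifies one point: it accepts secret names only, not secret ARNs, because ARNs contain colons.

```python
import json
import re

# CloudFormation dynamic-reference syntax handled here:
#   {{resolve:ssm:/app/prod/api-url}}        plain String parameter, latest version
#   {{resolve:ssm:/app/prod/api-url:3}}      plain String parameter, version 3
#   {{resolve:ssm-secure:/app/prod/db-pw}}   SecureString, decrypted with KMS
#   {{resolve:secretsmanager:prod/db:SecretString:password}}   one JSON key of a secret
DYNAMIC_REF = re.compile(r"\{\{resolve:(ssm|ssm-secure|secretsmanager):([^}]+)\}\}")


def resolve_ssm(ssm, name, version=None, secure=False):
    """Resolve one Parameter Store reference. `ssm` exposes get_parameter(Name=, WithDecryption=)."""
    selector = f"{name}:{version}" if version else name   # GetParameter accepts name:version
    param = ssm.get_parameter(Name=selector, WithDecryption=secure)["Parameter"]
    # A plain ssm reference never decrypts, so a SecureString behind it would push
    # ciphertext into the stack; refuse instead of silently passing it on.
    if param["Type"] == "SecureString" and not secure:
        raise ValueError(f"{name} is a SecureString; reference it with ssm-secure")
    return param["Value"]


def resolve_secretsmanager(sm, spec):
    """Resolve secret-id:SecretString:json-key:version-stage:version-id (only secret-id required)."""
    fields = (spec.split(":") + [""] * 5)[:5]
    secret_id, secret_string, json_key, version_stage, version_id = fields
    if secret_string not in ("", "SecretString"):
        raise ValueError("only SecretString references are handled in this example")
    kwargs = {"SecretId": secret_id}
    if version_stage:
        kwargs["VersionStage"] = version_stage
    if version_id:
        kwargs["VersionId"] = version_id
    value = sm.get_secret_value(**kwargs)["SecretString"]
    return json.loads(value)[json_key] if json_key else value


def resolve_template(text, ssm, sm):
    """Substitute every dynamic reference in a template body."""
    def substitute(match):
        service, spec = match.group(1), match.group(2)
        if service == "secretsmanager":
            return resolve_secretsmanager(sm, spec)
        name, _, version = spec.partition(":")        # parameter names never contain ':'
        return resolve_ssm(ssm, name, version or None, secure=(service == "ssm-secure"))
    return DYNAMIC_REF.sub(substitute, text)


# --- Constructed stand-ins so the example runs offline (assumed sample data, not real values).
class FakeSSM:
    def __init__(self, params):
        self.params = params                      # name -> (type, plaintext value)

    def get_parameter(self, Name, WithDecryption=False):
        name, _, version = Name.partition(":")
        ptype, value = self.params[name]
        if ptype == "SecureString" and not WithDecryption:
            value = "AQICAHg...base64-ciphertext..."  # what the API returns undecrypted
        return {"Parameter": {"Name": name, "Type": ptype, "Value": value,
                              "Version": int(version or 1)}}


class FakeSecretsManager:
    def __init__(self, secrets):
        self.secrets = secrets                    # secret name -> SecretString

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT", VersionId=None):
        return {"Name": SecretId, "SecretString": self.secrets[SecretId],
                "VersionStages": [VersionStage]}


SAMPLE_SSM = FakeSSM({
    "/app/prod/api-url": ("String", "https://api.example.internal"),
    "/app/prod/db-pw": ("SecureString", "s3cr3t-from-kms"),
})
SAMPLE_SM = FakeSecretsManager({
    "prod/db": json.dumps({"username": "app", "password": "hunter2", "host": "db.internal"}),
})

TEMPLATE = """Environment:
  API_URL: "{{resolve:ssm:/app/prod/api-url}}"
  DB_USER: "{{resolve:secretsmanager:prod/db:SecretString:username}}"
MasterUserPassword: "{{resolve:ssm-secure:/app/prod/db-pw}}"
"""


def demo():
    return resolve_template(TEMPLATE, SAMPLE_SSM, SAMPLE_SM)


if __name__ == "__main__":
    print(demo())
```

Two caveats apply to the real service that the resolver mirrors: CloudFormation rejects a plain ssm reference to a SecureString (the ValueError above), and ssm-secure references are only accepted on resource properties that CloudFormation knows are secret (for example an RDS MasterUserPassword), never in arbitrary properties or outputs.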
Now that we know how these services are similar, let’s look into the differences between them:
First off, Parameter Store was made for much more than secrets and passwords. It holds application configuration such as settings for third-party integrations, URLs, user preferences and product keys. That is why parameters are plain text (type String or StringList) by default, and you opt in to encryption by creating a SecureString parameter. Secrets Manager, on the other hand, was designed only for confidential data: encryption is always on, and a secret cannot be stored as plaintext. Size limits differ too: a standard parameter holds up to 4 KB (8 KB for advanced parameters), while a secret holds up to 64 KB.
The next difference is secret rotation. Secrets Manager can rotate credentials automatically on a schedule. For Amazon RDS, Redshift and DocumentDB it can set up the rotation function for you; for anything else you supply a Lambda function that follows its four-step rotation protocol (createSecret, setSecret, testSecret, finishSecret). Parameter Store has no rotation feature: a SecureString parameter stays the same until you update it yourself or build your own rotation with EventBridge and Lambda.
Secrets Manager also supports cross-account access. A resource-based policy on the secret can grant a role in another AWS account permission to read it, which is useful for sharing credentials between accounts. Two more things have to line up for that to work: the secret must be encrypted with a customer managed KMS key whose key policy also lets the other account call kms:Decrypt (the AWS managed aws/secretsmanager key cannot be shared across accounts), and the reading role needs an identity policy that allows access to the secret and the key. Parameter Store has no resource-based policies, so a standard parameter in one account cannot be granted to another directly (advanced-tier parameters can since be shared through AWS Resource Access Manager, but standard parameters still cannot).
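Cross-account access is where resource policies are most often written too broadly, so here is an added example (constructed for this article, not taken from it or from AWS documentation) that builds the three policy documents a cross-account read needs and audits a secret's resource policy for the common mistakes. The account ids, key id and role name are placeholders; the audit function flags a wildcard principal without a Condition, a statement that grants every secretsmanager action, and a statement that trusts a whole account rather than a specific role.

```python
# Constructed identifiers for the example (placeholders, not real accounts or keys).
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111111111111:secret:prod/db-AbCdEf"
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"
READER_ROLE = "arn:aws:iam::222222222222:role/app-reader"


def secret_resource_policy(reader_role_arn):
    """Resource-based policy attached to the secret in the owning account (PutResourcePolicy).
    Resource "*" in a resource policy means the secret it is attached to."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowReaderRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": reader_role_arn},
        "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
        "Resource": "*"}]}


def key_policy_statement(reader_role_arn, region="us-east-1"):
    """Statement for the customer managed key's policy: the reader may decrypt with the key,
    but only through Secrets Manager, so it cannot decrypt arbitrary ciphertext."""
    return {"Sid": "AllowReaderDecryptViaSecretsManager",
            "Effect": "Allow",
            "Principal": {"AWS": reader_role_arn},
            "Action": "kms:Decrypt",
            "Resource": "*",
            "Condition": {"StringEquals": {"kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}}}


def reader_identity_policy(secret_arn, key_arn):
    """Identity policy for the reader role in the consuming account, scoped to the exact ARNs."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": secret_arn},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn}]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def audit_resource_policy(policy):
    """Return findings for Allow statements that open a secret wider than a single reader."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        principals = _as_list(principal if isinstance(principal, str) else principal.get("AWS"))
        if "*" in principals and not stmt.get("Condition"):
            findings.append(f"{sid}: wildcard principal with no Condition (public secret)")
        if any(a in ("*", "secretsmanager:*") for a in _as_list(stmt.get("Action"))):
            findings.append(f"{sid}: grants every Secrets Manager action, not just read")
        if any(p.endswith(":root") for p in principals):
            findings.append(f"{sid}: trusts an entire account (root), not a specific role")
    return findings


if __name__ == "__main__":
    print(audit_resource_policy(secret_resource_policy(READER_ROLE)))   # expect no findings
```

A wildcard principal is acceptable only when a Condition narrows it, for example aws:PrincipalOrgID to restrict access to your own organization, which is why the audit only flags "*" when no Condition is present. When applying a resource policy with PutResourcePolicy, keep BlockPublicPolicy enabled so the service itself refuses a policy that would make the secret public.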
Finally, the last difference is price. Standard parameters in Parameter Store are free: up to 10,000 parameters per account and region, with API requests at the standard throughput level free as well. Higher throughput costs $0.05 per 10,000 API interactions, and advanced parameters (larger values, more of them, and parameter policies such as expiration) cost $0.05 per parameter per month. Secrets Manager charges $0.40 per secret per month plus $0.05 per 10,000 API calls. This may not look like much, but with thousands of secrets and services that fetch them on every request these pennies add up, which is a good reason to cache secret values in the application (AWS ships client-side caching libraries for this) rather than call GetSecretValue on every operation.
Though both services provide similar key/value storage, management and retrieval, Parameter Store offered no rotation, no resource policies and no password generation for the secrets it held as SecureString parameters, which is why AWS released Secrets Manager in 2018.
Parameter Store should be used for configuration data that is not a secret, such as application settings, license codes, URLs and user preferences, and it remains a reasonable home for low-volume secrets stored as SecureString parameters when rotation is not needed. It provides a lot of functionality to streamline deployments, and the standard tier is free, which is another plus.
Secrets Manager fills the gaps Parameter Store leaves. With cross-account access, automatic rotation, native integration with RDS and other AWS services, and encryption on by default, it is the right place to manage confidential data such as API keys, database credentials and OAuth tokens. These features come at a cost, but for credentials the cost is usually worth it.