AWS Security Blog
How to choose the right AWS service for managing secrets and configurations
When building applications on AWS, you often need to manage various types of configuration data, including sensitive values such as API tokens or database credentials. From environment variables and API keys to passwords and endpoints, this configuration data helps determine application behavior. AWS offers managed services that you can use for different aspects of managing secrets and configuration data, in addition to feature flags to adjust application behavior without requiring full code deployments. This post explores AWS Secrets Manager, AWS Systems Manager Parameter Store, and AWS AppConfig, and provides guidance on selecting the right service to help meet your requirements. To summarize: AWS recommends you use AWS Secrets Manager for secrets, Parameter Store for simple storage of key-value pairs, and AWS AppConfig for feature flags and advanced dynamic configuration.
Overview of relevant AWS services
Let’s begin by examining the core services that manage customer secrets and configurations: Secrets Manager, Systems Manager Parameter Store, and AWS AppConfig.
Secrets Manager
Secrets Manager specializes in protecting access to applications, services, and IT resources by managing the lifecycle of secrets. It helps you rotate, manage, and retrieve credentials for databases, API keys, OAuth tokens, JSON Web Tokens (JWTs), and other secrets, whether the protected resources run in the AWS Cloud, on premises, or in other clouds. Secrets Manager was designed specifically for sensitive credentials such as database passwords; it can replicate secrets to other AWS Regions and rotate passwords automatically on a configurable schedule. Every secret is encrypted with AWS Key Management Service (AWS KMS), using either the AWS managed key aws/secretsmanager or a customer managed key that you control, and this encryption cannot be disabled. Secrets Manager endpoints also support post-quantum TLS (PQ TLS); a client benefits from it only when its TLS stack negotiates it, which select AWS SDKs do.
Parameter Store
Parameter Store, a capability of Systems Manager, offers secure, hierarchical storage for configuration data and secrets. You can store values such as passwords, database connection strings, AMI IDs, and license codes as parameters, referenced by unique, path-like names (for example /myapp/prod/db/host). Parameters come in three types: String and StringList are stored as plain text, while SecureString parameters are always encrypted with AWS KMS (the AWS managed key aws/ssm or a customer managed key). Reading a SecureString requires both the ssm:GetParameter permission and kms:Decrypt on that key, and the caller must request decryption explicitly (WithDecryption) to receive the plaintext.
AWS AppConfig
AWS AppConfig facilitates the creation, management, and deployment of feature flags and application configuration data. It’s designed to support applications of different sizes with controlled deployments and includes robust validation mechanisms and monitoring capabilities. AWS AppConfig works seamlessly with various deployment targets, including Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS Lambda functions, containers, mobile applications, and Internet of Things (IoT) devices. While AWS AppConfig can store configuration data either in its own datastore, using Parameter Store, or using Secrets Manager, it’s primarily designed to help you speed up software release frequency, improve application resiliency, and address emergent issues more quickly using feature flags and dynamic configuration as a powerful DevOps tool.
Service similarities
These services share several common capabilities while maintaining distinct specializations. All three support comprehensive logging through AWS CloudTrail and monitoring through Amazon CloudWatch, can be governed through granular AWS Identity and Access Management (IAM) permissions and service control policies (SCPs), and are available across the commercial Regions. They can store configuration data, though each excels in different scenarios. Parameter Store should be used to store and manage non-sensitive configuration data that doesn’t require frequent rotation or replication across Regions. Secrets Manager focuses on storing and automatically rotating sensitive credentials, offering features like the Secrets Manager Agent for secret caching and retrieval, and integrations with services like Amazon Relational Database Service (Amazon RDS) to reduce the operational overhead of managing admin passwords for databases. AWS AppConfig specializes in managing application configuration and feature flags with deployment safety controls and can be used in conjunction with Parameter Store or Secrets Manager to store and manage sensitive credentials. AWS AppConfig also uses a caching agent for performance and resiliency.
All three services can encrypt configuration data with AWS KMS, and access to an encrypted value then requires two grants: the service permission (for example ssm:GetParameter or secretsmanager:GetSecretValue) and kms:Decrypt on the key, so the KMS key policy is an independent control on top of IAM. Secrets Manager supports resource policies on individual secrets, and Parameter Store supports them on advanced parameters; both can be used to grant cross-account access and add another layer of access control in addition to identity-based IAM policies.
The services also share an integration with AWS CloudFormation, enabling references to configuration data within templates instead of hardcoding sensitive information. This integration helps maintain security in infrastructure-as-code practices by helping prevent exposure of sensitive data. Additionally, all three services support versioning, though they implement it differently: Secrets Manager creates new versions during rotation or value changes, Parameter Store maintains versions when parameters are edited, and AWS AppConfig tracks versions through configuration profiles and its hosted configuration store.
Service differences
A primary differentiator between these three services is their approach to access control and permissions management. Secrets Manager offers the most comprehensive security controls through multiple layers: resource-based policies (RBPs), resource control policies (RCPs), service control policies (SCPs), attribute-based access control (ABAC), and AWS KMS key policies. By using this multi-layered approach, organizations can implement defense-in-depth strategies and can meet stringent compliance requirements. Additionally, the integration of Secrets Manager with Amazon GuardDuty provides automated secret-specific threat detection, including alerts for potentially malicious API calls or unauthorized access attempts. The direct integration of Secrets Manager with AWS Config and AWS Security Hub enables automated compliance monitoring and reporting across multiple compliance frameworks (such as PCI DSS, HIPAA, and SOC), with built-in controls and continuous assessment capabilities. These comprehensive security and compliance features make Secrets Manager particularly suitable for regulated industries requiring detailed audit trails and compliance reporting.
Another key difference is the ability to replicate secrets across Regions and to rotate them automatically, which shortens the window in which a compromised credential stays valid. The built-in automatic rotation of Secrets Manager, which runs a Lambda function holding the rotation logic on a schedule you set, sets it apart from the other services. During rotation the service keeps the previous version (labeled AWSPREVIOUS) alongside the new AWSCURRENT version, so clients still holding the old value keep working until they refresh. Parameter Store and AWS AppConfig don't offer native rotation, but both can reference secrets stored in Secrets Manager as configuration sources, so the two approaches complement each other.
The services also differ in logging and observability. All three record API activity in CloudTrail, but Secrets Manager adds detailed logging through CloudWatch Logs: the rotation Lambda function writes a log stream for every rotation attempt, which is the first place to look when a rotation fails, and secret access patterns can be traced from CloudTrail events. It also offers CloudWatch metrics for tracking secret versions, rotation status, and API usage patterns, giving deeper operational insight than Parameter Store or AWS AppConfig provide.
In terms of resilience, all three services are highly available within a Region, but only Secrets Manager can automatically replicate secret values across Regions. For example, if a global application (or a disaster recovery plan) needs database passwords in multiple Regions, secret replicas keep the values in sync, even when the primary secret is rotated automatically. Parameter Store has no replication feature: a parameter needed in two Regions must be written in each, and cross-account access is available only through resource-based policies on advanced parameters. This makes Parameter Store suitable for Regional configuration management.
AWS AppConfig distinguishes itself through comprehensive deployment safety mechanisms. It employs validators to help make sure configuration updates are both syntactically and semantically correct, supporting both JSON schema and custom Lambda function validators. The service implements gradual deployment strategies to control configuration change rates and includes automatic rollback capabilities triggered by CloudWatch (and other APM provider) alarms. These features help limit the potential impact of configuration changes, while Parameter Store and Secrets Manager focus primarily on secure storage and retrieval of credentials.
From a pricing perspective, the services have different cost models aligned with their capabilities. Parameter Store offers standard parameters (values up to 4 KB) at no additional charge, while advanced parameters cost $0.05 per parameter per month plus API interaction costs. Advanced parameters support larger values (up to 8 KB) and parameter policies such as expiration; advanced SecureString values above 4 KB are protected with envelope encryption using the AWS Encryption SDK. Secrets Manager charges $0.40 per secret per month plus API calls, with each Regional replica billed as its own secret, reflecting its additional capabilities such as secret replication, automatic rotation, and native integrations with AWS services like Amazon RDS. Its pricing model is designed for sensitive credentials that need these features; the service keeps versions of a secret throughout its lifecycle, particularly during rotation, and you can retrieve a specific version as needed. AWS AppConfig is priced per configuration received ($0.0008) and per configuration request ($0.0000002), and you can store configurations in its hosted store or reference them from Parameter Store or Secrets Manager. This structure makes Parameter Store optimal for non-sensitive configuration data, Secrets Manager for sensitive credentials requiring rotation, and AWS AppConfig for application configuration with deployment controls.
Use case examples
Let’s explore a few common use cases to illustrate when each service proves most valuable.
Non-sensitive key/value pairs that don’t require advanced features
For non-sensitive key/value pairs in applications that don’t require regular rotation, compliance monitoring, or resilience across multiple Regions, Parameter Store will likely be the best choice for most customers. Consider a scenario where an application needs to store a license key for a database, or an AMI ID. Parameter Store is a good choice because the use case doesn’t require rotation or multi-Region replication, the data structure is straightforward, and cost efficiency matters for high-volume retrieval. Encryption with AWS KMS is supported if needed for parameters that might be for internal use only but don’t contain personally identifiable information (PII) or credentials used for authentication. With Parameter Store, you can efficiently manage large sets of parameters while maintaining security controls and organizational structure. Retrieving the values from Parameter Store is straightforward for developers, as shown in the following example (Python):
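The following is an added Python example, not the post's own sample. It reads a whole hierarchy of parameters with a single call family, follows pagination, asks for decryption so any SecureString in the tree comes back as plaintext, and splits StringList values. The parameter path /myapp/prod/ and the stub values are constructed for illustration; the client is injected so the same function runs against boto3.client("ssm") in production and against the offline stub here.

```python
"""Read application configuration from a Parameter Store hierarchy.

Added example (not from the original post). Names under /myapp/prod/
are hypothetical. The client is passed in so the code runs against
boto3 in production and against StubSSM offline.
"""
import json
from typing import Any, Dict, Iterator


def iter_parameters(ssm, path: str) -> Iterator[Dict[str, Any]]:
    """Yield every parameter under `path`, following NextToken pagination.

    WithDecryption=True returns SecureString values decrypted, so the
    caller needs kms:Decrypt on the key as well as ssm:GetParametersByPath.
    String and StringList values are unaffected by the flag.
    """
    kwargs = {"Path": path, "Recursive": True, "WithDecryption": True}
    while True:
        resp = ssm.get_parameters_by_path(**kwargs)
        yield from resp.get("Parameters", [])
        token = resp.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def load_config(ssm, path: str) -> Dict[str, Any]:
    """Return {relative_name: value} for the hierarchy under `path`.

    StringList values are split on commas, which is how Parameter Store
    defines the type; String and SecureString values are returned as-is.
    """
    if not path.endswith("/"):
        path += "/"
    config: Dict[str, Any] = {}
    for p in iter_parameters(ssm, path):
        key = p["Name"][len(path):]
        value = p["Value"]
        if p.get("Type") == "StringList":
            value = value.split(",")
        config[key] = value
    return config


class StubSSM:
    """Constructed stand-in for boto3.client('ssm') so the example runs
    offline. It serves two pages to exercise the pagination loop."""

    def __init__(self):
        self.calls = []
        self._pages = [
            {"Parameters": [
                {"Name": "/myapp/prod/db/host", "Type": "String",
                 "Value": "db.internal.example"},
                {"Name": "/myapp/prod/ami_id", "Type": "String",
                 "Value": "ami-example"},
            ], "NextToken": "page-2"},
            {"Parameters": [
                {"Name": "/myapp/prod/allowed_regions", "Type": "StringList",
                 "Value": "us-east-1,us-west-2"},
                {"Name": "/myapp/prod/license_key", "Type": "SecureString",
                 "Value": "decrypted-license-value"},  # already decrypted by the service
            ]},
        ]

    def get_parameters_by_path(self, **kwargs):
        self.calls.append(dict(kwargs))
        return self._pages[len(self.calls) - 1]


if __name__ == "__main__":
    # Production: load_config(boto3.client("ssm"), "/myapp/prod")
    print(json.dumps(load_config(StubSSM(), "/myapp/prod"), indent=2))
```

Because GetParametersByPath returns at most ten parameters per call, any hierarchy of realistic size needs the NextToken loop; forgetting it silently drops configuration rather than failing.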
Database credentials with rotation and multi-Region requirements
For database credentials requiring rotation and multi-Region capabilities, Secrets Manager is the clear choice. Its automatic rotation functionality, multi-Region replication support, and native integration with Amazon RDS and other AWS services make it well-suited for managing complex database credential scenarios. Similarly, you should choose Secrets Manager for sensitive items like API keys and other types of credentials used for authentication. In the following diagram, you can see an example application architecture using Lambda to retrieve database credentials from Secrets Manager, which will be used to authenticate and query information from an RDS instance. Because the RDS instance has a cross-Region read replica, you can replicate the secret to the secondary Region (us-west-2), allowing the Lambda function in us-west-2 to get the secret value and query the read replica, even if the secret in the primary Region (us-east-1) cannot be accessed.
Secrets Manager also makes it straightforward for developers to retrieve secrets in their application, as shown in the following code sample:
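The following is an added Python example, not the post's own sample. It calls GetSecretValue, decodes the JSON payload that the console and the Amazon RDS rotation functions write (username, password, host, port, dbname, engine), and wraps the call in a small time-to-live cache with an explicit invalidate() hook, which is what an application needs when a cached password stops working mid-rotation. The secret name prod/inventory/db and the stub contents are constructed; the client is injected so the same code runs against boto3.client("secretsmanager") in production.

```python
"""Retrieve, decode and cache a secret from Secrets Manager.

Added example (not from the original post). The secret name and its
JSON layout are assumptions matching what RDS rotation writes. The
client is passed in so the code runs against boto3 or a stub.
"""
import json
import time
from typing import Any, Dict


def fetch_secret(client, secret_id: str, stage: str = "AWSCURRENT") -> Dict[str, Any]:
    """Call GetSecretValue and decode the payload.

    Exactly one of SecretString or SecretBinary is present. SecretString
    is usually JSON but may be a bare string, so fall back gracefully.
    """
    resp = client.get_secret_value(SecretId=secret_id, VersionStage=stage)
    if "SecretString" in resp:
        raw = resp["SecretString"]
        try:
            return json.loads(raw)
        except json.JSONDecodeError:
            return {"value": raw}  # plain-text secret
    return {"binary": resp["SecretBinary"]}


class SecretCache:
    """In-process cache so each request does not hit the API.

    Entries expire after `ttl` seconds so a rotated password is picked up
    without a redeploy. invalidate() forces a refetch after a failed DB
    login, which happens when the cached copy was read just before
    AWSCURRENT moved to the new version.
    """

    def __init__(self, client, ttl: float = 300.0, clock=time.monotonic):
        self._client = client
        self._ttl = ttl
        self._clock = clock
        self._entries: Dict[str, tuple] = {}

    def get(self, secret_id: str) -> Dict[str, Any]:
        now = self._clock()
        entry = self._entries.get(secret_id)
        if entry and now - entry[0] < self._ttl:
            return entry[1]
        value = fetch_secret(self._client, secret_id)
        self._entries[secret_id] = (now, value)
        return value

    def invalidate(self, secret_id: str) -> None:
        self._entries.pop(secret_id, None)


def connection_params(secret: Dict[str, Any]) -> Dict[str, Any]:
    """Map the RDS-style secret onto the arguments a DB driver expects.

    Keeping this separate from logging code means the password never
    lands in a log line that formats the whole secret dict.
    """
    return {
        "host": secret["host"],
        "port": int(secret.get("port", 5432)),
        "user": secret["username"],
        "password": secret["password"],
        "dbname": secret["dbname"],
    }


class StubSecretsManager:
    """Constructed stand-in for boto3.client('secretsmanager'); mutate
    `current` to simulate a rotation."""

    def __init__(self):
        self.calls = 0
        self.current = {"username": "app_user", "password": "v1-pass",
                        "host": "db.internal.example", "port": "5432",
                        "dbname": "inventory", "engine": "postgres"}

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        return {"Name": SecretId, "VersionStages": [VersionStage],
                "SecretString": json.dumps(self.current)}


if __name__ == "__main__":
    # Production: SecretCache(boto3.client("secretsmanager"))
    cache = SecretCache(StubSecretsManager())
    params = connection_params(cache.get("prod/inventory/db"))
    print({k: v for k, v in params.items() if k != "password"})
```

The pattern to follow in application code: on an authentication failure, call invalidate(), fetch again, and retry once; only then treat the failure as real. That is the same behaviour the Secrets Manager Agent and the client-side caching libraries implement for you.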
While you can call the Secrets Manager API directly to retrieve a secret (as shown in the preceding example), Secrets Manager also offers features and integrations that improve the developer experience, including the AWS Secrets Manager Agent (a local HTTP endpoint that caches secrets for the workload), native integration with Amazon Elastic Container Service (Amazon ECS) for injecting secrets into task definitions, and the AWS Secrets and Configuration Provider (ASCP), a provider plugin for the Kubernetes Secrets Store CSI Driver that mounts secrets and parameters into pods.
Secure password generation in CI/CD pipelines
When building applications, you might need to securely generate a password or other type of secret in your continuous integration and delivery (CI/CD) pipeline, without that secret value being exposed to developers or other human users. The ability of Secrets Manager to generate and manage secure passwords without human intervention, combined with its automated rotation capabilities and CI/CD tool integration, makes it the optimal solution. In the following sample, the Secrets Manager API GetRandomPassword is used to securely generate a password with a specific, configurable length without that value being exposed to a human or written to application logs or pipeline artifacts.
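The following is an added Python example, not the post's own sample. It combines GetRandomPassword with CreateSecret (or PutSecretValue when the pipeline re-runs and the secret already exists) so the generated value only ever exists in memory between the two calls, and it returns nothing but the ARN and version id, which a pipeline can safely log. It also goes a step beyond the paragraph by adding replica Regions at creation time, which ties in with the multi-Region scenario described earlier. The secret name prod/payments/api-key, the replica Region, and the stub are constructed; in production the client is boto3.client("secretsmanager").

```python
"""Generate and store a secret in a CI/CD step without exposing it.

Added example (not from the original post). Secret name and Region
are hypothetical. The client is passed in so the code runs against
boto3 or the offline stub below.
"""
import secrets
import string
from typing import Dict, Optional, Sequence


def provision_secret(client, name: str, length: int = 32,
                     replica_regions: Sequence[str] = (),
                     kms_key_id: Optional[str] = None,
                     exclude_characters: str = "'\"\\/@") -> Dict[str, str]:
    """Create `name` (or add a new version) with a random password.

    ExcludeCharacters drops characters that break shell quoting or
    connection strings; RequireEachIncludedType keeps at least one
    upper, lower, digit and punctuation character. The password itself
    is never returned, printed or logged by this function.
    """
    if length < 16:
        raise ValueError("refuse to generate passwords shorter than 16 characters")
    generated = client.get_random_password(
        PasswordLength=length,
        ExcludeCharacters=exclude_characters,
        RequireEachIncludedType=True,
    )["RandomPassword"]

    create_kwargs = {"Name": name, "SecretString": generated}
    if kms_key_id:
        create_kwargs["KmsKeyId"] = kms_key_id
    if replica_regions:
        create_kwargs["AddReplicaRegions"] = [{"Region": r} for r in replica_regions]
    try:
        resp = client.create_secret(**create_kwargs)
    except client.exceptions.ResourceExistsException:
        # Pipeline re-run: store a new version; it becomes AWSCURRENT and
        # the old one is relabeled AWSPREVIOUS.
        resp = client.put_secret_value(SecretId=name, SecretString=generated)
    return {"arn": resp["ARN"], "version_id": resp["VersionId"]}


class StubSecretsManager:
    """Constructed stand-in for boto3.client('secretsmanager'). It keeps
    stored values so a test can confirm the password never leaves
    provision_secret(). The stub's random generator honours
    PasswordLength and ExcludeCharacters but not RequireEachIncludedType."""

    class exceptions:
        class ResourceExistsException(Exception):
            pass

    def __init__(self):
        self.store: Dict[str, list] = {}
        self.last_create_kwargs = None

    def get_random_password(self, **kwargs):
        excluded = kwargs.get("ExcludeCharacters", "")
        alphabet = [c for c in string.ascii_letters + string.digits + string.punctuation
                    if c not in excluded]
        pwd = "".join(secrets.choice(alphabet) for _ in range(kwargs["PasswordLength"]))
        return {"RandomPassword": pwd}

    def create_secret(self, **kwargs):
        if kwargs["Name"] in self.store:
            raise self.exceptions.ResourceExistsException()
        self.last_create_kwargs = kwargs
        self.store[kwargs["Name"]] = [kwargs["SecretString"]]
        return {"ARN": f"arn:aws:secretsmanager:us-east-1:123456789012:secret:{kwargs['Name']}-AbCdEf",
                "Name": kwargs["Name"], "VersionId": "v1"}

    def put_secret_value(self, SecretId, SecretString, **kwargs):
        self.store[SecretId].append(SecretString)
        return {"ARN": f"arn:aws:secretsmanager:us-east-1:123456789012:secret:{SecretId}-AbCdEf",
                "Name": SecretId, "VersionId": f"v{len(self.store[SecretId])}"}


if __name__ == "__main__":
    # Production: provision_secret(boto3.client("secretsmanager"), ...)
    print(provision_secret(StubSecretsManager(), "prod/payments/api-key",
                           length=40, replica_regions=["us-west-2"]))
```

Whatever consumes the secret (a deploy step, an application) should then read it by ARN at runtime rather than receiving it as a pipeline output variable, which is where most CI/CD credential leaks happen.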
Configurable deployment controls
AWS AppConfig shines in scenarios requiring sophisticated deployment controls and validation for configuration changes. Its validation mechanisms, gradual deployment capabilities, and automatic rollback make it well suited to feature flags and application configuration where controlled deployment is crucial. For instance, you might have a configuration file that contains an allowlist of network ranges that are permitted to reach your application, or feature flags that turn on AI-based recommendations or live chat with support.
These examples aren’t sensitive values that need strong access control, encryption, and automatic rotation to reduce the impact radius of a lost credential, so Secrets Manager wouldn’t be the most cost-effective place to store them: the additional value of features like automatic rotation isn’t needed for this use case. What this use case does need is what AWS AppConfig is designed for: validating configuration changes and deploying them in a controlled way. For a more concrete example, see the following configuration files, which outline a network allowlist and AI configuration data for an example application.
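The following is an added Python example, not the post's own configuration files. It covers both the deployment-safety discussion earlier (syntactic and semantic validators) and the allowlist and feature-flag use case here: a constructed freeform JSON configuration (not the AppConfig feature-flag profile type), a validator that rejects configurations that parse fine but would lock everyone out or let everyone in, the entry point shape an AppConfig Lambda validator uses (the candidate configuration arrives base64-encoded in the event's content field, and a raised exception fails the deployment), and the runtime checks the application performs against the deployed document. The CIDR ranges and flag names are constructed.

```python
"""Validate and evaluate an AppConfig freeform JSON configuration.

Added example (not from the original post). The document layout is an
assumption built from the use case in the text. validate_config() can
run locally, in CI, and inside an AppConfig Lambda validator.
"""
import base64
import ipaddress
import json
from typing import Any, Dict

# Constructed sample of the deployed configuration.
SAMPLE_CONFIG = json.dumps({
    "network": {"allowlist": ["10.0.0.0/8", "192.0.2.0/24", "2001:db8::/32"]},
    "features": {
        "ai_recommendations": {"enabled": False, "rollout_percent": 0},
        "live_chat": {"enabled": True, "rollout_percent": 100},
    },
})


def validate_config(doc: Dict[str, Any]) -> None:
    """Raise ValueError for anything that would break the application.

    Syntactic checks (keys, types) catch typos. Semantic checks catch
    documents that parse but are wrong: an empty allowlist locks every
    client out, a /0 prefix lets everyone in, a CIDR with host bits set
    is almost always a typo, and a rollout outside 0..100 is meaningless.
    """
    allow = doc.get("network", {}).get("allowlist")
    if not isinstance(allow, list) or not allow:
        raise ValueError("network.allowlist must be a non-empty list")
    for cidr in allow:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as e:
            raise ValueError(f"bad CIDR {cidr!r}: {e}") from e
        if net.prefixlen == 0:
            raise ValueError(f"{cidr} allows every address; refusing")
    feats = doc.get("features")
    if not isinstance(feats, dict):
        raise ValueError("features must be an object")
    for name, flag in feats.items():
        if not isinstance(flag, dict) or not isinstance(flag.get("enabled"), bool):
            raise ValueError(f"features.{name}.enabled must be a boolean")
        pct = flag.get("rollout_percent", 100)
        if not isinstance(pct, int) or not 0 <= pct <= 100:
            raise ValueError(f"features.{name}.rollout_percent must be 0..100")


def lambda_handler(event: Dict[str, Any], context=None) -> Dict[str, Any]:
    """AppConfig Lambda validator entry point: decode, validate, or raise."""
    doc = json.loads(base64.b64decode(event["content"]))
    validate_config(doc)
    return {"valid": True}


def is_allowed(doc: Dict[str, Any], client_ip: str) -> bool:
    """Runtime check: is the caller inside any allowlisted range?
    Mixed IPv4/IPv6 comparisons simply evaluate to False."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c) for c in doc["network"]["allowlist"])


def flag_enabled(doc: Dict[str, Any], name: str, bucket: int) -> bool:
    """Runtime check for a flag. `bucket` is a stable 0..99 value derived
    from the caller (for example a hash of the user id) so a partial
    rollout is sticky per user instead of flickering per request."""
    flag = doc["features"].get(name)
    if not flag or not flag["enabled"]:
        return False
    return bucket < flag.get("rollout_percent", 100)


if __name__ == "__main__":
    event = {"content": base64.b64encode(SAMPLE_CONFIG.encode()).decode()}
    print(lambda_handler(event))
    cfg = json.loads(SAMPLE_CONFIG)
    print(is_allowed(cfg, "10.1.2.3"), is_allowed(cfg, "198.51.100.1"))
```

Pair the validator with a gradual deployment strategy and a CloudWatch alarm on your application's error rate: the validator stops malformed documents before they deploy, and the alarm-driven rollback catches the semantic mistakes no validator can anticipate.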
Conclusion
Selecting the appropriate service depends on your specific requirements. Choose Parameter Store when managing basic configuration data, secure strings, or a large volume of secrets that don’t require rotation or multi-Region replication, particularly when cost optimization is important. Opt for Secrets Manager when handling sensitive credentials requiring rotation and cross-account or multi-Region resilience. Select AWS AppConfig when sophisticated deployment controls and validation for configuration changes are essential; and remember that you can use Parameter Store or Secrets Manager to store the actual configuration data, instead of or in addition to the default configuration datastore provided by AWS AppConfig.
These services aren’t mutually exclusive; they can work together as part of a comprehensive configuration management strategy. Many organizations successfully combine Parameter Store for general configuration data, Secrets Manager for sensitive credentials, and AWS AppConfig for feature flags and application configuration deployment. By using this integrated approach, you can take advantage of the strengths of each service while maintaining security and operational efficiency.
To get started, visit the AWS Management Console. Each service discussed in this post provides detailed documentation and getting started guides to help implement the right solution for your specific use case.