AWS Secrets Manager enables you to rotate, manage, and retrieve secrets throughout their lifecycle, making it easier to maintain a secure environment that meets your security and compliance needs. With Secrets Manager, you pay based on the number of secrets stored and API calls made. There are no upfront costs or long-term contracts. You simply pay for usage, without incurring costs related to infrastructure, licensing, and personnel required to ensure your secrets are reliably and highly available.
For a list of regions where AWS Secrets Manager is available, see the AWS Region Table.
Example 1: Production-scale web application
In this example, we assume you operate a highly available, production-scale web application that uses 1 load balancer, 2 web servers, 2 app servers, and 1 high-availability database server. In addition to the temporary AWS credentials delivered by IAM at no additional cost to access AWS resources, your application also requires 2 SSH keys per server and 5 database credentials per database. We assume that you SSH in to your instances once a day and your application uses the database credentials to refresh the database connection pool every hour. We also assume that you have configured Secrets Manager to rotate the database credentials every week.
- 2 SSH keys per server and 5 database credentials per database.
- 2 API calls per SSH key per day. 24 API calls per database credential per day. 7 API calls per database credential per week to rotate credentials safely.
Note: rotating a secret creates a new version of the secret. You are not charged for creating new versions.
|$6.00||15 secrets (2 SSH keys * 1 load balancer + 2 SSH keys * 2 web servers + 2 SSH keys * 2 app servers + 5 database credentials * 1 database) @ $0.40 / secret / month|
|$0.02||4,040 API calls (2 SSH keys/server * 5 servers * 1 API call/day * 30 days + 5 database credentials * 1 database * 24 API calls/day * 30 days + 5 database credentials * 1 database * 7 API calls/week * 4 weeks) @ $0.05/10,000 calls|
|$6.02||Total (per month)|
Example 2: Using ephemeral secrets to authenticate micro services
In this example, we assume you operate a custom solution for generating security tokens for authenticating 80 micro services. These security tokens are generated on-demand and are valid for 1 hour. We assume you generate 5M security tokens per month (each token valid for 1 hour) and store these in Secrets Manager. We also assume that each token is retrieved twice: once for authentication and then for requesting the next token.
- 5M secrets (each valid for 1 hour).
- 2 API calls per secret per month.
Note: Since these secrets are stored in Secrets Manager for an hour, the price per secret is calculated as $0.40 * 1 hour / (30 days * 24 hours) = $0.00056 / secret / hour.
|$2,800.00||5M secrets @ $0.00056 / secret / hour|
|$50.00||10M API calls (5M secrets * 2 API calls) @ $0.05/10,000 calls|
|$2,850.00||Total (per month)|
Example 3: An organization with a monthly AWS spend of $40K+
We assume such an organization has 1,500 secrets (database credentials, SSH keys, third-party API keys, OAuth tokens, etc.). We also assume that applications and employees interact with each secret 20 times a day (or 600 times a month).
- 1,500 secrets.
- 20 API calls per secret per day.
|$600.00||1,500 secrets @ $0.40 / secret|
|$4.50||900,000 API calls (1,500 secrets * 20 API calls/day * 30 days) @ $0.05/10,000 calls|
|$604.50||Total (per month)|
Example 4: An organization with a monthly AWS spend of $250K+
We assume such an organization has 10,000 secrets. We also assume that applications and employees interact with each secret 40 times a day (or 1,200 times a month).
- 10,000 secrets.
- 40 API calls per secret per day.
|$4,000.00||10,000 secrets @ $0.40 / secret|
|$60.00||12M API calls (10,000 secrets * 40 API calls/day * 30 days) @ $0.05/10,000 calls|
|$4,060.00||Total (per month)|