Storing sensitive data in AWS Secrets Manager

Where should I store my sensitive data, in AWS Secrets Manager or AWS SSM Parameter Store?


What do you mean by sensitive? Do you have some examples?

Depends on the use-case. If you need the features of AWS Secrets Manager then use that. If you don’t and just need to store a string in an encrypted way, then probably save some money and use AWS Parameter Store.

Personally I’d recommend AWS Secrets Manager. It’s relatively cheap and they actually do things the way that Parameter Store probably should have been built from day 1. I know it’s AWS, but the fact that these are even two separate products is bizarre.

I was begging AWS to build something like Secrets Manager (we were running Vault at the time). When SM finally shipped, we learned that two years before, Parameter Store shipped and pretty much no one noticed.

PS is built for storing parameters instead of full secrets. But with the KMS encryption, it makes it easy for many folks to store both secrets and parameters in a single place.

SM does have better tooling for secret-specific needs (such as tooling for rotations).

The other big thing to note between SM and PS is that SM gives you the ability to pay per request and burst as high as you need, whereas PS has defined limits. This means you need some scale to hit this problem, but I’ve seen it hit before and it’s a huge problem.