When should I use Secrets Manager versus SSM Parameter Store SecureString?

Use Secrets Manager when you need automatic rotation (built-in support for RDS, Redshift, DocumentDB), cross-region replication, or resource-based policies for cross-account sharing. Use SSM Parameter Store when you have simple key-value secrets that are rotated manually or through your own automation — standard parameters are free, and advanced parameters cost $0.05 per parameter per month. For most API keys and simple credentials, SSM Parameter Store is significantly cheaper.

How do API calls accumulate with automatic rotation?

Each rotation cycle generates multiple API calls: the rotation Lambda function calls GetSecretValue to retrieve the current secret, CreateSecret or PutSecretValue to store the new secret, and UpdateSecretVersionStage to finalize the rotation. If you have 100 secrets rotating every 30 days, that is roughly 400 additional API calls per month from rotation alone. Applications also generate GetSecretValue calls on each retrieval — caching the secret in your application (using the AWS SDK's built-in caching) dramatically reduces API call costs.

Secrets Manager Cost Estimator

IAM & SecurityAWS

Estimate AWS Secrets Manager costs including secrets, API calls, rotation, and replication with SSM Parameter Store comparison.

Input

Example Presets

Number of secrets

Each secret costs $0.40/month

API calls per month

Includes GetSecretValue, PutSecretValue, DescribeSecret, etc.

Enable automatic rotation

Replication regions

Number of additional regions for secret replication ($0.40/secret/region/month)

Compare with SSM Parameter Store

About This Tool

AWS Secrets Manager charges $0.40 per secret per month plus $0.05 per 10,000 API calls, and costs can escalate quickly with automatic rotation (which generates additional API calls), cross-region replication ($0.40 per replica per month), and high-frequency retrieval patterns. Many teams discover that SSM Parameter Store's SecureString parameters provide equivalent functionality for simple key-value secrets at significantly lower cost. This estimator calculates your projected Secrets Manager costs based on the number of secrets, API call volume, rotation frequency, and replication configuration, then provides a side-by-side comparison with SSM Parameter Store to help you choose the most cost-effective option.

When to Use This Tool

•Estimating monthly costs before migrating application secrets from environment variables or config files to Secrets Manager
•Comparing Secrets Manager versus SSM Parameter Store costs for different secret volume and access patterns
•Calculating the cost impact of enabling automatic rotation — each rotation triggers GetSecretValue, PutSecretValue, and Lambda invocation costs
•Projecting costs for multi-region secret replication strategies and understanding how replication increases per-secret costs

Frequently Asked Questions

When should I use Secrets Manager versus SSM Parameter Store SecureString?: Use Secrets Manager when you need automatic rotation (built-in support for RDS, Redshift, DocumentDB), cross-region replication, or resource-based policies for cross-account sharing. Use SSM Parameter Store when you have simple key-value secrets that are rotated manually or through your own automation — standard parameters are free, and advanced parameters cost $0.05 per parameter per month. For most API keys and simple credentials, SSM Parameter Store is significantly cheaper.
How do API calls accumulate with automatic rotation?: Each rotation cycle generates multiple API calls: the rotation Lambda function calls GetSecretValue to retrieve the current secret, CreateSecret or PutSecretValue to store the new secret, and UpdateSecretVersionStage to finalize the rotation. If you have 100 secrets rotating every 30 days, that is roughly 400 additional API calls per month from rotation alone. Applications also generate GetSecretValue calls on each retrieval — caching the secret in your application (using the AWS SDK's built-in caching) dramatically reduces API call costs.

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.