Estimate AWS Secrets Manager costs including secrets, API calls, rotation, and replication with SSM Parameter Store comparison.
Last verified: May 2026
Each secret costs $0.40/month
Includes GetSecretValue, PutSecretValue, DescribeSecret, etc.
Number of additional regions for secret replication ($0.40/secret/region/month)
The estimator multiplies your inputs by the unit prices (secret count × $0.40, API calls / 10,000 × $0.05, replicas × $0.40) and adds rotation overhead (rotation Lambda invocations + 4 API calls per rotation cycle × secrets × rotations/year). It then runs the same volume through SSM Parameter Store pricing (standard parameters free, $0.05 per advanced parameter per month, $0.05 per 10,000 high-throughput API calls) so you can see the dollar delta side-by-side and decide whether the rotation/replication features are worth the premium.
AWS Secrets Manager charges $0.40 per secret per month plus $0.05 per 10,000 API calls, and costs can escalate quickly with automatic rotation (which generates additional API calls), cross-region replication ($0.40 per replica per month), and high-frequency retrieval patterns. Many teams discover that SSM Parameter Store's SecureString parameters provide equivalent functionality for simple key-value secrets at significantly lower cost. This estimator calculates your projected Secrets Manager costs based on the number of secrets, API call volume, rotation frequency, and replication configuration, then provides a side-by-side comparison with SSM Parameter Store to help you choose the most cost-effective option.
You inherit a microservice fleet with 800 'secrets' in Secrets Manager — most of which are static API keys for third-party services that never rotate. The bill is $320/month for storage alone before API calls. You run the estimator and see the same workload in SSM Parameter Store SecureString costs $0/month for the first 10,000 parameters. You migrate the static keys to Parameter Store and keep only the 40 RDS credentials with auto-rotation in Secrets Manager. Annual savings: ~$3,500.
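The estimator's formula, applied to the 800-secret scenario above, as an added Python example (not this tool's own code). The `Workload` fields, the function names and the 12-rotations-per-year schedule are assumptions made for illustration; the prices are the ones quoted on this page.

```python
from dataclasses import dataclass

# Prices and call counts as quoted on this page (USD).
SECRET_MONTH = 0.40          # per secret, and per replica per region
API_PER_10K = 0.05           # Secrets Manager calls; SSM high-throughput calls
SSM_ADVANCED_MONTH = 0.05    # per advanced parameter
SSM_FREE_STANDARD = 10_000   # free standard parameters per region
CALLS_PER_ROTATION = 4       # API calls per rotation cycle

@dataclass
class Workload:              # hypothetical input shape for this example
    secrets: int
    api_calls_month: int = 0
    replica_regions: int = 0
    rotating_secrets: int = 0
    rotations_per_year: int = 0

def rotation_calls_month(w: Workload) -> float:
    return CALLS_PER_ROTATION * w.rotating_secrets * w.rotations_per_year / 12

def secrets_manager_month(w: Workload) -> dict:
    # Rotation Lambda invocation charges are left out: the page gives no price.
    calls = w.api_calls_month + rotation_calls_month(w)
    cost = {
        "storage": round(w.secrets * SECRET_MONTH, 4),
        "replication": round(w.secrets * w.replica_regions * SECRET_MONTH, 4),
        "api": round(calls / 10_000 * API_PER_10K, 4),
    }
    cost["total"] = round(sum(cost.values()), 4)
    return cost

def parameter_store_month(w: Workload, high_throughput: bool = False) -> float:
    # Assumption: only parameters beyond the free standard count are advanced,
    # and API calls are billed only when high throughput is enabled.
    advanced = max(0, w.secrets - SSM_FREE_STANDARD)
    calls = w.api_calls_month if high_throughput else 0
    return round(advanced * SSM_ADVANCED_MONTH + calls / 10_000 * API_PER_10K, 4)

if __name__ == "__main__":
    inherited = Workload(secrets=800)   # the inherited fleet from the page
    # 12 rotations/year is an assumed schedule for the 40 RDS credentials.
    kept = Workload(secrets=40, rotating_secrets=40, rotations_per_year=12)
    for name, w in (("inherited", inherited), ("kept", kept)):
        print(name, secrets_manager_month(w), parameter_store_month(w))
```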
Always cache secrets in your application using the AWS SDK's SecretsManagerCachingClient (Java) or aws-secretsmanager-caching libraries. Without caching, a Lambda function with 100 concurrent executions making one GetSecretValue per invocation will rack up GetSecretValue charges fast — caching takes the same workload to roughly zero API cost.
For simple API keys and config values that don't need rotation, SSM Parameter Store SecureString is free for standard parameters (up to 10,000 per region) versus $0.40/secret/month in Secrets Manager. Reserve Secrets Manager for credentials that genuinely benefit from rotation, replication, or resource-based policies.
Cross-region replication doubles per-secret cost ($0.40 → $0.80) but doesn't double API call costs unless your app actively reads from both regions. If you're replicating purely for DR, GetSecretValue calls in the secondary region will be near-zero in steady state.
Use Secrets Manager when you need automatic rotation (built-in support for RDS, Redshift, DocumentDB), cross-region replication, or resource-based policies for cross-account sharing. Use SSM Parameter Store when you have simple key-value secrets that are rotated manually or through your own automation — standard parameters are free, and advanced parameters cost $0.05 per parameter per month. For most API keys and simple credentials, SSM Parameter Store is significantly cheaper.
Each rotation cycle generates multiple API calls: the rotation Lambda function calls GetSecretValue to retrieve the current secret, CreateSecret or PutSecretValue to store the new secret, and UpdateSecretVersionStage to finalize the rotation. If you have 100 secrets rotating every 30 days, that is roughly 400 additional API calls per month from rotation alone. Applications also generate GetSecretValue calls on each retrieval — caching the secret in your application (using the AWS SDK's built-in caching) dramatically reduces API call costs.
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.