AWS Secrets Manager stores and manages database credentials, API keys, OAuth tokens, and other sensitive data with built-in rotation support. The pricing is based on two dimensions: per-secret storage and API call volume. While individual secret costs seem small, organizations with hundreds of microservices can accumulate significant monthly charges.
TL;DR: Secrets Manager charges $0.40 per secret per month and $0.05 per 10,000 API calls. A typical application with 20 secrets and 500,000 API calls/month costs $10.50. For configuration values that do not require rotation, SSM Parameter Store is free for standard parameters. Use Secrets Manager only for credentials that need automatic rotation.
Core Pricing
| Component | Price |
|---|---|
| Per Secret | $0.40/month |
| API Calls | $0.05 per 10,000 calls |
| Replica Secrets (per region) | $0.40/month per replica |
What Counts as a Secret?
Each secret is a single stored value, which can be a plaintext string, JSON object, or binary blob up to 64 KB. A single secret might contain one database password or a JSON object with multiple key-value pairs. Storing related credentials in a single JSON secret rather than separate secrets reduces costs.
For example, a database connection with host, port, username, and password stored as four separate secrets costs $1.60/month. The same information stored as one JSON secret costs $0.40/month.
API Call Pricing
| Operation | Cost |
|---|---|
| GetSecretValue | $0.05/10,000 calls |
| DescribeSecret | $0.05/10,000 calls |
| PutSecretValue | $0.05/10,000 calls |
| ListSecrets | $0.05/10,000 calls |
| All other API calls | $0.05/10,000 calls |
Typical API Call Patterns
Every time your application retrieves a secret, it generates a GetSecretValue API call. Microservices that restart frequently or do not cache secrets can generate high API volumes.
| Application Pattern | Monthly API Calls | API Cost |
|---|---|---|
| Single app, cached secrets | 1,000 | $0.005 |
| 10 microservices, restart daily | 300,000 | $1.50 |
| 100 microservices, no caching | 5,000,000 | $25.00 |
| Lambda (per invocation fetch) | 50,000,000 | $250.00 |
Lambda functions that fetch secrets on every invocation without caching can generate enormous API volumes. Use the AWS Parameters and Secrets Lambda Extension to cache secrets in memory between invocations, reducing API calls by 95%+.
Secret Rotation Costs
| Component | Direct Cost |
|---|---|
| Rotation Configuration | Free |
| Rotation Lambda Function | Standard Lambda pricing |
| API Calls During Rotation | $0.05/10,000 |
Secrets Manager includes built-in rotation support for RDS databases (MySQL, PostgreSQL, Oracle, SQL Server, MariaDB), Redshift, and DocumentDB. Rotation uses a Lambda function that Secrets Manager creates and manages. Each rotation invocation costs approximately $0.0000002 in Lambda charges.
Custom rotation for non-AWS services requires you to write and maintain the Lambda function. The rotation function typically runs every 30-90 days, making Lambda costs negligible (under $0.01/month even with hundreds of secrets).
Secrets Manager vs SSM Parameter Store
| Feature | Secrets Manager | SSM Parameter Store (Standard) | SSM Parameter Store (Advanced) |
|---|---|---|---|
| Per-secret cost | $0.40/month | Free | $0.05/month |
| API cost | $0.05/10K calls | Free (under 10K/sec) | $0.05/10K calls |
| Max size | 64 KB | 4 KB | 8 KB |
| Automatic rotation | Built-in | Not available | Not available |
| Cross-region replication | Built-in | Not available | Not available |
| Versioning | Automatic | Manual (labels) | Manual (labels) |
| KMS encryption | Always encrypted | Optional | Always encrypted |
When to Use Each
Use Secrets Manager for:
- Database credentials that need automatic rotation
- API keys shared across multiple AWS accounts
- Secrets requiring cross-region replication for disaster recovery
- Compliance requirements mandating rotation audit trails
Use SSM Parameter Store for:
- Application configuration values (feature flags, URLs, thresholds)
- Non-sensitive parameters that do not need rotation
- Cost-sensitive environments where $0.40/secret/month adds up
- Parameters under 4 KB (covers most configuration values)
A practical strategy is to store rotating credentials in Secrets Manager and everything else in SSM Parameter Store. An application with 5 database credentials and 50 configuration values costs $2.00/month with this approach vs $22.00/month storing everything in Secrets Manager.
Cost Examples
| Scenario | Secrets | API Calls/mo | Monthly Cost |
|---|---|---|---|
| Startup (5 services) | 15 | 100,000 | $6.50 |
| Mid-size (25 services) | 75 | 1,000,000 | $35.00 |
| Enterprise (200 services) | 500 | 10,000,000 | $250.00 |
| Enterprise (mixed with SSM) | 50 SM + 450 SSM | 10,000,000 | $70.00 |
The enterprise example shows how combining Secrets Manager with SSM Parameter Store reduces costs by 72%.
Cost Optimization Strategies
-
Consolidate related secrets into JSON objects. Store database host, port, username, and password as a single JSON secret instead of four separate secrets. This reduces per-secret charges by 75% for grouped credentials.
-
Cache secrets in your application. Use the AWS SDK caching client or the Lambda extension to cache secrets locally. A TTL of 5-15 minutes reduces API calls by 90-99% with minimal security trade-off.
-
Use SSM Parameter Store for non-rotating values. Configuration values, feature flags, and endpoint URLs do not need Secrets Manager's rotation capabilities. SSM Parameter Store Standard tier is free for both storage and API calls.
-
Delete unused secrets. Secrets from decommissioned services, old database connections, or deprecated API integrations continue to incur $0.40/month each. Audit secrets quarterly and delete any that are no longer referenced.
-
Avoid per-invocation secret fetching in Lambda. Without caching, a Lambda function processing 1 million invocations per month generates 1 million API calls ($5.00) just for secret retrieval. The Lambda extension caches secrets across warm invocations, cutting this to under $0.10.
-
Use resource policies instead of replica secrets. Cross-account secret sharing via resource policies avoids the $0.40/month per-replica cost of cross-region replication when you only need cross-account access within the same region.
Related Guides
FAQ
Does Secrets Manager have a free tier?
Secrets Manager offers a 30-day free trial for each new secret. After the trial, each secret costs $0.40/month. There is no permanent free tier. For a permanent free option, use SSM Parameter Store Standard tier for non-sensitive configuration values.
How much does secret rotation cost?
Rotation itself is nearly free. The Lambda function that performs rotation costs fractions of a cent per execution, and the API calls during rotation are negligible. The primary cost is the $0.40/month per-secret storage charge, not the rotation process.
Can I reduce costs by storing multiple credentials in one secret?
Yes. Storing a JSON object with multiple key-value pairs in a single secret is a best practice. A single secret containing 10 API keys costs $0.40/month vs $4.00/month for 10 separate secrets. The trade-off is that all values in a single secret share the same rotation schedule and access policy.
Lower Your Secrets Manager Costs with Wring
Wring helps you access AWS credits and volume discounts to lower your Secrets Manager costs. Through group buying power, Wring negotiates better rates so you pay less per secret and API call.
