Secrets Manager vs Parameter Store cost: stop paying $0.40 for static secrets

Secrets Manager is $0.40/secret/month + API calls; Parameter Store standard tier is free. Here's what the fee actually buys (rotation, cross-account) and the split that cuts a large secrets bill by 90%.

The C3X Team · 7 min read

Quick answer

Secrets Manager costs $0.40 per secret/month + $0.05 per 10k API calls; Parameter Store standard tier is free (advanced is $0.05 per parameter/month). Use Secrets Manager for secrets that need automatic rotation or cross-account sharing, and Parameter Store SecureString for everything else. Splitting them this way turns a hundreds-of-dollars secrets bill into a handful of rotating secrets that justify the fee.

These two services overlap enough that teams pick one by default and never revisit it — usually Secrets Manager for everything, because it has "secrets" in the name. At a handful of secrets that's fine. At hundreds, the $0.40-per-secret fee becomes a line item worth a second look, because most of those secrets don't use the features you're paying for.

The price difference

  • Secrets Manager: $0.40 per secret per month + $0.05 per 10,000 API calls. Includes managed rotation, versioning, resource policies, and cross-account access.
  • Parameter Store (standard): free — no per-parameter charge, up to 10,000 parameters, standard throughput. SecureString values use KMS (small per-request KMS charges).
  • Parameter Store (advanced): $0.05 per parameter per month for larger values (up to 8 KB) and higher throughput.

What the $0.40 actually buys

Secrets Manager's fee is for capabilities Parameter Store doesn't have natively:

  • Automatic rotation — built-in Lambda rotation for RDS, Redshift, and DocumentDB credentials, and custom rotation for others. This is the headline feature.
  • Cross-account sharing via resource policies.
  • Managed versioning and staging labels for safe rotation cutovers.

If a secret doesn't need any of these — a third-party API key, a config value, a static token — you're paying $0.40/month for storage you could get free.

The split that saves money

The pattern most cost-conscious teams land on:

  1. Secrets Manager for secrets that genuinely rotate (database credentials) or need cross-account access. These justify the fee.
  2. Parameter Store SecureString for everything else — API keys, config, static secrets — at standard-tier free.

An estate of 300 secrets all in Secrets Manager is $120/month just to store them. Keep the 30 that actually rotate in Secrets Manager and move the rest to Parameter Store, and that drops to $12, for the same security posture.
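The split above can be decided from an inventory rather than by hand. The following is an added example, not C3X or AWS code: it keeps a secret in Secrets Manager when rotation is enabled or when its resource policy allows a principal outside the owning account, and lists the rest as Parameter Store candidates. The function names, secret names and account IDs are constructed for illustration; `Name` and `RotationEnabled` are fields of `ListSecrets` entries.

```python
import json

SM_PER_SECRET_USD = 0.40  # per-secret monthly fee quoted in the article

def external_principals(policy_json, own_account):
    """AWS principals in Allow statements that are not in own_account."""
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):          # a single statement object is legal
        statements = [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            # "*" (even with conditions) is treated as external: keep, don't move
            if p == "*" or own_account not in p:
                found.append(p)
    return found

def triage(secrets, policies, own_account):
    """Return (keep, move): keep maps name -> reason to stay in Secrets Manager."""
    keep, move = {}, []
    for s in secrets:
        name = s["Name"]
        if s.get("RotationEnabled"):
            keep[name] = "rotation enabled"
        elif external_principals(policies.get(name), own_account):
            keep[name] = "cross-account resource policy"
        else:
            move.append(name)
    return keep, move

def monthly_storage_usd(secret_count):
    return round(secret_count * SM_PER_SECRET_USD, 2)

# Constructed sample data: entries shaped like ListSecrets output, and
# GetResourcePolicy documents keyed by secret name. Account IDs are made up.
OWN_ACCOUNT = "111122223333"
SAMPLE_SECRETS = [
    {"Name": "prod/orders/db", "RotationEnabled": True},
    {"Name": "prod/shared/signing-key", "RotationEnabled": False},
    {"Name": "prod/billing/vendor-api-key"},
]
SAMPLE_POLICIES = {"prod/shared/signing-key": json.dumps({"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
    "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]})}
```

Against a live account the two inputs would come from boto3's `list_secrets` and `get_resource_policy`; the triage only needs read access to secret metadata, not to secret values.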

Trim the API-call charges too

Secrets Manager bills $0.05 per 10,000 calls. A service that fetches its secret on every request instead of caching it at startup can rack up call charges. Cache fetched secrets in memory and refresh on rotation, not per request.
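A sketch of that caching pattern, as an added example rather than code from C3X or AWS: a TTL cache that fetches once, serves from memory, and refetches only when the TTL expires or the credential is rejected after a rotation. The `fetch` callable, the use of `PermissionError` as the "stale credential" signal, and the secret name are assumptions; in a real service `fetch` would wrap `get_secret_value`.

```python
import threading
import time

class SecretCache:
    """In-memory cache: one fetch per TTL window instead of one per request."""

    def __init__(self, fetch, ttl_seconds=3600, clock=time.monotonic):
        self._fetch = fetch            # callable(secret_id) -> secret value
        self._ttl = ttl_seconds
        self._clock = clock
        self._lock = threading.Lock()
        self._entries = {}             # secret_id -> (value, expires_at)
        self.fetch_count = 0           # number of billable API calls made

    def get(self, secret_id, force_refresh=False):
        with self._lock:
            entry = self._entries.get(secret_id)
            if entry and not force_refresh and self._clock() < entry[1]:
                return entry[0]
            value = self._fetch(secret_id)
            self.fetch_count += 1
            self._entries[secret_id] = (value, self._clock() + self._ttl)
            return value

def call_with_secret(cache, secret_id, use):
    """Run use(secret). If it raises PermissionError (assumed signal that the
    cached credential was rotated away), refetch once and retry."""
    try:
        return use(cache.get(secret_id))
    except PermissionError:
        return use(cache.get(secret_id, force_refresh=True))

def demo():
    """Constructed scenario: 1,000 requests with a rotation at request 500."""
    store = {"prod/orders/db": "pw-v1"}        # stands in for Secrets Manager
    cache = SecretCache(lambda sid: store[sid])

    def use(secret):                           # stands in for a database login
        if secret != store["prod/orders/db"]:
            raise PermissionError("stale credential")
        return "ok"

    for i in range(1000):
        if i == 500:
            store["prod/orders/db"] = "pw-v2"  # rotation happens here
        call_with_secret(cache, "prod/orders/db", use)
    return cache.fetch_count                   # billable calls for 1,000 requests
```

The retry is bounded to a single refetch, so a credential that is genuinely wrong still surfaces as an error instead of looping against the API.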

FAQ

How much does AWS Secrets Manager cost?

$0.40 per secret per month, plus $0.05 per 10,000 API calls. Ten secrets fetched normally is $4/month plus call charges. The per-secret fee is the part that adds up — a microservices estate with hundreds of secrets pays hundreds of dollars a month just to store them.

Is Parameter Store free?

Standard-tier parameters are free: no per-parameter charge and standard throughput, up to 10,000 parameters per account. Advanced-tier parameters cost $0.05 per parameter per month and allow larger values and higher throughput. SecureString parameters use KMS, which has its own small charges.

When is Secrets Manager worth the cost over Parameter Store?

When you need built-in automatic rotation (especially for RDS/Redshift/DocumentDB credentials), cross-account secret sharing, resource policies, or larger secrets with managed versioning. Those features are what you're paying the $0.40/secret for — Parameter Store doesn't offer native rotation.

Can I use Parameter Store for secrets?

Yes. SecureString parameters encrypt values with KMS and are a legitimate, near-free way to store secrets that don't need automatic rotation or cross-account sharing. Many teams keep config and static secrets in Parameter Store and reserve Secrets Manager for rotating database credentials.

How do I reduce secrets-related costs?

Keep static config and non-rotating secrets in Parameter Store standard tier (free), reserve Secrets Manager for secrets that need rotation or cross-account access, consolidate related values into a single secret instead of many, and cache fetched secrets in your app to cut API-call charges.

How does C3X estimate this?

C3X prices an aws_secretsmanager_secret at the per-secret monthly fee and treats API calls as usage-driven, so a large estate of secrets shows its monthly cost — and the savings from moving non-rotating ones to Parameter Store become obvious.

What to do next

The per-secret fee is easy to overlook because each secret is cheap — it's the count that gets you. C3X prices every aws_secretsmanager_secret in your Terraform, so a large estate's monthly storage cost is visible and the case for moving non-rotating secrets to Parameter Store is quantified. The quickstart runs it across your stack in minutes.
