aws_secretsmanager_secret cost estimation

A managed secret with versioning, rotation, and IAM-controlled access. Flat $0.40/month per secret plus per-API-call charges.

An aws_secretsmanager_secret is a managed secret value (database password, API key, OAuth token, certificate, etc.) with automatic rotation, versioning, and cross-account access control.

Pricing is simple but adds up fast:

First, $0.40 per secret per month. Pro-rated by the hour. Deleted secrets continue billing until the recovery window expires (default 30 days).

Second, $0.05 per 10,000 API calls. GetSecretValue, DescribeSecret, ListSecrets all count. Most applications fetch a secret once at startup and cache it, so request charges are typically small.

Cross-region replication (via aws_secretsmanager_secret_replica) charges $0.40/month per region replicated to. Three-region replication costs $1.20/month per secret.

Compared to alternatives:

- SSM Parameter Store Standard tier: free up to 10,000 parameters. No rotation. Right when you don't need rotation or cross-account access.
- SSM Parameter Store Advanced tier: $0.05/parameter/month with higher value-size limits and parameter policies. Cheaper than Secrets Manager but no rotation.
- Encrypted env vars or config files: free but no rotation, no audit logs, no centralized access control.

The case for Secrets Manager: automatic rotation (especially for RDS passwords), cross-account access, and detailed CloudTrail audit. The case against: cost piles up when you have hundreds of secrets across many environments.

c3x reads the secret count from declared aws_secretsmanager_secret resources. API call volume is usage-based via c3x-usage.yml.

Terraform example

A minimal but realistic configuration that C3X can estimate.

resource "aws_secretsmanager_secret" "db_password" {
  name        = "production/db/master-password"
  description = "Master password for production database"

  recovery_window_in_days = 7

  tags = {
    Environment = "production"
  }
}

resource "aws_secretsmanager_secret_version" "db_password" {
  secret_id     = aws_secretsmanager_secret.db_password.id
  secret_string = jsonencode({
    username = "app"
    password = var.db_password
  })
}

Pricing dimensions

What you actually pay for when you provision aws_secretsmanager_secret.

| Dimension | Unit | What's being charged | Rate |
| --- | --- | --- | --- |
| Secret | per secret per month | Flat fee for each secret. Pro-rated by hour. Pending-deletion secrets still bill until the recovery window expires. | $0.40/month per secret |
| API calls | per 10,000 requests | GetSecretValue, PutSecretValue, ListSecrets, etc. Typically small for cached applications. | $0.05/10,000 requests |
| Cross-region replicas | per replica per month | Each region the secret is replicated to is billed as if it were a separate secret. | $0.40/month per replica region |
| Rotation | Lambda compute | Rotation is performed by a Lambda function. The Lambda's compute cost (typically negligible) is billed separately as aws_lambda_function. | |

Optimization tips

Common ways to reduce aws_secretsmanager_secret cost without changing the workload.

Use SSM Parameter Store for non-rotating config

$0.40 per migrated secret per month

Standard tier Parameter Store is free up to 10,000 parameters. If you don't need rotation, audit logging, or cross-account access, Parameter Store is the right choice.

Set short recovery_window_in_days for deleted secrets

Up to 23 days of $0.40/secret

Default is 30 days; minimum is 7. Set recovery_window_in_days = 7 to stop billing sooner for confirmed-unused secrets.

Consolidate related secrets into one JSON value

$0.40 per consolidated secret

One secret can hold a JSON document (username + password + URL + port). Stop using one secret per field; consolidate logically related credentials.

Audit and remove orphaned secrets

$0.40/month per removed

Old test secrets, decommissioned service secrets, and rotation-test artifacts can linger forever. Periodically list all secrets and delete what's no longer used.
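One way to run the periodic audit described above, as an added example (not c3x code): it classifies entries from a ListSecrets response by last access and prices the stale ones at the $0.40/month rate from this page. The sample data, the 90-day threshold and the `audit` function name are assumptions; timestamps are assumed to be ISO 8601 strings.

```python
import json
from datetime import datetime, timedelta, timezone

PRICE_PER_SECRET_MONTH = 0.40  # flat per-secret rate quoted on this page

# Constructed sample shaped like a ListSecrets response (entries with
# DeletedDate only appear when planned deletions are included in the listing).
SAMPLE = json.loads("""
{"SecretList": [
  {"Name": "production/db/master-password",
   "CreatedDate": "2023-01-10T08:00:00+00:00", "LastAccessedDate": "2024-05-30T00:00:00+00:00"},
  {"Name": "staging/legacy-api-key",
   "CreatedDate": "2022-09-01T08:00:00+00:00", "LastAccessedDate": "2023-11-02T00:00:00+00:00"},
  {"Name": "test/rotation-experiment",
   "CreatedDate": "2023-08-14T09:12:00+00:00"},
  {"Name": "dev/old-service-token",
   "CreatedDate": "2022-03-01T08:00:00+00:00", "LastAccessedDate": "2023-06-01T00:00:00+00:00",
   "DeletedDate": "2024-05-20T10:00:00+00:00"}
]}
""")

def audit(secret_list, now, stale_after_days=90):
    """Split secrets into active, stale (review for deletion) and pending deletion."""
    cutoff = now - timedelta(days=stale_after_days)
    report = {"active": [], "stale": [], "pending_deletion": []}
    for s in secret_list:
        if "DeletedDate" in s:
            # Already scheduled for deletion; still billed until the recovery window expires.
            report["pending_deletion"].append(s["Name"])
            continue
        # Never-read secrets have no LastAccessedDate; fall back to CreatedDate
        # so a freshly created secret is not flagged as stale.
        last = s.get("LastAccessedDate") or s.get("CreatedDate")
        if last is None or datetime.fromisoformat(last) < cutoff:
            report["stale"].append(s["Name"])
        else:
            report["active"].append(s["Name"])
    # Monthly saving if every stale secret is confirmed unused and removed.
    report["monthly_savings_usd"] = round(len(report["stale"]) * PRICE_PER_SECRET_MONTH, 2)
    return report

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print(json.dumps(audit(SAMPLE["SecretList"], now), indent=2))
```

Stale entries are candidates for review, not automatic deletion: confirm with the owning team before removing a credential that a rarely run job may still need.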

FAQ

Why does my Secrets Manager bill keep growing?

Three common causes: secrets created per environment (one per dev/staging/prod), per-field secrets (separate secret for username and password), and never-cleaned-up test secrets. Each is $0.40/month. A team with hundreds of secrets across services and environments easily hits $200+/month.

Can c3x estimate the rotation Lambda?

Yes, if the rotation Lambda is declared as a separate aws_lambda_function resource. Rotations are typically infrequent (every 30-90 days), so the Lambda cost is usually negligible.

What's the difference vs SSM Parameter Store?

Parameter Store Standard is free up to 10K params, no rotation, basic IAM. Parameter Store Advanced is $0.05/param/month with parameter policies but still no built-in rotation. Secrets Manager has automatic rotation, cross-account access, and dedicated KMS keys. Pick by feature need.

Does the KMS key cost extra?

If you use the AWS-managed key (aws/secretsmanager), no. If you use a customer-managed KMS key, yes — $1/month per CMK plus the GenerateDataKey operations Secrets Manager performs.

Estimate this resource in your own Terraform

Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including aws_secretsmanager_secret.