Operations Management

Managing Configuration and Secrets with AWS Systems Manager Parameter Store - Hierarchical Structure and Encryption

Learn how to manage configuration values and secrets with Parameter Store, design hierarchical parameter structures, and choose between Parameter Store and Secrets Manager.

約 3 分で読めます

Overview of Parameter Store

Parameter Store is a key-value store for managing configuration data and secrets in a hierarchical structure. While Secrets Manager specializes in automatic rotation of database credentials, Parameter Store manages both general application settings (feature flags, endpoint URLs, thresholds) and secrets. Standard parameters are free, with a limit of up to 10,000 per account.

Hierarchical Structure and Choosing Between Secrets Manager

Use path separators (/) in parameter names to build a hierarchical structure. Organize parameters by environment and component, such as /myapp/prod/db/host and /myapp/prod/db/password, and use GetParametersByPath to retrieve all parameters under a specific path at once. For choosing between Secrets Manager and Parameter Store: use Secrets Manager for database credentials that require automatic rotation, and Parameter Store for all other configuration values and secrets. Parameter Store also supports Secrets Manager references (aws:secretsmanager:), allowing you to use both services in an integrated manner.

Integration with Lambda and ECS

To retrieve Parameter Store parameters from Lambda functions, use the AWS Parameters and Secrets Lambda Extension. The extension caches parameters locally, eliminating the need for an API call on every Lambda invocation. In ECS task definitions, reference Parameter Store parameters in the secrets section to inject them as container environment variables. SecureString parameters are encrypted with KMS, and decryption permissions are controlled through IAM policies. Parameter versioning tracks change history, enabling rollback to a previous version when issues arise. Parameter policies allow setting expiration dates and automatic notifications for expired parameters. To deepen your operational knowledge of configuration management, specialized books on Amazon are a useful resource.

Parameter Store Pricing

Standard parameters are free, with a limit of up to 10,000 parameters per account. Advanced parameters cost approximately $0.05 per parameter per month and support sizes up to 8 KB, parameter policies, and a limit of 100,000 parameters. API calls are free for Standard parameters, and approximately $0.05 per 10,000 requests for Advanced parameters with the higher throughput option. Compared to Secrets Manager ($0.40/secret/month), Parameter Store is more cost-effective for configuration values that do not require automatic rotation.

Summary

Parameter Store is a service for managing application settings and secrets in a hierarchical structure. The Lambda extension enables low-latency configuration retrieval through caching, and the ECS task definition secrets section provides secure injection into containers. Standard parameters are free for up to 10,000 entries, offering superior cost efficiency compared to Secrets Manager for configuration values that do not require automatic rotation.

Related Services

AWS Systems Manager Parameter StoreA hierarchical store for securely managing configuration data and secretsAWS KMSA managed encryption key service for securely creating and managing keys used to encrypt dataAWS LambdaA serverless compute service that runs code without server management

Related Articles

AWS Secrets Manager - Automatic Rotation and Application IntegrationAutomatically rotate RDS and Aurora passwords with Lambda functions and seamlessly retrieve secrets from applications using the SDK caching library. Also covers when to use Parameter Store instead.AWS Secrets Manager Multi-Region Strategy - Replication and Cross-Account SharingLearn how to achieve disaster recovery with multi-region replication and build centralized management from a security account using cross-account access.Amazon API Gateway Design Patterns - Choosing Between REST API and HTTP APIClear criteria for choosing between HTTP API and REST API, authentication patterns with Cognito and Lambda authorizers, and practical throttling design techniques.

More on This Topic

How AWS Keeps Time Internally - Amazon Time Sync Service and Leap Second Smearing DesignLearn how Amazon Time Sync Service works, how GPS and atomic clocks provide high-precision time sources, the design decision to absorb leap seconds through smearing, and why time synchronization matters in distributed systems.Centralizing SaaS Audit Logs with AWS AppFabric - OCSF Standardization and Security Lake IntegrationLearn how AppFabric collects audit logs from SaaS applications, standardizes them to OCSF format, and builds analysis pipelines.Implementing Feature Flags with AWS AppConfig - Safe Configuration Deployment and RollbackRoll out configuration changes independently from code deployments using Linear and Exponential strategies. Ensure safety with automatic rollback triggered by CloudWatch alarms.Architecture Review - Systematically Evaluate Workloads with the AWS Well-Architected ToolLearn about architecture reviews using the AWS Well-Architected Tool. Covers evaluation based on the six pillars, improvement planning, and custom lens usage.Audit Log Design and Operations - Complete API Activity Recording with CloudTrailLearn how to design audit logs using AWS CloudTrail, including recording API activity, long-term storage in S3, and compliance automation through integration with AWS Config.Lessons from AWS Incident Reports (COE) - How Past Major Outages Shaped Design PrinciplesAnalyze the root causes of past major incidents including the S3 outage, us-east-1 DNS failure, and Kinesis outage from AWS's published Correction of Errors (COE) and incident reports, and explain how they changed AWS's design principles.Tag Design Determines Operations - Trivia and Practical Naming Conventions for AWS Resource Tagging StrategyWe explain why AWS resource tags are not just labels but the foundation for cost allocation, access control, and automation, covering tag key naming conventions, how to use the 50-tag limit, and governance through tag policies.Why AWS Service Quotas Exist - Multi-Tenant Design That Protects Shared InfrastructureExplain how AWS service quotas (formerly service limits) are not mere restrictions but a design to protect other customers in a multi-tenant environment, covering the noisy neighbor problem, soft vs hard limits, and what happens behind quota increase requests.

Similar Articles and Services

AWS Secrets ManagerA service for securely storing, retrieving, and automatically rotating secrets such as database passwords and API keys, eliminating hard-coded credentialsAWS Secrets Manager - Automatic Rotation and Application IntegrationAutomatically rotate RDS and Aurora passwords with Lambda functions and seamlessly retrieve secrets from applications using the SDK caching library. Also covers when to use Parameter Store instead.AWS Systems ManagerA service that centralizes operational management of EC2 instances and on-premises servers, enabling patch application, command execution, parameter management, and session connections securely without SSHAWS Secrets ManagerSecurely manage and automatically rotate database passwords and API keys