QubOps

Day 19 - Secrets

AWS Cost Optimisation Advent Calendar 2024


Welcome to day 19 of the unofficial AWS Cost Optimisation Advent Calendar 2024, where every day we will be sharing new tips or tricks to help you optimise your cloud costs before Christmas 2024.

Today we are going to talk about Secrets Manager.

Secrets are a crucial part of any application, and AWS Secrets Manager is a great tool to manage, retrieve, and rotate your secrets. However, it is also often the most expensive way of managing secrets in AWS.

Here are a few tips to help you optimise your costs when using Secrets Manager.

1. Understand the cost and usage

AWS Secrets Manager has two main costs:

  1. A monthly cost per secret stored.
  2. A cost per 10,000 API calls.

At the time of writing, the cost per secret stored is $0.40 per month. It doesn't sound like a lot, but if you have many secrets this can quickly add up.

The cost per 10,000 API calls is $0.05. An API call is counted every time you retrieve a secret, rotate a secret, or perform any other action on a secret.

To see how much you are spending on Secrets Manager, open AWS Cost Explorer, use "Service" as the filter and select "Secrets Manager".

Simply put, the two main reasons for high costs are:

  1. Too many secrets in Secrets Manager
  2. Too many API calls

2. Too many secrets in Secrets Manager

The first thing you should do is review what is in Secrets Manager and make sure the entries are actually secrets and that it is not being used as a general key-value store.

The second thing you need to consider is why the secret is actually in Secrets Manager.

AWS provides an alternative to Secrets Manager that is just as secure: SSM Parameter Store.

SSM Parameter Store is free to use and can store secrets in a secure way just like Secrets Manager. The main difference is that it doesn't have the same level of automation and integration as Secrets Manager.

Secrets stored as SecureString parameters are encrypted in SSM Parameter Store, and access can be restricted using IAM policies in the same way as for Secrets Manager secrets.

So when should you use Secrets Manager over SSM Parameter Store?

  1. When you need to rotate the secret automatically
  2. When you need to store more than 8KB of data
  3. Use cases where your app or service only supports Secrets Manager

In most other cases you are probably better off using SSM Parameter Store and saving the cost.

3. Too many API calls

The second reason for high costs is too many API calls. This can be caused by an oversight in application design or by a misconfigured application.

For example, if you have a web application that interacts with a database and retrieves the database password from Secrets Manager on every user request, the API calls are going to add up quickly.

A common approach to avoid this problem is to fetch the secret once and keep it in memory for re-use on the next request.
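The fetch-once pattern described above, as an added example that is not code from the original post. It also bounds how long a cached value is reused and refetches once on an authentication failure, so a rotated secret is still picked up. The names `CachedSecret`, `secrets_manager_fetcher` and `call_with_secret`, the 300-second TTL and the use of `PermissionError` as the auth-failure signal are assumptions for illustration.

```python
import threading
import time


class CachedSecret:
    """Fetch a secret once, reuse it in memory, refetch after `ttl` seconds."""

    def __init__(self, fetch, ttl=300.0, clock=time.monotonic):
        self._fetch = fetch          # callable returning the current secret value
        self._ttl = ttl              # upper bound on how stale a cached value can be
        self._clock = clock          # injectable so expiry can be tested without sleeping
        self._lock = threading.Lock()
        self._value = None
        self._expires = 0.0
        self.fetches = 0             # upstream (billable) calls made so far

    def get(self, force=False):
        with self._lock:             # one refetch even when many threads expire together
            if force or self._value is None or self._clock() >= self._expires:
                self._value = self._fetch()
                self._expires = self._clock() + self._ttl
                self.fetches += 1
            return self._value


def secrets_manager_fetcher(secret_id, client=None):
    """Build a fetch callable around GetSecretValue; boto3 is imported lazily."""
    def fetch():
        nonlocal client
        if client is None:
            import boto3             # needs AWS credentials and network access
            client = boto3.client("secretsmanager")
        return client.get_secret_value(SecretId=secret_id)["SecretString"]
    return fetch


def call_with_secret(cache, action, auth_error=PermissionError):
    """Run action(secret); on an auth failure refetch once, as the secret may have rotated."""
    try:
        return action(cache.get())
    except auth_error:
        return action(cache.get(force=True))


if __name__ == "__main__":
    # Constructed stand-in for Secrets Manager so the demo runs offline.
    cache = CachedSecret(lambda: "constructed-db-password", ttl=300)
    for _ in range(10_000):          # 10,000 requests, one upstream call
        cache.get()
    print("requests=10000 upstream_calls=%d" % cache.fetches)
```

The TTL is the trade-off knob: a longer value means fewer API calls, but a rotated or revoked secret stays in process memory for up to that long.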

So if you find you are hitting the API call limit on Secrets Manager, it is worth spending some time understanding how Secrets Manager is being called and whether you can reduce the API calls.

Sometimes high API call volumes are unavoidable, and in this case you need to consider the trade-off between cost and the convenience of having the features of Secrets Manager.

You may decide that scheduled tasks such as manual rotation of secrets are better for the organisation if Secrets Manager costs are exploding.

Conclusion

Secrets Manager is a great tool for managing secrets in AWS but it comes at a price which is worth considering when designing your application.

Make sure you are not overpaying to keep your secrets safe and that you are definitely benefiting from the extra features Secrets Manager is providing to make it worth the cost.

We hope you found this tip useful and we will be back tomorrow with another tip.
