AWS Secrets Manager Pricing: Real Costs + When It Gets Expensive (2026)
AWS Secrets Manager pricing explained: $0.40 per secret/month, $0.05 per 10K API calls, replica and rotation costs, worked examples, and honest alternatives.
AWS Secrets Manager Pricing: Real Costs + When It Gets Expensive (2026)
AWS Secrets Manager pricing looks almost too simple: $0.40 per secret per month and $0.05 per 10,000 API calls. Two numbers. No tiers, no seats, no contracts.
And for a handful of secrets, it really is that cheap. The problem is that nobody runs "a handful of secrets." You run 40 secrets per service, times three environments, times two regions, and suddenly that $0.40 line item is a four-figure annual bill that nobody budgeted for — because each individual secret looked like pocket change.
This guide breaks down how AWS Secrets Manager pricing actually works, where the bill comes from, worked cost examples at realistic scales, how it compares to the (mostly free) Parameter Store, and when an alternative makes more sense. All AWS numbers below are current as of June 2026 — pricing changes, so confirm against AWS's official pricing page before budgeting.
One disclosure up front: we build EnvManager, a secrets manager that overlaps with Secrets Manager for some use cases (and integrates with it for others). We'll tell you honestly where AWS is the right answer anyway.
How AWS Secrets Manager Pricing Works
There are only two billable dimensions, but several things feed into each one:
| What you pay for | Price (as of June 2026) | Notes |
|---|---|---|
| Secret storage | $0.40 per secret, per month | Prorated for partial months. Secrets pending deletion aren't charged. |
| API calls | $0.05 per 10,000 calls | Every GetSecretValue, PutSecretValue, DescribeSecret, etc. |
| Replica secrets | $0.40 per replica, per region, per month | Each cross-region replica is billed as a separate secret. |
| Rotation | No separate charge | New versions created by rotation are free — but the Lambda function that performs rotation bills normally, and rotation generates API calls. |
A few details that matter:
- Every version of a secret counts as one secret. You're not charged extra for keeping version history or for rotation creating new versions.
- Replicas multiply storage cost. One secret replicated to two additional regions costs $1.20/month, not $0.40 — each replica is billed as a distinct secret.
- API calls are usually the small line item — until you have high-frequency polling, autoscaling fleets fetching secrets on every cold start, or CI pipelines hammering
GetSecretValuehundreds of times per run. - Free trial: AWS historically offered a 30-day free trial for Secrets Manager. For accounts created after July 15, 2025, AWS moved to a credit model instead — new customers get up to $200 in credits usable across eligible services. Either way, there is no permanent free tier for Secrets Manager. Every secret costs $0.40/month forever.
Worked Cost Examples
Abstract per-unit prices hide the real bill. Here's what actual teams pay.
Example 1: Small SaaS team — 50 secrets × 3 environments
A typical small product: one app, a few services, secrets for the database, Stripe, SendGrid, OAuth providers, and internal API keys. Fifty distinct secrets, duplicated across dev, staging, and production (as they should be — see our secrets management best practices guide).
| Item | Math | Monthly cost |
|---|---|---|
| Storage | 150 secrets × $0.40 | $60.00 |
| API calls | ~500,000 calls × $0.05/10K | $2.50 |
| Total | ~$62.50/month ($750/year) |
Notice the shape of that bill: storage is 96% of it. The cost driver isn't usage — it's secret count, and secret count is multiplied by environment count.
Example 2: Mid-size platform — 200 secrets × 4 environments + multi-region
Forty microservices averaging five secrets each, across dev/staging/prod/preview, with 150 production secrets replicated to a second region for DR:
| Item | Math | Monthly cost |
|---|---|---|
| Storage | 800 secrets × $0.40 | $320.00 |
| Replicas | 150 replicas × $0.40 | $60.00 |
| API calls | ~3M calls × $0.05/10K | $15.00 |
| Total |
This is where teams start asking questions. Nothing here is unreasonable — it's a normal architecture — but $4,700/year for storing strings gets noticed in a cost review.
Example 3: Where it genuinely explodes — ephemeral secrets
AWS's own pricing examples include one worth quoting: a workload issuing millions of short-lived secrets (e.g., per-session or per-job tokens) — roughly 5 million secrets with hourly validity plus 10 million API calls — lands around $2,850/month. Because storage is prorated hourly, even secrets that live for one hour cost something, and at millions of secrets the proration math still adds up fast. If your design creates secrets programmatically at high volume, Secrets Manager's per-secret model is actively working against you.
The pattern
AWS Secrets Manager costs scale with secrets × environments × regions, not with team size or value delivered. Cheap at 20 secrets, noticeable at 200, painful at 2,000. AWS's own published examples reflect this: large environments with ~10,000 secrets run upwards of $4,000/month.
Parameter Store vs Secrets Manager
The first question any cost-conscious AWS team should ask: do these even need to be in Secrets Manager? AWS Systems Manager Parameter Store stores key-value configuration — including encrypted SecureString values — and its standard tier is free.
| Parameter Store (Standard) | Parameter Store (Advanced) | Secrets Manager | |
|---|---|---|---|
| Storage cost | Free | $0.05/parameter/month | $0.40/secret/month |
| API calls | Free (standard throughput) | $0.05/10K (higher throughput) | $0.05/10K |
| Value size | 4 KB | 8 KB | 64 KB |
| Built-in rotation | No (DIY via Lambda/EventBridge) | No (DIY) | Yes (managed rotation) |
| Cross-region replication | No (DIY) | No (DIY) | Yes, built in |
| Cross-account access | Limited | Limited | Yes (resource policies) |
| RDS/Redshift credential integration | No | No | Yes |
(Size limits and tier capabilities per AWS documentation, as of June 2026 — check AWS's Systems Manager pricing page for current numbers.)
The honest guidance:
- Use Parameter Store (free) for: feature flags, non-secret config, and even encrypted values that never need rotation, replication, or cross-account sharing.
SecureStringwith KMS encryption is genuinely fine for many "secrets." - Use Secrets Manager for: database credentials that need automatic rotation, secrets shared across AWS accounts, and anything requiring cross-region replication.
Many teams pay $0.40/month per secret for hundreds of values that would work identically in Parameter Store at $0.00. That's the single biggest, easiest AWS secrets cost optimization there is — and it's also a 2026 best practice straight from AWS's own guidance: match the storage tier to the actual requirement.
The Hidden Costs Nobody Budgets For
The pricing page covers storage and API calls. Your actual bill and effort include more:
- KMS keys. Encryption with the AWS-managed key (
aws/secretsmanager) is free, but if compliance requires customer-managed KMS keys, each key is ~$1/month plus $0.03 per 10,000 KMS requests — and every secret retrieval triggers a decrypt call. - Rotation Lambdas. Rotation itself is free, but you're running (and maintaining) Lambda functions for it. The compute cost is negligible; the engineering cost of writing and debugging custom rotation functions for non-RDS secrets is not.
- VPC endpoints. If your workloads access Secrets Manager from private subnets without a NAT gateway, you'll want a PrivateLink interface endpoint — roughly $0.01/hour per AZ (~$7–22/month depending on AZ count) plus data processing.
- CloudTrail and monitoring. Auditing secret access at scale means CloudTrail data events, log storage, and alerting — all billed separately.
- The environment-count multiplier. This is the one that bites everyone. Following best practice (separate secrets per environment) triples or quadruples your secret count. AWS charges you for doing the right thing.
- Developer experience overhead. Secrets Manager has no native
.envworkflow, no UI built for "give the frontend dev read access to staging only," and local development typically means custom scripts wrapping the AWS CLI. Teams either build tooling around it or run something like External Secrets Operator to bridge it into Kubernetes — both of which cost engineering time.
None of these are gotchas, exactly. They're just the difference between the two-line pricing page and your actual invoice.
When AWS Secrets Manager Is Worth It
Honest assessment: if your stack is all-AWS and your secret count is modest, Secrets Manager is a good product at a fair price. Managed RDS credential rotation alone justifies it for database secrets. IAM-native access control, CloudTrail auditing, and cross-region replication are exactly what AWS-centric platform teams need, with zero extra vendors.
It gets hard to justify when:
- Secret count is high and growing — the linear $0.40/secret pricing has no volume curve until you negotiate enterprise discounts.
- Your stack isn't AWS-only — if you deploy to Vercel, Railway, or bare VPS alongside AWS, Secrets Manager becomes one silo among several.
- Humans are the main consumers — Secrets Manager is built for machines reading secrets at runtime, not for teams managing configuration across environments day-to-day.
- Most of your "secrets" are really config — in which case Parameter Store or a purpose-built environment variable manager fits better.
AWS Secrets Manager Alternatives
A quick, honest landscape (deeper comparison in our best secrets management tools guide):
| Tool | Pricing model | Best for | Trade-off |
|---|---|---|---|
| AWS Parameter Store | Standard tier free; Advanced $0.05/param/month | AWS-only config and non-rotating secrets | No managed rotation or replication; DIY tooling |
| HashiCorp Vault | Free Community Edition (self-hosted); HCP/Enterprise paid | Large orgs needing dynamic secrets, PKI, multi-cloud | Heavy operational burden; enterprise pricing is quote-only — see our Vault pricing breakdown |
| Doppler | Free developer tier; paid plans priced per seat | Teams wanting polished multi-cloud secrets UX | Per-seat pricing scales with headcount |
| Infisical | Open-source self-hosted core; cloud plans per seat | Teams wanting open source with a managed option | Self-hosting shifts cost to ops; cloud is per-seat |
| EnvManager | No free plan; 14-day trial, then flat $9/month for the whole team | Teams managing env vars/secrets across mixed stacks | Not built for high-volume machine-to-machine dynamic secrets — Vault and AWS are stronger there |
Where EnvManager fits, stated plainly: it's an environment variable and secrets manager built around the workflows Secrets Manager handles awkwardly — client-side AES-256-GCM encryption (secrets are encrypted before they leave your browser), a CLI with real-time sync for local development, .env import/export, role-based access control, and audit logs. It syncs natively to GitHub Actions, Vercel, Railway, Render, Dokploy, Coolify — and to AWS Secrets Manager and GCP Secret Manager themselves, so it can sit in front of AWS rather than replace it.
The pricing model is the deliberate opposite of per-secret billing: a flat $9/month ($7.50/month billed annually) for the whole team — unlimited members, no per-seat fees, no per-secret fees. There's no free plan; there's a 14-day free trial with no credit card required. An Enterprise tier adds SAML SSO and self-hosting. For the 150-secret team in Example 1 paying AWS ~$62/month, the math is straightforward — but if you need managed RDS rotation inside AWS, keep Secrets Manager for those specific secrets and don't let anyone tell you otherwise.
How to Choose
- All-AWS, machine-consumed secrets, need rotation → AWS Secrets Manager. Pay the $0.40 — it's worth it for what it does.
- All-AWS, but mostly static config → Parameter Store Standard, for free. Audit your Secrets Manager usage and migrate what doesn't need rotation.
- Multi-cloud at enterprise scale, dynamic secrets, PKI → HashiCorp Vault, if you have the platform team to run it.
- Mixed stack (AWS + Vercel/Railway/VPS), team-centric workflows, predictable cost → a dedicated tool like Doppler, Infisical, or EnvManager.
- Kubernetes consuming cloud secrets → keep your store and bridge it with External Secrets Operator.
If you want to see whether flat-rate pricing and a sane .env workflow fit your team, start a free 14-day EnvManager trial — no credit card, and your AWS secrets can stay exactly where they are via the integration.
FAQ
How much does AWS Secrets Manager cost?
AWS Secrets Manager costs $0.40 per secret per month plus $0.05 per 10,000 API calls (as of June 2026). Storage is prorated for partial months, and each cross-region replica is billed as an additional secret at $0.40/month. A team with 150 secrets across three environments pays roughly $60–65/month.
Is AWS Secrets Manager free?
No. There is no permanent free tier — every stored secret costs $0.40/month. AWS previously offered a 30-day free trial; accounts created after July 15, 2025 instead receive up to $200 in general AWS credits that can be applied to Secrets Manager.
Is Parameter Store cheaper than Secrets Manager?
Yes, significantly. Parameter Store's standard tier is free, including encrypted SecureString parameters (up to 4 KB). Advanced parameters cost $0.05/month — still 8× cheaper than Secrets Manager. The trade-off: no managed rotation, no cross-region replication, and weaker cross-account sharing.
Why is my AWS Secrets Manager bill so high?
Almost always secret count: secrets multiply across environments and regions (replicas are billed as separate secrets), and high-frequency GetSecretValue polling from autoscaling fleets or CI pipelines inflates API charges. Common fixes: move non-rotating config to Parameter Store, cache secret values in your application instead of fetching per request, and delete unused secrets — those pending deletion aren't billed.
What is the best alternative to AWS Secrets Manager?
It depends on what's driving you away. For cost on AWS-only stacks: Parameter Store. For enterprise multi-cloud dynamic secrets: HashiCorp Vault. For team-centric environment variable management across mixed stacks at a flat price: EnvManager ($9/month for the whole team, with native AWS Secrets Manager sync). Doppler and Infisical are also solid per-seat options.
Pricing verified against AWS's official pricing pages as of June 12, 2026. AWS pricing varies slightly by region and changes over time — always confirm before budgeting.