Secrets Manager pricing: what to model (secrets + API calls)

Start with a calculator if you need a first-pass estimate, then use this guide to validate the assumptions and catch the billing traps.

Use this page when you need to decide what belongs inside the Secrets Manager bill before you debate caching strategy or request reduction. This is the Secrets Manager bill-boundary page.

Stay here when the question is secret-months, API requests, runtime fetch behavior, and adjacent rotation-side costs. Go back to the security parent page if the wider security system budget is still unclear.

This guide is about bill boundaries: secret-months, Secrets Manager API requests, and the adjacent rotation, Lambda, and incident-side costs that should be tracked beside Secrets Manager rather than blended into it.

Inside the Secrets Manager bill vs beside the Secrets Manager bill

• Inside the Secrets Manager bill: secret-month baseline and Secrets Manager API requests.
• Beside the Secrets Manager bill: rotation helpers, downstream Lambda, database reconnect storms, and other incident-side effects that may explain spend but are not core Secrets Manager line items.
• Why this distinction matters: teams often try to optimize request volume before they have separated the actual Secrets Manager bill from the systems around it.

What to include in the cost model

• Secret-month baseline: number of active secrets × months (split by prod vs non-prod).
• API calls/month: Secrets Manager requests once you have measured or defended the request model.
• Bill ownership: whether request spikes truly belong to Secrets Manager or to an adjacent runtime or incident pattern.

Tool: Secrets Manager cost calculator

Step 1: inventory secrets (secret-months)

• Count secrets by environment (prod/stage/dev) and by account/region.
• Identify “secret sprawl” patterns: secret-per-service, secret-per-tenant, secret-per-env.
• Decide what should be a secret vs config (don’t store low-sensitivity config as secrets by default).

Step 2: scope the request line item without doing the full estimate here

• Per-start fetch: request volume usually scales with workload starts and cache refreshes.
• Per-request fetch: request volume scales with traffic and often belongs in the estimate and optimization workflow, not the pricing checklist.
• Peak/incident behavior: retries and restart storms should be captured as a separate measured scenario.

Workflow: estimate Secrets Manager API calls

What usually creates surprise bills at the bill-boundary level

• Secret sprawl: too many duplicated or low-value secrets keep the baseline higher than expected.
• Request-led spikes: application fetch patterns turn the request line item into the main driver.
• Rotation-side confusion: Lambda rotation helpers or downstream retries are sometimes misread as pure Secrets Manager spend.
• Incident-side effects: outages and restarts may explain the spike, but they should not be merged blindly into the core bill model.

When this is not the right page

• You still need the wider security diagnosis: go back to security costs if you have not yet separated WAF, KMS, secrets, and audit logging as distinct cost surfaces.
• You still need the request evidence: go to Estimate API calls if the real problem is turning starts, CloudTrail, cache refreshes, and retries into a defendable request model.
• You already know the cost driver: go to Secrets Manager cost optimization if the real question is what to change in production.

How to validate the bill model

• In billing, confirm whether request charges dominate secret-month baseline.
• Confirm whether the highest monthly cost comes from inventory size, request volume, or adjacent rotation-side systems.
• Use the estimate workflow if the request side is still based on assumptions rather than evidence.
• Re-check deploy or incident windows before treating spikes as normal budget behavior.

Related guides and tools

Sources

• AWS Secrets Manager pricing
• AWS Secrets Manager User Guide
• Retrieving secrets (API usage context)

Related guides

Related calculators

FAQ