VAULT comparison №6

Hashicorp vs AWS SM

The secrets management space has two distinct kinds of solutions: cloud-native and universal. Two representative examples are AWS Secrets Manager and Hashicorp Vault.

These two are worth comparing when our infrastructure runs on AWS, with applications on top and secrets spread across them. Which solution is better?
Deployment and setup
There is plenty of evidence that Hashicorp Vault is difficult to implement with the Open Source edition, especially when you need to deliver High Availability and Disaster Recovery capabilities. The Enterprise edition is much easier to implement and manage, including its HA and DR capabilities.

AWS Secrets Manager is the winner here. It is managed through the standard AWS management interfaces and is straightforward to implement; HA and DR are essentially built in.
Scalability and flexibility
Hashicorp Vault has an immense number of plug-ins and operators aimed at supporting nearly every technology, both on-premise and on AWS.

AWS Secrets Manager scales effortlessly since AWS takes care of it, but it has fewer features than Hashicorp Vault and supports fewer use cases, particularly multi-cloud and hybrid-cloud ones.
Hashicorp and AWS Secrets Manager: Key Differences
While Hashicorp Vault has a free (Open Source) edition, its Enterprise edition can be very expensive. AWS Secrets Manager uses a different pricing model since it is a SaaS solution.

Keep in mind the difference between the Hashicorp Vault and AWS Secrets Manager pricing models: your spending will change over time, and at very different rates depending on which you choose.
AWS Secrets Manager is a perfect choice if you are launching a start-up or have a small number of secrets to manage under tight regulations such as PCI DSS, HyTrust, ISO 27001 and others.

Hashicorp Vault can be the wiser choice if you need multi-cloud or hybrid-cloud options or will need to manage thousands of secrets.

Each option solves the secrets management problem but brings a new one: you have to implement and maintain it. If you would like help with this, check out our DevSecOps as a Service.

If you are not ready to consider implementing a tool, you can check out our Kubernetes Penetration Testing Service.