When an application is deployed across several environments, storing critical values such as database passwords and connection strings in version control is not safe, even when access to the repository is restricted: anyone who can clone the repository, and every backup or CI runner that holds a copy, ends up with the secrets. Some teams run their own vault, which is difficult to maintain; in the worst case the values are hardcoded in the application code and committed along with it. Neither is good practice, and both widen your security gaps.
AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data and secrets. You can store configuration values such as passwords and database credentials there, and standard parameters are available at no additional charge.
You can store 3 different types of data:
- String
- StringList
- SecureString
Let’s focus on SecureString in this blog, since its value is stored encrypted with a KMS key, and see how we can store and retrieve such keys. Parameter Store also supports hierarchies, meaning that keys can be named in a structured, path-like way. Let’s understand this with the help of an example:
Suppose you want to store a key named ‘abc’ for the application named ‘TestApp’ in the Production environment.
We will be storing it under the name /Prod/TestApp/abc, that is, environment first, then application, then the key name.
You can add keys either via the AWS Console or programmatically using the API/SDK/CLI.
To add keys through the AWS Systems Manager console:
- Sign in to your AWS Console and select an appropriate region.
- Under Services, click on Systems Manager.
- On the left side pane, scroll all the way down and click on the Parameter Store.
- Click on Create Parameter.
- Enter the Name of the parameter you want to store, for example /Prod/TestApp/abc
- Enter the Description (optional)
- Select SecureString. Under KMS key source, select My current account if you want to use a KMS key present in your account.
- From the drop-down list, select the KMS Key ID you want to use to encrypt the value.
- Enter the Value you need to store and click on Create Parameter.
To access these values in your application you can use the AWS API/SDK/CLI, or you can simply view them in the console. As an example, here is how to retrieve the value using the AWS CLI:
aws ssm get-parameters --region us-east-1 --names "/Prod/TestApp/abc" --with-decryption
This returns the decrypted value. The user or role running this command needs two permissions: ssm:GetParameters on the parameter and kms:Decrypt on the KMS key used to encrypt it; without the KMS permission the call fails even though the parameter itself is readable. Note also that get-parameters does not fail for a name that does not exist (a stray space in the name is enough); the name is listed under InvalidParameters in the response instead, so check that list in scripts.
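The console steps and the CLI command above are a one-off; an application normally does the same thing with the SDK. The following is an added example, not code from the original post: it creates SecureString parameters under the /Prod/TestApp hierarchy and reads the whole hierarchy back with decryption, handling the 10-item page size of get_parameters_by_path. The helper functions take any object exposing boto3's ssm client methods, so in production you would pass boto3.client("ssm", region_name="us-east-1"); here a small in-memory stand-in (FakeSsmClient, constructed for this example, with no real encryption) is used so the file runs offline. The KMS alias alias/testapp-prod and the parameter values are constructed sample data.

```python
"""Store and read SecureString parameters in a /Env/App/Key hierarchy."""
import re

# SSM parameter names: "/"-separated hierarchy levels built from letters,
# digits and ".-_", at most 15 levels and 2048 characters in total.
_LEVEL_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def parameter_name(env, app, key):
    """Build '/Env/App/Key' and reject segments SSM would refuse."""
    levels = [env, app, key]
    for level in levels:
        if not _LEVEL_RE.match(level):
            raise ValueError("invalid parameter name segment: %r" % level)
    name = "/" + "/".join(levels)
    if len(name) > 2048:
        raise ValueError("parameter name too long")
    return name


def put_secure_string(client, name, value, kms_key_id, overwrite=False):
    """Create a SecureString encrypted with the given KMS key.

    Overwrite defaults to False so a typo in the name cannot silently clobber
    an existing secret; SSM then raises ParameterAlreadyExists.
    """
    resp = client.put_parameter(Name=name, Value=value, Type="SecureString",
                                KeyId=kms_key_id, Overwrite=overwrite)
    return resp["Version"]


def load_config(client, path):
    """Return {leaf_name: decrypted_value} for every parameter under path.

    get_parameters_by_path returns at most 10 parameters per call, so the
    NextToken loop is needed for anything but tiny hierarchies.
    """
    prefix = path.rstrip("/") + "/"
    config = {}
    kwargs = {"Path": path, "Recursive": True, "WithDecryption": True}
    while True:
        resp = client.get_parameters_by_path(**kwargs)
        for p in resp["Parameters"]:
            config[p["Name"][len(prefix):]] = p["Value"]
        token = resp.get("NextToken")
        if not token:
            return config
        kwargs["NextToken"] = token


class FakeSsmClient:
    """In-memory stand-in for boto3's ssm client (constructed for this example).

    Mimics the subset of the API used above, including the 10-item pages of
    get_parameters_by_path, but performs no encryption.
    """
    PAGE = 10

    def __init__(self):
        self._store = {}  # name -> {"Value", "Type", "KeyId", "Version"}

    def put_parameter(self, Name, Value, Type, KeyId=None, Overwrite=False):
        if Name in self._store and not Overwrite:
            raise RuntimeError("ParameterAlreadyExists: " + Name)
        version = self._store.get(Name, {}).get("Version", 0) + 1
        self._store[Name] = {"Value": Value, "Type": Type, "KeyId": KeyId,
                             "Version": version}
        return {"Version": version}

    def get_parameters_by_path(self, Path, Recursive=False,
                               WithDecryption=False, NextToken=None):
        prefix = Path.rstrip("/") + "/"
        names = sorted(n for n in self._store if n.startswith(prefix)
                       and (Recursive or "/" not in n[len(prefix):]))
        start = int(NextToken or 0)
        params = []
        for n in names[start:start + self.PAGE]:
            entry = self._store[n]
            value = entry["Value"]
            if entry["Type"] == "SecureString" and not WithDecryption:
                value = "<encrypted>"  # real SSM returns the ciphertext blob
            params.append({"Name": n, "Type": entry["Type"], "Value": value})
        resp = {"Parameters": params}
        if start + self.PAGE < len(names):
            resp["NextToken"] = str(start + self.PAGE)
        return resp


def demo():
    client = FakeSsmClient()  # production: boto3.client("ssm", region_name="us-east-1")
    key_id = "alias/testapp-prod"  # constructed KMS key alias
    # Twelve extra secrets so that reading the hierarchy crosses a page boundary.
    for i in range(12):
        put_secure_string(client, parameter_name("Prod", "TestApp", "secret%02d" % i),
                          "value-%d" % i, key_id)
    put_secure_string(client, parameter_name("Prod", "TestApp", "abc"), "s3cr3t", key_id)
    return load_config(client, "/Prod/TestApp")


if __name__ == "__main__":
    for name, value in sorted(demo().items()):
        print(name, "=", value)
```

Reading a whole hierarchy with get_parameters_by_path rather than one get_parameters call per key keeps the IAM policy simple (a single ssm:GetParametersByPath on arn:aws:ssm:region:account:parameter/Prod/TestApp/* plus kms:Decrypt on the key) and mirrors the /Env/App/Key structure, so the same code loads /Dev/TestApp for a development deployment by changing only the path.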
More information can be found at: