Hello.
Then, what is the point of storing parameters in parameter store?
By using AWS Systems Manager Parameter Store, parameters used in the system can be centrally managed.
It has the advantage of being able to retrieve parameters within a hierarchy in bulk and allowing access permissions to the hierarchy using IAM policies.
Utilizing these makes it easier to properly manage privileges even when operating multiple environments with one account.
https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-hierarchies.html
Hello AKMin,
- You're absolutely right about the vulnerability of storing configs directly on EC2 instances. Anyone with access can see them. However, AWS Parameter Store offers a solution, and you're on the right track regarding secure storage and retrieval.
- Encryption: Parameter Store encrypts secrets using AWS Key Management Service (KMS) keys. Even if someone gains access to the instance, they cannot decrypt the secrets without the KMS key.
- Least Privilege: IAM roles define what an instance can do in your AWS account. You can create a role with specific permissions to access the required Parameter Store paths, restricting unnecessary access.
AWS Systems Manager Parameter Store: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html
How AWS Systems Manager Parameter Store uses AWS KMS: https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html
Simple Secrets Management via AWS' EC2 Parameter Store: https://medium.com/cloud-security/aws-secrets-manager-vs-ssm-parameter-store-a765fe09f5f0
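As an added illustration of the hierarchy-scoped IAM policy that both answers above describe (example code, not from anyone in this thread; the account id, region, parameter path and key id are constructed placeholders), this Python builds the instance-role policy and shows which parameter and key ARNs it lets through:

```python
import json
import re

def build_instance_policy(region, account_id, env, app, kms_key_id):
    """Least-privilege policy for an EC2 instance role (constructed example).

    Reads are limited to the /<env>/<app>/ hierarchy, and kms:Decrypt to the
    one customer-managed key that protects those SecureString parameters.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOwnHierarchyOnly",
                "Effect": "Allow",
                "Action": ["ssm:GetParameter", "ssm:GetParameters",
                           "ssm:GetParametersByPath"],
                "Resource": f"arn:aws:ssm:{region}:{account_id}:parameter/{env}/{app}/*",
            },
            {
                "Sid": "DecryptOwnKeyOnly",
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": f"arn:aws:kms:{region}:{account_id}:key/{kms_key_id}",
            },
        ],
    }

def _iam_match(pattern, value):
    # IAM wildcards: '*' is any run of characters (including '/'), '?' one character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def is_allowed(policy, action, resource_arn):
    """Simplified evaluator: Allow statements only, no Condition keys or explicit Deny."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if (stmt["Effect"] == "Allow"
                and any(_iam_match(a, action) for a in actions)
                and any(_iam_match(r, resource_arn) for r in resources)):
            return True
    return False

if __name__ == "__main__":
    # Placeholder values: 111122223333 and EXAMPLE-KEY-ID are not real identifiers.
    policy = build_instance_policy("us-east-1", "111122223333", "prod", "webapp", "EXAMPLE-KEY-ID")
    print(json.dumps(policy, indent=2))
```

Because the Resource ARN is pinned to one hierarchy and one key, a process on the prod instance can read /prod/webapp/* but a request for /dev/webapp/* or for another KMS key is refused, which is what makes a single account with several environments manageable.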
Got it. However, is it true that anyone with access to the EC2 instance can retrieve the parameters (e.g. by using AWS CLI tool on the instance)?
Yes, you will be able to access it since you will be using an EC2 IAM role to access the parameter store.