How to make use of parameter store?

0

Hi there,

Currently, I am storing application configs(e.g. DB username) on the EC2 instance. I would like to stop anyone with access to the EC2 instance from being able to access these configs. But the thing is if someone can access my instance, they can just easily retrieve values from the parameter store. Then, what is the point of storing parameters in parameter store? Or am I missing something?

I want to store the parameters in the parameter store securely and retrieve them for use in other scripts (maybe, by storing them in the environment variables) on the EC2 instance.

Thanks in advance.

AKMin
asked 3 months ago250 views
2 Answers
3

Hello.

Then, what is the point of storing parameters in parameter store?

By using AWS Systems Manager Parameter Store, Parameters used in the system can be centrally managed.
It has the advantage of being able to retrieve parameters within a hierarchy in bulk and allowing access permissions to the hierarchy using IAM policies.
Utilizing these makes it easier to properly manage privileges even when operating multiple environments with one account.
https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-hierarchies.html

profile picture
EXPERT
answered 3 months ago
profile picture
EXPERT
reviewed 3 months ago
profile pictureAWS
EXPERT
reviewed 3 months ago
  • Got it. However, is it true that anyone with access to the EC2 instance can retrieve the parameters (e.g. by using AWS CLI tool on the instance)?

  • Yes, you will be able to access it since you will be using an EC2 IAM role to access the parameter store.

0

Hello AKMin ,

  • You're absolutely right about the vulnerability of storing configs directly on EC2 instances. Anyone with access can see them. However, AWS Parameter Store offers a solution, and you're on the right track regarding secure storage and retrieval.
  • Encryption: Parameter Store encrypts secrets using AWS Key Management Service (KMS) keys. Even if someone gains access to the instance, they cannot decrypt the secrets without the KMS key.
  • Least Privilege: IAM roles define what an instance can do in your AWS account. You can create a role with specific permissions to access the required Parameter Store paths, restricting unnecessary access.

AWS Systems Manager Parameter Store: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html

How AWS Systems Manager Parameter Store uses AWS KMS: https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html

Simple Secrets Management via AWS' EC2 Parameter Store: https://medium.com/cloud-security/aws-secrets-manager-vs-ssm-parameter-store-a765fe09f5f0

profile picture
EXPERT
Sandeep
answered 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions