Rotating SSM Parameter Store secrets


Hi, I am assessing the effort to implement lifecycle management capabilities for SSM Parameter Store.

A set of Lambdas read parameters from SSM, but some constraints now require that secrets be rotated.

I am aware that you can combine both SSM Parameter Store and AWS Secrets Manager, but I would like to avoid that.

I am aware that AWS Secrets Manager supports rotation natively, so my question is: is there a documented resilient approach for rotating SSM Parameter Store secrets, or would it just be wiser to refactor the application and use Secrets Manager instead?

1 Answer
Accepted Answer

As you mentioned in your message, while AWS Secrets Manager has native support for secret rotation, SSM Parameter Store does not directly support this.

What I would recommend instead for this scenario is referencing AWS Secrets Manager secrets from Parameter Store parameters. That way you don't have to fully refactor the applications and you can take advantage of the Secrets Manager secret rotation functionality.

You could also implement a custom solution if you wish to avoid using AWS Secrets Manager altogether. However, implementing and maintaining this custom rotation process could add complexity to your architecture. AWS Secrets Manager provides this functionality out-of-the-box and is integrated with many AWS services, which can simplify your architecture and potentially reduce maintenance effort. It's also worth noting that Secrets Manager can automatically handle some scenarios that might be challenging with a custom solution, such as handling secrets that are in use during rotation.

answered 10 months ago
kentrad
reviewed 10 months ago
  • Thanks, having both seems to potentially double the cost, but I agree that custom could become problematic. Hinting towards refactoring and using only Secrets Manager.
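
The approach recommended in the accepted answer, as an added example that is not part of the original thread or AWS's own code: a Lambda keeps calling the Parameter Store API but reads a Secrets Manager secret through the reserved `/aws/reference/secretsmanager/` path, with a short cache and one refetch on an authentication failure so a rotated value is picked up. The class and function names, the secret ID `prod/db-password`, and the 300-second TTL are assumptions for illustration.

```python
import time

# Reserved Parameter Store path that resolves to a Secrets Manager secret.
SM_REFERENCE_PREFIX = "/aws/reference/secretsmanager/"


class RotatingSecretReader:
    """Read a Secrets Manager secret via ssm.get_parameter, cached for a short TTL."""

    def __init__(self, ssm_client, secret_id, ttl_seconds=300, clock=time.monotonic):
        self._ssm = ssm_client
        self._name = SM_REFERENCE_PREFIX + secret_id
        self._ttl = ttl_seconds
        self._clock = clock
        self._value = None
        self._fetched_at = None  # None means "never fetched"

    def get(self, force_refresh=False):
        now = self._clock()
        stale = self._fetched_at is None or now - self._fetched_at >= self._ttl
        if force_refresh or stale:
            # WithDecryption must be True when reading a Secrets Manager reference.
            resp = self._ssm.get_parameter(Name=self._name, WithDecryption=True)
            self._value = resp["Parameter"]["Value"]
            self._fetched_at = now
        return self._value


def call_with_secret(reader, operation, is_auth_failure):
    """Run operation(secret); if it fails authentication, refetch once and retry.

    A cached value can be the pre-rotation secret, so a single forced refresh
    covers the window between rotation and cache expiry.
    """
    try:
        return operation(reader.get())
    except Exception as exc:
        if not is_auth_failure(exc):
            raise
        return operation(reader.get(force_refresh=True))


def make_reader(secret_id="prod/db-password"):
    """Build a reader with a real client (hypothetical secret ID; requires boto3)."""
    import boto3  # imported lazily so the logic above can be exercised offline

    return RotatingSecretReader(boto3.client("ssm"), secret_id)
```

Create the reader once outside the Lambda handler so the cache survives warm invocations.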
