Storing Secure Configuration Data with AWS Parameter Store: A Step-by-Step Tutorial
Amazon Web Services (AWS) Parameter Store is a service that lets you store, retrieve, and manage configuration data for your AWS resources and applications. It keeps data such as passwords, database connection strings, and API keys in a secure, centralized location, so they can be accessed and managed from one place.
Use case of Parameter Store
- You can manage your secret credentials with this secure, serverless, scalable service, without running any servers of your own.
- It improves application security by separating your code from your credentials.
- Secrets are easy to plan and manage: they are stored in a tree-like hierarchy with all data encrypted.
- You have granular control over access and security, can grant access selectively, and get a record of every change and use.
- It is hosted in multiple Availability Zones within an AWS Region, which gives you more reliability and durability.
Problems with saving your secret configuration in .env files or Lambda-Environment-Variables
- Credentials are always stored in plain text in .env files, which is a security threat because sometimes our keys and values need to be encrypted.
- Someone who has access to the code but needs only some specific keys should have access to only those, but in a .env file every credential can be read by everyone.
- There is no record of changes to the credentials, and no record of who changed them.
- If even a single credential changes, it has to be changed in every branch, which reduces developer productivity and increases project delivery time.
- .env files are managed by humans, so there is a chance of human error.
- Sometimes these .env files are also exposed to the public by mistake.
- Anyone who deploys our code has access to all Lambda environment variables, which can be a security risk (whether accidental or intentional).
How these problems can be resolved by the Parameter store
- All credentials can be stored as plain text or encrypted, as the organization requires.
- They cannot be read or accessed by unauthorized users.
- Every access to and change of a parameter is recorded.
- When a parameter is changed once, it is changed everywhere, which reduces human effort and saves developers time.
- AWS manages the store, so there is less chance of human error.
- We can create different access policies for reading and writing and assign them to different sets of users.
Types of Parameters
[Image: Standard and Advanced Parameters, courtesy AWS]
Features of Advanced Parameters
1. We can write policies for parameters and set an expiration time at the parameter level.
2. We can set up notifications for parameters that are about to expire.
3. You can set up a policy that sends a notification if a parameter has not changed in a while, and define after how long that parameter has to change.
There are two costs involved:
1. Storing the parameter (different for the two types of parameter).
2. API interactions to get the parameter (same for both types of parameter).
- Cost for API interactions: $0.05 for 10,000 interactions
- Cost to store an Advanced parameter: $0.05 for every parameter
- Cost to store a Standard parameter: $0 for all (limit is 10,000)
How Parameter Store records every change
[Image: Versions of a parameter]
In the image above you can see that a new version is created for every change. Here there is just one change, shown with its last-modified date and last-modified user, so we know when it was modified and by whom.
How we can plan the Structure of our Parameters to store
[Image: Structure of parameters in the store, courtesy AWS]
In the image above you can see that we can define our parameter store in a tree-like structure and grant access according to our needs. For example, we can plan our key structure per environment:
1. test
2. staging
3. dev
4. prod
and then grant access policies accordingly, or as we need.
[Image: Accessing a parameter through this hierarchy]
And we get our values as:
Now the last question is how our Lambda will access the Parameter Store for the AWS access key and secret key:
1. Create the parameters first.
2. Create a new IAM permission that allows the Lambda to access the SSM parameters (variables).
The code will be somewhat like this:
[Image: Code to access Parameters from Lambda]
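As an added example (not the code from the original post), here is a Python Lambda handler that loads every parameter under the stage's path, following pagination and decrypting SecureString values, with a constructed stub standing in for the real boto3 SSM client so it runs offline. The `/<stage>/...` layout, the parameter names, and the `STAGE` environment variable are assumptions.

```python
import os

def fetch_parameters(client, path):
    """Return {short_name: value} for every parameter under `path`.
    Follows NextToken pagination and decrypts SecureString values."""
    found, token = {}, None
    while True:
        kwargs = {"Path": path, "Recursive": True, "WithDecryption": True}
        if token:  # boto3 rejects NextToken=None, so only pass it when set
            kwargs["NextToken"] = token
        resp = client.get_parameters_by_path(**kwargs)
        for p in resp.get("Parameters", []):
            # "/prod/db/password" under "/prod" becomes "db/password"
            found[p["Name"][len(path):].lstrip("/")] = p["Value"]
        token = resp.get("NextToken")
        if not token:
            return found

def lambda_handler(event, context, client=None, stage=None):
    """Lambda entry point. The stage comes from configuration (assumed env var
    STAGE), never from the event, so a caller cannot pick another stage."""
    stage = stage or os.environ.get("STAGE", "dev")
    if client is None:
        import boto3  # lazy import: the stub below works without boto3
        client = boto3.client("ssm")
    config = fetch_parameters(client, f"/{stage}")
    # Use config["aws_access_key"] etc. here; never log or return the values.
    return {"stage": stage, "keys_loaded": sorted(config)}

class StubSSM:
    """Constructed stand-in for boto3's SSM client, for offline runs."""
    def __init__(self, params, page_size=2):
        self.params, self.page_size = params, page_size
    def get_parameters_by_path(self, Path, Recursive, WithDecryption, NextToken=None):
        names = sorted(n for n in self.params if n.startswith(Path + "/"))
        start = int(NextToken or 0)
        page = names[start:start + self.page_size]
        out = {"Parameters": [{"Name": n, "Value": self.params[n]} for n in page]}
        if start + self.page_size < len(names):
            out["NextToken"] = str(start + self.page_size)
        return out

# Constructed sample tree mirroring the per-environment layout in the post.
SAMPLE_STORE = {
    "/prod/aws_access_key": "AKIA-EXAMPLE-PROD",
    "/prod/aws_secret_key": "prod-secret",
    "/prod/db/password": "prod-db-pass",
    "/dev/aws_access_key": "AKIA-EXAMPLE-DEV",
}
```

With the real client, the Lambda's IAM role needs ssm:GetParametersByPath on that stage's path (and kms:Decrypt on the key used for SecureString parameters); scoping the permission to one path is what keeps a dev Lambda from reading /prod.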
About the Author:
Nishant Choudhary is a Software Developer with around 2 years of experience in Software Development where he worked in multiple organizations and contributed to solving different kinds of complex problems with his creativity and enthusiasm for learning and different kinds of skills such as problem-solving, web designing and development, analysis of architecture and development of Progressive Web Applications.
About KBX Digital
At KBX Digital, we use serverless technology to auto-scale microservices to serve millions of customers.