AWS Parameter Store

A typical web application needs credentials to access different resources such as credentials to connect to database and tokens to communicate with other web services.

It is common practice to pass these secret parameters to applications via system properties or environment variables. For example, if you are using Elastic Beanstalk for java web application then you can pass parameters (database url, username, password etc.) as properties.  Every infrastructure is different, but in general this practice is neither secure nor manageable. Some of the common problems are: parameters are not encrypted, parameters might be available in plain text on ec2-instance ebs scripts, parameters are hard to rotate if parameters are being shared by multiple applications. Moreover, if credentials are shared by different applications and multiple people are responsible for deployment then all those people will need access to credentials.

Instead of passing secret parameters as environment variables, secure vaults can be used which will solve above mentioned problems. Parameter Store and Secret Manager are two offerings of AWS which can be used to save parameters and secrets. They improve the security of infrastructure and help to manage secret parameters efficiently. Idea is simple that secret parameters should be saved by just one service. This way, you only need to secure one service. Parameters stored in these services can be accessed by applications via API calls. Parameters can also be encrypted. If parameters are encrypted using default key, then no special permissions are required to decrypt parameters. However, if parameters are encrypted using custom key then application (or ec2-instance) will require access to custom key to decrypt parameters. Parameter store will also track changes made to parameters which is great for auditing purposes.

At the time of writing, Parameter Store is free service whereas Secret Manager is paid service. Secret Manager is integrated with RDS and makes it very convenient to rotate database credentials. But you can write your own lambda to rotate secret parameters. I think, at time of this writing, that cost of secret manager is high considering the benefits being offered. May be, in future, AWS will integrate more services with Secret Manager and then cost might be justified.

Following is a simple code snippet to get parameters stored in AWS Parameter store.


AWSSimpleSystemsManagement client = AWSSimpleSystemsManagementClientBuilder.standard()
.withRegion(Regions.EU_WEST_1).build();
GetParametersRequest request= new GetParametersRequest();
request.withNames("prod.webapp.microservice.name")
        .setWithDecryption(true);
GetParametersResult parameterResult = client.getParameters(request);  


For Further Reading:
  1. AWS Parameter Store
  2. Parameter Store vs Secret Manager Discussion


Comments

Popular posts from this blog

Practice Questions - AWS Solutions Architect - Associate Certification

Continuous Integration using AWS CodePipeline (GitHub to Elastic BeanStalk)