How to make use of parameter store?

Hi there,

Currently, I am storing application configs(e.g. DB username) on the EC2 instance. I would like to stop anyone with access to the EC2 instance from being able to access these configs. But the thing is if someone can access my instance, they can just easily retrieve values from the parameter store. Then, what is the point of storing parameters in parameter store? Or am I missing something?

I want to store the parameters in the parameter store securely and retrieve them for use in other scripts (maybe, by storing them in the environment variables) on the EC2 instance.

Thanks in advance.

Topics

Compute Management & Governance

Tags

Amazon EC2 Parameter Store

Language

English

AKMin

asked 19 days ago159 views

2 Answers

Newest
Most votes
Most comments

Hello.

Then, what is the point of storing parameters in parameter store?

By using AWS Systems Manager Parameter Store, Parameters used in the system can be centrally managed.
It has the advantage of being able to retrieve parameters within a hierarchy in bulk and allowing access permissions to the hierarchy using IAM policies.
Utilizing these makes it easier to properly manage privileges even when operating multiple environments with one account.
https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-hierarchies.html

EXPERT

Riku_Kobayashi

answered 19 days ago

EXPERT

Oleksii Bebych

reviewed 19 days ago

EXPERT

Brettski-AWS

reviewed 19 days ago

AKMin
19 days ago
Got it. However, is it true that anyone with access to the EC2 instance can retrieve the parameters (e.g. by using AWS CLI tool on the instance)?
Riku_Kobayashi EXPERT
19 days ago
Yes, you will be able to access it since you will be using an EC2 IAM role to access the parameter store.

Hello AKMin ,

You're absolutely right about the vulnerability of storing configs directly on EC2 instances. Anyone with access can see them. However, AWS Parameter Store offers a solution, and you're on the right track regarding secure storage and retrieval.
Encryption: Parameter Store encrypts secrets using AWS Key Management Service (KMS) keys. Even if someone gains access to the instance, they cannot decrypt the secrets without the KMS key.
Least Privilege: IAM roles define what an instance can do in your AWS account. You can create a role with specific permissions to access the required Parameter Store paths, restricting unnecessary access.

AWS Systems Manager Parameter Store: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html

How AWS Systems Manager Parameter Store uses AWS KMS: https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html

Simple Secrets Management via AWS' EC2 Parameter Store: https://medium.com/cloud-security/aws-secrets-manager-vs-ssm-parameter-store-a765fe09f5f0

EXPERT

Garre Sandeep

answered 19 days ago

Relevant content

Can't retrieve parameters from Parameter Store from Node app running on EC2 Ubuntu
atef
asked a year ago
How to mount EFS on ECS with IAM username of who started EC2 instance ?
AWS-User-8472164
asked 3 years ago
EC2 instance using Instance Store
Accepted Answer
Trevor_C
asked 2 years ago
I can't connect to my EC2 Instance that use Instance Store Volume
Aman
asked 8 months ago
How do I get environment variables from SSM Parameter Store and use them from an Elastic Beanstalk instance shell?
AWS OFFICIALUpdated 9 months ago
How do I change Intel-powered EC2 instances to the equivalent AMD-powered instance types?
AWS OFFICIALUpdated a year ago
How can I use the AWSSupport-ResetLinuxUserPassword runbook to change a Linux user password on my EC2 instance?
AWS OFFICIALUpdated a year ago
How do I back up an instance store volume on my Amazon EC2 instance to Amazon EBS?
AWS OFFICIALUpdated a year ago
Support Automation Workflow (SAW) Runbook: Upload EC2 Rescue log bundle from the target instance to the specified Amazon S3 bucket
EXPERT
Maya Karalic
published a year ago
Discover Messages stored on Bitcoin Mainnet with Amazon Managed Blockchain Access
EXPERT
Simon Goldberg
published 3 months ago