AWS Secrets Manager vs Systems Manager Parameter Store Flashcards

1
Q

AWS Systems Manager Parameter Store

A

This is part of the application management tools offered by the AWS Systems Manager (SSM) service. Parameter Store allows you to create key-value parameters to save your application configurations, custom environment variables, product keys and credentials in a single interface.

2
Q

Parameter Store allows you to secure your data with encryption that is integrated with AWS KMS.

A

After you create your parameters in Parameter Store, you can have them retrieved by SSM Run Command or SSM State Manager, or reference them from your application running on EC2, ECS, or Lambda, or even from applications running in your on-premises data center. This eliminates the need to hardcode variables or embed plaintext credentials in your code.
Parameter Store makes it easy to update these variables without modifying your source code, and eliminates the need to embed confidential information such as database passwords in your code.

3
Q
  1. Your application (on-premises servers, EC2, ECS, Lambda, etc.) sends a parameter request to SSM Parameter Store.
  2. If this is a plaintext parameter request, Parameter Store checks with IAM whether the user/role is allowed to retrieve the parameter.
  3. If this is an encrypted parameter request, Parameter Store checks with IAM whether the user/role is allowed to both retrieve the parameter and decrypt it with AWS KMS. Decryption requires that the IAM user/role has the KMS Decrypt permission.
  4. If IAM verification is successful, Parameter Store sends the parameter value back to the application.
A
4
Q

BREAK

A
5
Q

AWS Secrets Manager

A

This enables you to rotate, manage and retrieve database credentials, API keys and other secrets throughout their lifecycle.

It also makes it easy for you to follow security best practices such as encrypting secrets and rotating them regularly.

6
Q

You can use Secrets Manager to offload the management of secrets, such as database passwords or API keys, from developers, so they do not have to worry about where to store these credentials.

A
7
Q

Differences and Similarities

A

Parameter Store was designed to cater to a wider use case: not just secrets or passwords but also application configuration variables like URLs, DB hostnames, custom settings, product keys, etc. This is why the default selection when creating a parameter is a plaintext String value. You can enable encryption if you explicitly choose to.

8
Q

Secrets Manager was designed specifically for confidential information that needs to be encrypted, which is why encryption is always enabled when you create a secret. You cannot store data in plaintext in Secrets Manager.

A

Secrets Manager also provides a built-in password generator through the AWS CLI. This can be helpful when you want to create an RDS instance with a CloudFormation template: you can create a randomly generated password and later reference it in your RDS configuration.

9
Q

Both services have a versioning feature. This allows you to view previous versions of your parameters or secrets in case you need them. You can choose to restore the older version of the parameter.

A

Parameter Store only allows one version of the parameter to be active at any given time.

10
Q

Secrets Manager allows multiple versions to exist at the same time when you are performing a secret rotation. Secrets Manager distinguishes between different versions by staging labels.

A