Cyber Defense Advisors

AWS Secrets Manager vs. SSM Parameter Store

ACM.119 Choosing where to store secrets and configuration data

This is a continuation of my series of posts on Automating Cybersecurity Metrics.

In the last post I explained why you might want to use a customer-managed encryption key instead of an AWS-managed one.

https://medium.com/cloud-security/customer-managed-kms-keys-vs-aws-managed-encryption-keys-722038fc4a0b

Now let's review the differences between AWS Secrets Manager and AWS Systems Manager Parameter Store at the time of this writing. Note that this list could become out of date at any minute if AWS changes the way these services work, so review the documentation for the most up-to-date information.

| Capability | Parameter Store | Secrets Manager |
|---|---|---|
| Limit KMS key to service | No | Yes |
| Resource policy access control | No | Yes |
| Cross-account role access | No | Yes |
| Generate secret from CloudFormation | No | Yes |
| Automatically rotate secrets | No | Yes |
| CloudFormation encrypted type | No | Yes |
| Customer KMS key encryption | Yes | Yes |
| Expiration | Yes | Yes |
| Versions | Yes | Yes |
| Dynamic CloudFormation references | Yes | Yes |
| Cheaper | Yes | No |

We can limit use of an AWS KMS Key to AWS Secrets Manager.

Limiting Access to KMS Keys via Secrets Manager

It is possible to use CloudFormation to create a value and store it in AWS Secrets Manager in an encrypted format using the SecretString property.
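The two capabilities above together, as an added CloudFormation example that is not code from the original post or its repository: a customer-managed KMS key whose key policy only allows data-key operations when the request arrives through Secrets Manager (kms:ViaService), and a secret encrypted with that key whose value is generated inside the service rather than passed in. The role ARNs, the secret name and the choice of key-administration actions are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: KMS key usable only through Secrets Manager, plus a secret encrypted with it

Parameters:
  KeyAdminRoleArn:   # assumed: role that administers the key but cannot use it for data
    Type: String
  AppSecRoleArn:     # assumed: role that deploys this stack and reads the secret
    Type: String

Resources:
  SecretsKey:
    Type: AWS::KMS::Key
    Properties:
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          # Administration only. With no Decrypt/GenerateDataKey grant here, identity
          # policies alone cannot use the key. Keep an admin or the key becomes unmanageable.
          - Sid: KeyAdministration
            Effect: Allow
            Principal: {AWS: !Ref KeyAdminRoleArn}
            Action: [kms:Create*, kms:Describe*, kms:Enable*, kms:List*, kms:Put*, kms:Update*,
                     kms:Revoke*, kms:Disable*, kms:Get*, kms:Delete*, kms:TagResource,
                     kms:UntagResource, kms:ScheduleKeyDeletion, kms:CancelKeyDeletion]
            Resource: '*'
          # Data-key use succeeds only when the request reaches KMS through Secrets Manager
          # in this region; a direct kms:Decrypt call by the same role is denied.
          - Sid: UseOnlyViaSecretsManager
            Effect: Allow
            Principal: {AWS: !Ref AppSecRoleArn}
            Action: [kms:Decrypt, kms:GenerateDataKey]
            Resource: '*'
            Condition:
              StringEquals:
                kms:ViaService: !Sub secretsmanager.${AWS::Region}.amazonaws.com

  AppSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: acm/app/credentials   # constructed name
      KmsKeyId: !Ref SecretsKey   # creating the secret needs GenerateDataKey, so deploy as AppSecRole
      GenerateSecretString:       # value is generated in the service, never passed as a parameter
        SecretStringTemplate: '{"username": "app"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'
```

If you already hold the value (an SSH private key, for instance), SecretString stores it instead of GenerateSecretString, but the value then has to reach the template somehow, which is the exposure problem discussed later in this post.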

Keeping Credentials Out of GitHub

This post contains an example of using AWS Lambda with Parameter Store. One of the limitations at the time of this writing is the inability to use SecureString with CloudFormation. That means you cannot create an encrypted parameter with CloudFormation when using AWS Parameter Store. See the link to the documentation in this post.

Using AWS Systems Manager Parameter Store with AWS Lambda

The next post adds a KMS Key ID to Parameter Store to encrypt data stored in a parameter. It explains, and links to the documentation for, the fact that SSM Parameter Store does not offer resource policies for access control. In this post I also explore the fact that you cannot use a policy condition to limit a KMS key so that it can only be used by AWS Parameter Store, as we could with Secrets Manager.

Adding a KMS Key Id to AWS SSM Parameter Store
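The consequences described in the two posts above, as an added CloudFormation example that is not code from the original posts or their repository: CloudFormation can create String and StringList parameters only, so the SecureString is created out of band and merely referenced here, and the Lambda execution role needs both ssm:GetParameter on the parameter and kms:Decrypt on its key. The parameter name, key ARN and the non-secret parameter are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Lambda execution role that reads one SecureString parameter created outside CloudFormation

Parameters:
  ParameterName:     # assumed: name of an existing SecureString, must start with "/", e.g. /acm/app/db-password
    Type: String
  ParameterKeyArn:   # assumed: ARN of the customer-managed KMS key that encrypts that parameter
    Type: String

Resources:
  # Only String and StringList can be created here; a SecureString cannot, so this
  # template never holds the secret value and only sets non-secret configuration.
  PlainConfig:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /acm/app/log-level   # constructed name
      Type: String
      Value: INFO

  ReaderRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: {Service: lambda.amazonaws.com}
            Action: sts:AssumeRole
      Policies:
        - PolicyName: read-one-secure-parameter
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Both statements are required: GetParameter with WithDecryption=true
              # calls kms:Decrypt on the function's behalf. Because the parameter has
              # no resource policy, this identity policy and the key policy are the
              # only two gates on the value.
              - Effect: Allow
                Action: ssm:GetParameter
                Resource: !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter${ParameterName}
              - Effect: Allow
                Action: kms:Decrypt
                Resource: !Ref ParameterKeyArn
```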

This post considers the pros and cons of storing a user-specific SSH key in AWS Parameter Store. AWS Parameter Store doesn’t offer resource policies that allow us to limit access to a Parameter. I explained the benefits of using an IAM policy with a resource policy in the last post and why you might want to use both for access to sensitive data.

Automated Creation of an SSH Key for an AWS User

The next post demonstrates how to store an SSH key in Secrets Manager. You can create a resource policy with access controls for an AWS secret.

Creating and Storing an EC2 SSH Key in Secrets Manager

In this post we consider creating an AppSec group to manage secrets. You can allow Secrets Manager administrators to manage AWS Secrets Manager policies.

Creating an AppSec Group to Administer Secrets Manager Secrets

This post creates a role that the AppSec administrator group can assume. This post explains how you can use IAM, Secrets Manager, and KMS policies to create an architecture that requires a three-party collusion to obtain unauthorized access to a secret.

AppSec Role for Secrets Management

It is possible to create an auto-generated password with AWS Secrets Manager and CloudFormation. Parameter store doesn’t have that option. Passing secrets in parameters is not secure because parameter values are visible in various places.

Autogenerated Passwords in CloudFormation for AWS Console Access

You can use the AWS console to enforce MFA on a user-specific secret stored in Secrets Manager. We can't enforce MFA with developer credentials (access key ID and secret access key) used with the AWS CLI. We can't create a user-specific policy for an AWS IAM Role since the principal (identity) is not a single user in that case. The approach in that post is a work-around for those limitations.

User-Specific Secrets: Console Access
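The two posts above combined, as an added CloudFormation example that is not code from the original posts or their repository: Secrets Manager generates a console password, the IAM user's LoginProfile consumes it through a dynamic reference so the value never passes through a template parameter, and a resource policy (which Parameter Store does not offer) restricts reads to that user from an MFA-authenticated session. The user name, secret name and the use of the aws:MultiFactorAuthPresent condition to express the MFA requirement are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Console user with a generated password, readable only by that user with MFA

Resources:
  ConsoleSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: acm/users/dev-user/console   # constructed name
      # No KmsKeyId, so the AWS-managed key aws/secretsmanager is used
      GenerateSecretString:
        SecretStringTemplate: '{"username": "dev-user"}'
        GenerateStringKey: password
        PasswordLength: 24
        ExcludeCharacters: '"@/\'

  DevUser:
    Type: AWS::IAM::User
    Properties:
      UserName: dev-user   # constructed name
      LoginProfile:
        # Dynamic reference resolved at deploy time: the password never appears in
        # Parameters, stack events or the rendered template. Parameter Store has no
        # equivalent because CloudFormation cannot populate it with a generated value.
        Password: !Sub '{{resolve:secretsmanager:${ConsoleSecret}:SecretString:password}}'
        PasswordResetRequired: true

  ConsoleSecretPolicy:
    Type: AWS::SecretsManager::ResourcePolicy
    Properties:
      SecretId: !Ref ConsoleSecret
      ResourcePolicy:
        Version: '2012-10-17'
        Statement:
          # Only this user, and only from a session that carried MFA, may read the
          # value; long-term access keys used without an MFA session token are refused.
          - Effect: Allow
            Principal: {AWS: !GetAtt DevUser.Arn}
            Action: secretsmanager:GetSecretValue
            Resource: '*'
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: 'true'
```

The dynamic reference is resolved with the deploying principal's permissions, so that principal still needs secretsmanager:GetSecretValue through its own identity policy.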

Those posts illustrate some things you can and cannot do with either AWS Secrets Manager or AWS Parameter Store.

Next up we are going to make some adjustments to our lambda and batch job deployments to work with the AppSec administrator role that manages secrets policies.

Follow for updates.

Teri Radichel


© 2nd Sight Lab 2022

All the posts in this series:

Automating Cybersecurity Metrics (ACM) | GitHub – tradichel/SecurityMetricsAutomation


AWS Secrets Manager vs. SSM Parameter Store was originally published in Cloud Security on Medium, where people are continuing the conversation by highlighting and responding to this story.