AWS Certified Developer - Associate
Security
Parameter Store
In this lesson, we explore AWS Systems Manager Parameter Store, a service for storing configuration data and secrets such as passwords, database connection strings, and other configuration values your application needs. A parameter is stored either as plain text (the String and StringList types) or encrypted (the SecureString type, encrypted with an AWS KMS key), so the same service holds both ordinary settings and sensitive values.
Centralized Configuration Management
Applications often require configuration settings—like database connection details—that must be securely managed. Rather than embedding sensitive credentials within your source code or configuring them separately on each instance (whether in a server, Lambda function, or mobile app), you can centralize these configurations in Parameter Store. This approach enables every instance of your application to dynamically retrieve the necessary values at runtime.
For example, when an application requires database access, it typically needs both a username and a password. By storing these credentials in Parameter Store, you eliminate the hassle of manual configuration across multiple application instances. Furthermore, updating the database password becomes a streamlined process, as you only need to change it in one centralized location.
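The runtime retrieval described above, as an added example that is not part of the lesson. It assumes the hierarchy /org/&lt;service&gt;/... used later in this lesson and takes the SSM client as an argument: in a real application that is boto3.client("ssm"); the FakeSSM class below is constructed test data so the example runs offline. Two details the prose does not show are that SecureString values come back decrypted only when WithDecryption is set, and that GetParametersByPath returns at most ten parameters per call, so the NextToken loop is required.

```python
"""Load an application's configuration from Parameter Store at startup.

Added example (not from the lesson). Assumes parameters live under
/org/<service>/... and that the caller injects an SSM client; a real one
comes from boto3.client("ssm"), FakeSSM is a constructed stand-in.
"""
from typing import Dict, List


def load_config(ssm, path: str) -> Dict[str, str]:
    """Return every parameter under `path` as {relative_name: value}.

    - Recursive=True walks the whole subtree (/org/auth/db/user, ...).
    - WithDecryption=True makes Parameter Store decrypt SecureString values
      with KMS; the caller therefore also needs kms:Decrypt on that key.
    - GetParametersByPath pages ten parameters at a time, so keep calling
      until no NextToken is returned.
    """
    prefix = path.rstrip("/") + "/"
    config: Dict[str, str] = {}
    kwargs = {"Path": prefix, "Recursive": True, "WithDecryption": True}
    while True:
        page = ssm.get_parameters_by_path(**kwargs)
        for param in page["Parameters"]:
            # strip the hierarchy prefix: /org/auth/db/user -> db/user
            config[param["Name"][len(prefix):]] = param["Value"]
        token = page.get("NextToken")
        if not token:
            return config
        kwargs["NextToken"] = token


class FakeSSM:
    """Constructed stand-in for boto3's SSM client: two pages of results."""

    def __init__(self) -> None:
        self.calls: List[dict] = []
        self._pages = [
            {"Parameters": [
                {"Name": "/org/auth/db/user", "Type": "String", "Value": "auth_svc"},
                {"Name": "/org/auth/db/host", "Type": "String", "Value": "db.internal"},
            ], "NextToken": "page2"},
            {"Parameters": [
                {"Name": "/org/auth/db/password", "Type": "SecureString", "Value": "s3cr3t"},
            ]},
        ]

    def get_parameters_by_path(self, **kwargs):
        self.calls.append(kwargs)
        return self._pages[len(self.calls) - 1]


if __name__ == "__main__":
    client = FakeSSM()  # replace with boto3.client("ssm") against a real account
    for key, value in load_config(client, "/org/auth").items():
        print(f"{key} = {'<redacted>' if 'password' in key else value}")
```

Because every instance calls load_config at startup, rotating the database password means writing the new value once under /org/auth/db/password and restarting (or periodically re-reading in) the instances; no per-instance configuration is touched.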
Hierarchical Organization and Permission Management
Parameter Store organizes configurations into a hierarchical structure, allowing you to group parameters logically. For instance, you might create a hierarchy starting at the organization level (e.g., /org), then branching into various applications or services. Within each service (such as an authentication service or task service), you can further segregate parameters as necessary.
This hierarchical model simplifies permission management. If the authentication team requires access solely to parameters related to the authentication service, you can grant permissions specifically for that branch. This setup ensures they can retrieve necessary credentials (like database usernames and passwords) without exposing configurations unrelated to their responsibilities.
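The branch-scoped permission just described, written out as an IAM policy. This is an added example, not the lesson's own material: the Region, account id and KMS key id are placeholders, and the small matcher that follows implements only the * and ? wildcards IAM applies to Resource ARNs (no Deny statements, no conditions), which is enough to confirm offline that the authentication team can read its own branch and nothing else.

```python
"""Least-privilege IAM policy for the authentication team, scoped to the
/org/auth branch of the Parameter Store hierarchy.

Added example, not from the lesson. REGION, ACCOUNT and the key id are
placeholders. `allowed` is a deliberately small checker: Allow statements
with IAM's `*`/`?` resource wildcards, nothing more.
"""
import fnmatch

REGION = "us-east-1"        # placeholder
ACCOUNT = "123456789012"    # placeholder


def param_arn(name: str) -> str:
    # A hierarchical name keeps its leading slash in the ARN:
    # /org/auth/db/user -> arn:aws:ssm:<region>:<account>:parameter/org/auth/db/user
    return f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter{name}"


def auth_team_policy(kms_key_id: str) -> dict:
    """Read the /org/auth subtree and decrypt its SecureStrings, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadAuthServiceParameters",
                "Effect": "Allow",
                "Action": ["ssm:GetParameter", "ssm:GetParameters",
                           "ssm:GetParametersByPath"],
                # the path ARN itself is listed beside the wildcard so that a
                # GetParametersByPath call on /org/auth is covered as well
                "Resource": [param_arn("/org/auth"), param_arn("/org/auth/*")],
            },
            {
                # SecureString values are encrypted with KMS; without this the
                # read with WithDecryption=True is refused even if ssm:* passes
                "Sid": "DecryptAuthSecrets",
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": f"arn:aws:kms:{REGION}:{ACCOUNT}:key/{kms_key_id}",
            },
        ],
    }


def _matches(pattern: str, value: str) -> bool:
    # IAM: `*` spans any characters (slashes included), `?` exactly one.
    # fnmatch does the same for those two but also treats `[` as a class, so escape it.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def allowed(policy: dict, action: str, arn: str) -> bool:
    """True if some Allow statement covers (action, arn)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(_matches(a, action) for a in actions) and any(_matches(r, arn) for r in resources):
            return True
    return False


if __name__ == "__main__":
    policy = auth_team_policy("1234abcd-12ab-34cd-56ef-1234567890ab")  # placeholder key id
    for name in ("/org/auth/db/password", "/org/tasks/db/password"):
        print(name, "->", "allowed" if allowed(policy, "ssm:GetParameter", param_arn(name)) else "denied")
```

The point to check in review is the Resource list: a policy that names `parameter/*` or `parameter/org/*` would let the authentication team read the task service's credentials too, and a policy that grants ssm:GetParameter without kms:Decrypt on the key will still fail for every SecureString.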
Standard vs. Advanced Tiers
Parameter Store is offered in two tiers: Standard and Advanced. Below is a comparison of the two tiers:
Feature | Standard Tier | Advanced Tier |
---|---|---|
Parameter Limit | Up to 10,000 parameters per account per Region | Up to 100,000 parameters per account per Region |
Parameter Size | Up to 4 KB per value | Up to 8 KB per value |
Parameter Policies | Not supported | Supported (expiration, expiration notification, no-change notification) |
Additional Cost | No additional charge | Charged per advanced parameter per month, plus API interactions |
Note
When choosing a tier, consider your application's needs. Use the Standard tier for basic requirements and the Advanced tier when you need enhanced features like parameter policies.
Advanced Tier Policy Features
Within the Advanced tier, you can leverage various parameter policies to increase automation and monitoring:
- Expiration Policy: Automatically delete the parameter at a specified date and time.
- Expiration Notification Policy: Send an EventBridge event a specified number of days or hours before the parameter expires.
- No-Change Notification Policy: Send an EventBridge event if the parameter has not been modified within a designated period, which catches a forgotten rotation.
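The three policies above, attached to an Advanced-tier SecureString at write time. This is an added example rather than lesson material: the parameter name, key id and FakeSSM client are placeholders (a real call uses boto3.client("ssm")). The policy document shape (Type, Version, Attributes) is the one put_parameter accepts in its Policies argument, which must be a JSON string; the tier and time-window checks are the example's own.

```python
"""Store a secret as an Advanced-tier SecureString with parameter policies.

Added example, not from the lesson. Parameter name, key id and FakeSSM are
placeholders; pass boto3.client("ssm") for a real account.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import List


def expiring_in(days: int) -> datetime:
    """Timezone-aware expiry `days` from now (helper for callers and tests)."""
    return datetime.now(timezone.utc) + timedelta(days=days)


def rotation_policies(expires_at: datetime, notify_before_days: int,
                      stale_after_days: int) -> List[dict]:
    """Build the three Advanced-tier policies for one parameter.

    - Expiration deletes the parameter at `expires_at`.
    - ExpirationNotification emits an EventBridge event that many days earlier.
    - NoChangeNotification emits an event once the value has gone
      `stale_after_days` without being written (a rotation that never happened).
    """
    if expires_at.tzinfo is None:
        raise ValueError("expires_at must be timezone-aware")
    now = datetime.now(timezone.utc)
    if expires_at <= now:
        raise ValueError("expiration must be in the future")
    if timedelta(days=notify_before_days) >= expires_at - now:
        # the warning would fire immediately, which defeats its purpose
        raise ValueError("notify_before_days must be shorter than the time to expiry")
    timestamp = expires_at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return [
        {"Type": "Expiration", "Version": "1.0",
         "Attributes": {"Timestamp": timestamp}},
        {"Type": "ExpirationNotification", "Version": "1.0",
         "Attributes": {"Before": str(notify_before_days), "Unit": "Days"}},
        {"Type": "NoChangeNotification", "Version": "1.0",
         "Attributes": {"After": str(stale_after_days), "Unit": "Days"}},
    ]


def put_secret(ssm, name: str, value: str, key_id: str, policies: List[dict]) -> dict:
    """Write `value` encrypted under `key_id`, with the policies attached."""
    return ssm.put_parameter(
        Name=name,
        Value=value,
        Type="SecureString",            # encrypted with KMS, never stored as plain text
        KeyId=key_id,
        Tier="Advanced",                # Standard tier does not accept Policies
        Overwrite=True,
        Policies=json.dumps(policies),  # the API takes a JSON string, not a list
    )


class FakeSSM:
    """Constructed stand-in that records the request as boto3 would send it."""

    def __init__(self) -> None:
        self.last_request = None

    def put_parameter(self, **kwargs):
        self.last_request = kwargs
        return {"Version": 1, "Tier": kwargs["Tier"]}


if __name__ == "__main__":
    client = FakeSSM()  # replace with boto3.client("ssm") against a real account
    policies = rotation_policies(expiring_in(90), notify_before_days=15, stale_after_days=30)
    response = put_secret(client, "/org/auth/db/password", "s3cr3t", "alias/org-auth", policies)
    print(response, json.dumps(client.last_request["Policies"]))
```

The NoChangeNotification window should be shorter than the expiration window: a parameter whose expiry arrives before its stale-value event is deleted without anyone being told the rotation was missed.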
Warning
Always store sensitive parameters as the SecureString type so they are encrypted with AWS KMS, and grant kms:Decrypt on that key only to the principals that need to read them; a principal with ssm:GetParameter alone cannot decrypt a SecureString.
Summary
AWS Systems Manager Parameter Store offers a robust, secure method for storing configuration data and secrets. Its key benefits include:
- Centralized Management: Easily update configuration data without modifying individual application instances.
- Hierarchical Organization: Group parameters logically, simplifying permission management.
- Enhanced Security: Secure sensitive data with encryption using AWS KMS.
- Choice of Tiers: Select the Standard tier for basic needs or the Advanced tier for higher limits and additional policy features.
For further details on AWS Systems Manager Parameter Store, please refer to the AWS Documentation.