creating ssm secure string with cloudformation

Since August 2018 AWS CloudFormation supports AWS Systems Manager Secure String Parameters in CloudFormation Templates.

I have been searching high and low but wasn't able to find a way to create an ssm-secure-string via CloudFormation like I can for a simple SSM parameter via

Type: "AWS::SSM::Parameter"
Properties: 
  AllowedPattern: String
  Description: String
  Name: String
  Type: String
  Value: String

Can someone help me out? Or is there no way to generate the ssm-secure string right now via CloudFormation?

Thanks, A

aerioeus asked Sep 12 '18 17:09



1 Answer

As per the current docs, creating an SSM secure string via CloudFormation is not supported.

Note

AWS CloudFormation doesn't support the SecureString parameter type.

What was introduced in Aug 2018 is the support for SSM Secure String as Parameters in CloudFormation. Link

For the time being, a CustomResource is the only way; however, having a raw value in any kind of infra template for a secure string is not recommended.

Updated (Nov 2019):

As per this, we can provide a 3rd party resource provider for such use cases. CustomResource is good but kind of repetitive if you use it in multiple stacks. So now I would prefer using these 3rd party resource providers for common use cases like secure SSM. It's fairly simple to implement as well.

sayboras answered Sep 19 '22 14:09
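
The custom-resource route the answer mentions, as a Lambda handler that generates the SecureString value itself so the template never carries a raw secret. This is an added example, not code from the answer or from AWS; the property names `Name` and `KmsKeyId` and the `create-failed:` marker are assumptions of this example.

```python
import json
import secrets
import urllib.request

FAILED_ID = "create-failed:"  # ':' is not valid in a parameter name, so this cannot collide


def handle(event, ssm):
    """Process one custom-resource event and return the CloudFormation response body."""
    old_id = event.get("PhysicalResourceId")  # absent on Create
    status, reason, physical_id = "SUCCESS", "", old_id
    try:
        props = event["ResourceProperties"]
        name = props["Name"]                  # assumed property: parameter name
        if event["RequestType"] == "Delete":
            if not old_id.startswith(FAILED_ID):  # never delete what we did not create
                ssm.delete_parameter(Name=old_id)
        elif name != old_id:
            # Create, or Update with a new Name (CloudFormation then sends Delete for
            # the old id). The value is generated here, so the template holds no secret.
            args = {"Name": name, "Type": "SecureString", "Overwrite": False,
                    "Value": secrets.token_urlsafe(32)}
            if props.get("KmsKeyId"):         # assumed optional property
                args["KeyId"] = props["KmsKeyId"]
            ssm.put_parameter(**args)
            physical_id = name
        # Update with an unchanged Name: keep the existing value.
    except Exception as exc:
        code = getattr(exc, "response", {}).get("Error", {}).get("Code", type(exc).__name__)
        if not (event["RequestType"] == "Delete" and code == "ParameterNotFound"):
            status, reason = "FAILED", code   # error code only, never the value
            if event["RequestType"] == "Create":
                physical_id = FAILED_ID + event["LogicalResourceId"]
    return {"Status": status, "Reason": reason, "PhysicalResourceId": physical_id,
            "StackId": event["StackId"], "RequestId": event["RequestId"],
            "LogicalResourceId": event["LogicalResourceId"]}


def lambda_handler(event, context):
    import boto3  # present in the Lambda runtime; imported here so handle() runs offline
    body = json.dumps(handle(event, boto3.client("ssm"))).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req, timeout=10)
```

The response body carries no `Data`, so the generated value cannot be read back with `Fn::GetAtt`; consumers resolve it from Parameter Store at deploy or run time.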