A comprehensive exploration of AWS Systems Manager Parameter Store

In this chapter we take a close look at AWS Systems Manager Parameter Store, a managed store for configuration data and secrets. Parameter Store holds both plaintext values (String and StringList) and encrypted values (SecureString). Access to each parameter is controlled through IAM, and every API call against the store is recorded in AWS CloudTrail, so you can both restrict and audit who retrieves a given value.

Parameter Store integrates with a range of AWS services, among them Amazon EC2, AWS Lambda and AWS CloudFormation, so the same value can be referenced from application code, templates and scripts instead of being copied into each of them. SecureString parameters are encrypted with AWS Key Management Service (KMS): by default with the AWS managed key aws/ssm, or with a customer managed key that you specify, which lets you control decryption through the key policy as well as through IAM.

The practical part of the lab creates a SecureString parameter, writes an IAM policy that allows exactly that parameter to be read and decrypted, and attaches the policy to a role that an Amazon EC2 instance assumes. The role, not an access key stored on the instance, is what lets the instance query Parameter Store and retrieve the value.

The instance in question is our Bastion host, and it illustrates a point that is easy to get wrong: an instance does not need to be a managed node in AWS Systems Manager (that is, it does not need a registered SSM Agent) to read from Parameter Store. GetParameter is an ordinary API call, so any instance whose role permits it, and which can reach the Systems Manager endpoint, can use it.

The lab closes with the AWS Command Line Interface (CLI). After configuring the CLI on the instance without any access keys, we retrieve the parameter with decryption and see the plaintext value, which demonstrates that the instance role alone is enough to read a secret from Parameter Store.

In this hands-on lab, you will delve into the AWS Systems Manager’s Parameter Store, a powerful tool for secure data and secrets management. You will gain a comprehensive understanding of the Parameter Store’s capabilities and learn how to effectively create, manage, and retrieve parameters. By the end of this lab, you will have hands-on experience using the Parameter Store to store encrypted data and seamlessly access it from an Amazon EC2 instance.

Prerequisites:

  • An AWS account with the necessary permissions to create policies and roles.
  • Basic familiarity with the AWS Management Console and Amazon EC2.

Lab Steps:

Step 1: Creating a Secure String Parameter

  1. Log in to your AWS Management Console.
  2. Navigate to the AWS Systems Manager service.
  3. Click on “Parameter Store” in the navigation pane.
  4. Click the “Create parameter” button.
  5. Provide a name for the parameter, such as “DBPassword.”
  6. Choose the parameter type as “SecureString” for encrypted data storage.
  7. Specify the value for the parameter (e.g., a database password).
  8. Review your choices and click “Create parameter.”

Step 2: Creating a Policy and Role

  1. Navigate to “IAM” in the AWS Management Console.
  2. Click on “Policies” in the navigation pane.
  3. Click the “Create policy” button. You will need the ARN of the KMS key that encrypts the parameter: open the Key Management Service console, select the key (for a SecureString created with the default settings this is the AWS managed key with the alias aws/ssm, listed under “AWS managed keys”) and copy its ARN for the Resource section of the JSON policy below.
  4. Select the “JSON” tab and paste the following policy:

       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Effect": "Allow",
             "Action": [
               "ssm:GetParameter",
               "kms:Decrypt"
             ],
             "Resource": [
               "arn:aws:ssm:REGION:ACCOUNT_ID:parameter/DBPassword",
               "arn:aws:kms:REGION:ACCOUNT_ID:key/KMS_KEY_ID"
             ]
           }
         ]
       }

     Replace REGION, ACCOUNT_ID and KMS_KEY_ID with your AWS region, your account ID and the key ID copied in the previous step. The policy is deliberately narrow: it names one parameter and one key instead of using a wildcard, so the role cannot read any other parameter in the account.
  5. Review the policy and give it a name (e.g., “ParameterAccessPolicy”).
  6. Create the policy.
  7. Navigate to “Roles” in the IAM console.
  8. Click the “Create role” button.
  9. Choose the EC2 service and attach the “ParameterAccessPolicy” policy to the role.
  10. Review the role and give it a name (e.g., “ParameterAccessRole”).
  11. Create the role.

Step 3: Attaching the Role to an EC2 Instance

  1. Navigate to “EC2” in the AWS Management Console.
  2. Select your Bastion host instance.
  3. Click on “Actions” and choose “Security” > “Modify IAM role” (in older versions of the EC2 console: “Instance Settings” > “Attach/Replace IAM Role”).
  4. Search for and select the “ParameterAccessRole” role.
  5. Click “Apply” to attach the role to the instance.

Step 4: Installing AWS CLI and Retrieving Parameter

  1. SSH into your Bastion host instance.
  2. Update the installed packages: sudo yum update -y
  3. Install the AWS CLI (Amazon Linux images usually ship with it already, in which case this step changes nothing): sudo yum install aws-cli -y
  4. Configure the AWS CLI: aws configure. Leave the access key ID and secret access key blank, provide the region (e.g., us-east-1) and accept the default output format. The blank keys are deliberate: the CLI obtains short-lived credentials for the attached role from the instance metadata service, so no long-lived key is ever written to the instance.
  5. Retrieve the parameter value with decryption: aws ssm get-parameter --name DBPassword --with-decryption. The response is a JSON document whose Parameter.Value field holds the decrypted password. Without --with-decryption the same call returns the ciphertext, and without kms:Decrypt in the role's policy the call with --with-decryption is denied.
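The four steps above as one script, an added example that is not part of the original lab: it performs Steps 1 to 3 from an administrator workstation with the AWS CLI and Step 4 on the instance. Names the page does not give are assumptions: the target instance ID is read from the INSTANCE_ID environment variable, the secret from DB_PASSWORD, and the parameter is encrypted with the account's default SSM key (alias/aws/ssm). The helper functions that build the parameter ARN and the two policy documents are the part that runs without an AWS account.

```shell
#!/usr/bin/env bash
# Added example, not from the original lab: the console steps driven by the
# AWS CLI. Assumptions (not in the original page): INSTANCE_ID and DB_PASSWORD
# come from the environment; the SecureString uses the default key alias/aws/ssm.
set -eu

PARAM_NAME="DBPassword"
POLICY_NAME="ParameterAccessPolicy"
ROLE_NAME="ParameterAccessRole"

# ARN of a Parameter Store parameter. The resource part is "parameter/" plus
# the name; a leading slash in a hierarchical name is not doubled, so both
# "DBPassword" and "/DBPassword" map to ...:parameter/DBPassword.
param_arn() {
  local region="$1" account="$2" name="${3#/}"
  printf 'arn:aws:ssm:%s:%s:parameter/%s' "$region" "$account" "$name"
}

# Identity policy for the role. Two statements keep each action scoped to the
# resource it applies to: GetParameter to the parameter, Decrypt to the key.
access_policy() {
  local parameter_arn="$1" key_arn="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ssm:GetParameter"], "Resource": "${parameter_arn}"},
    {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": "${key_arn}"}
  ]
}
EOF
}

# Trust policy: only the EC2 service may assume the role (through an instance profile).
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}
  ]
}
EOF
}

# Steps 1-3 of the lab, run from an administrator workstation.
provision() {
  local region account key_arn policy_arn
  region="$(aws configure get region)"
  account="$(aws sts get-caller-identity --query Account --output text)"

  # Step 1: SecureString parameter. Omitting --key-id selects the AWS managed
  # key aws/ssm. The value comes from the environment rather than being typed
  # on the command line, so it does not end up in shell history.
  aws ssm put-parameter --name "$PARAM_NAME" --type SecureString \
    --value "$DB_PASSWORD" --overwrite >/dev/null

  # Resolve the key ARN that goes into the policy's Resource element.
  key_arn="$(aws kms describe-key --key-id alias/aws/ssm \
    --query KeyMetadata.Arn --output text)"

  # Step 2: policy and role.
  policy_arn="$(aws iam create-policy --policy-name "$POLICY_NAME" \
    --policy-document "$(access_policy "$(param_arn "$region" "$account" "$PARAM_NAME")" "$key_arn")" \
    --query Policy.Arn --output text)"
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(ec2_trust_policy)" >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$policy_arn"

  # Step 3: the console hides this part. EC2 attaches an instance profile,
  # a container for the role, so one must exist before it can be associated.
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME" >/dev/null
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" \
    --role-name "$ROLE_NAME"
  aws ec2 associate-iam-instance-profile --instance-id "$INSTANCE_ID" \
    --iam-instance-profile Name="$ROLE_NAME" >/dev/null
}

# Step 4, run on the instance. No keys are configured: the CLI fetches the
# role's temporary credentials from the instance metadata service.
fetch_secret() {
  aws ssm get-parameter --name "$PARAM_NAME" --with-decryption \
    --query Parameter.Value --output text
}

case "${1:-}" in
  provision) provision ;;
  fetch)     fetch_secret ;;
esac
```

Run `./lab.sh provision` with administrator credentials, then `./lab.sh fetch` on the Bastion host. Newly created instance profiles are eventually consistent, so associate-iam-instance-profile can be rejected for a few seconds after the profile is created; retry it. The script also makes explicit two things the console does silently: it creates the instance profile that wraps the role, and it splits the policy into two statements so that ssm:GetParameter is scoped only to the parameter ARN and kms:Decrypt only to the key ARN.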

Conclusion: Congratulations! You’ve successfully completed the hands-on lab on AWS Parameter Store. You’ve learned how to create a secure string parameter, configure policies and roles for EC2 instances, and retrieve parameter values securely using the AWS CLI. This valuable experience will empower you to effectively manage data and secrets using the Parameter Store within AWS Systems Manager.
