AWS Parameter Store & Secrets Manager

Question 1

What is the Parameter Store?

Answer 1

It is part of SSM, it provides secure storage for configuration data and secrets. Values can be stored ast plain text or encrypted using KMS.

Question 2

Are the parameters in plain text or encrypted?

Answer 2

The parameters are in plain text or encrypted, you get to decide.

Question 3

I have a configuration for my lambda, where can I securely store it?

Answer 3

You can store it in the parameter store.

Question 4

I have a configuration for my autoscaling, where can I securely store it?

Answer 4

You can store it in the parameter store.

Question 5

How is data referenced?

Answer 5

Using a unique name

Question 6

How is data stored?

Answer 6

In a hierarchy

Question 7

What types are supported by the parameter store?

Answer 7

• Strings
• StringList
• SecureString

Question 8

How do you access the parameter store?

Answer 8

Using a LIB that calls the API, this means you can use it in a container, lambda, Ec2, Beanstalk, ECS, EKS, Code Build/Deploy, etc.

Question 9

What size can parameters be?

Answer 9

• For Standard they can be 4K

- For Advanced they can be 8K

Question 10

I wnat my parameters to expire after 3mts, how can I do this?

Answer 10

You can not with standard, but you can with advanced

Question 11

Can I have parameters encrypted?

Answer 11

Yes as a SecureString , this is where KMS is used.

Question 12

Can I use a Key from another account for parameter encryption?

Answer 12

Yes

Question 13

I have an instance with an application thet is using a secure and encrypted parameter from the parameter store, you have created a role and attached it to the instance, the role has permissions to access the parameter in the parameter store, but I am getting an error when accessing the parameter, why?

Answer 13

It is because you have not added permissions to KMW form the instance.

Question 14

Where could I put parameters from my lambda application?

Answer 14

In the parameter store.

Question 15

I am using CloudFormation and want to be able to have a central location where I can put parameters and have them secure and able to be accessed by CF?

Answer 15

You can use the parameter store.

Question 16

How can I have the hierarchy in the parameter store?

Answer 16

You can have a real hierarchy but you can have a value with what seems to be separations ‘/’

Question 17

I wnat to store secret for the RDS DB and have it rotated, how cna I do this?

Answer 17

You cna not have an automatic rotation in parameter store, secrets managed has much better functionality for this.

Question 18

I want to have been able to use the parameter store to automatically rotate my secrets in my custom database, what is my best option?

Answer 18

Use secret managed, with secrets managed you cna have call lambda when its time to have the secret rotation, with lambda you can run custom code to have the key rotated.

Question 19

I am using secrets manager and I wnat to monitor a secret and have an alarm sent to me when it is changed, how cna I do this?

Answer 19

You can use secret manged to store the secret and cloud trail to understand the change to any secrets and then use cloudwatch events to trigger an SNS to send an email.

Question 20

I am using cloud formation with RDS and I wnat to have RDS database secrets, how cna I do this?

Answer 20

It probably best not to use parameter store and use secrets managed instead, this way with secrets manager you get the ability to have secret rotation and Secrets Manager have integration with RDS for the secret rotation.

Question 21

When using Secrets managed how cna you control access to the secrets?

Answer 21

Use IAM.

Question 22

How cna I distribute parameters to EC2 instances in the autoscaling group?

Answer 22

You cna used parameter store.