AWS Parameter Store: is it free for any user and application?

0

I use AWS PS in my Lambda .NET 6 app; I added an RDS connection string, Cognito URL, etc.

Is my AWS PS parameter set open to any users and applications, and are all parameters accessible? If yes, how to avoid it?

Oleg
asked 9 months ago · 262 views
2 Answers
1

Hello!

Before setting up parameters in Parameter Store, you must first configure AWS Identity and Access Management (IAM) policies that provide users in your account with permission to perform the actions you specify. You can also create and assign policies to control which parameter actions can be run on a managed node. The AWS Systems Manager Parameter Store documentation has great information for Restricting access to Systems Manager parameters using IAM policies.

AWS CloudTrail captures API calls made in the AWS Systems Manager console, the AWS Command Line Interface (AWS CLI), and the Systems Manager SDK. You can view the information in the CloudTrail console or in an Amazon Simple Storage Service (Amazon S3) bucket. This allows you to be able to see any interactions with your parameters.

Hope this helps!

AWS
answered 9 months ago
EXPERT
reviewed 9 months ago
0

Hi, System Parameters are protected by various kinds of authorization. Source: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-access.html

DeleteParameter

DeleteParameters

DescribeParameters

GetParameter

GetParameters

GetParameterHistory

GetParametersByPath

PutParameter

For example,

When using IAM policies to restrict access to Systems Manager parameters, we recommend that you create and use restrictive IAM policies. The following policy allows a user to call the DescribeParameters and GetParameters API operations for a limited set of resources. This means that the user can get information about and use all parameters that begin with prod-*.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeParameters"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameters"
            ],
            "Resource": "arn:aws:ssm:us-east-2:123456789012:parameter/prod-*"
        }
    ]
}

Read the full page linked above to get all the details on how to achieve it.

Best,

Didier

AWS
EXPERT
answered 9 months ago
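
A simplified model of how IAM evaluates the policy quoted in the answer above, added here as an example (it is not part of either answer and is not AWS's own code). It assumes identity-policy evaluation only, with no conditions, SCPs or permission boundaries, and the parameter names in the requests are constructed.

```python
import json
import re

# Policy copied from the answer above (region and account ID are its sample values).
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ssm:DescribeParameters"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ssm:GetParameters"],
     "Resource": "arn:aws:ssm:us-east-2:123456789012:parameter/prod-*"}
  ]
}""")
PREFIX = "arn:aws:ssm:us-east-2:123456789012:parameter/"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def is_allowed(policy, action, resource):
    """Simplified check: implicit deny unless an Allow statement matches,
    and any matching Deny wins. Conditions, SCPs, boundaries are ignored."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not (any(_match(a, action, True) for a in _as_list(stmt["Action"]))
                and any(_match(r, resource) for r in _as_list(stmt["Resource"]))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def audit(policy):
    # Constructed requests; the parameter names are made up for illustration.
    requests = [
        ("ssm:GetParameters", PREFIX + "prod-rds-connection"),
        ("ssm:GetParameter", PREFIX + "prod-rds-connection"),
        ("ssm:GetParametersByPath", PREFIX + "prod-rds-connection"),
        ("ssm:PutParameter", PREFIX + "prod-rds-connection"),
        ("ssm:GetParameters", PREFIX + "dev-rds-connection"),
    ]
    return {req: is_allowed(policy, *req) for req in requests}

if __name__ == "__main__":
    for (action, arn), ok in audit(POLICY).items():
        print("ALLOW" if ok else "DENY ", action, arn)
```

Only the first request is allowed: ssm:GetParameter (singular) and ssm:GetParametersByPath are separate actions from ssm:GetParameters, so a caller using either with only this policy attached is denied.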
