AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database connection strings, and license codes as parameter values. Values can be stored as plain text or as encrypted data. You then reference a value by the unique name you specified when you created the parameter. Parameter Store is backed by the AWS Cloud and is scalable, highly available, and durable.
Parameter Store offers the following benefits and features.
- Use a secure, scalable, hosted secrets management service with no servers to manage.
- Improve your security posture by separating your data from your code.
- Store configuration data and secret strings in hierarchies, with version tracking.
- Control and audit access at a granular level.
- Configure change notifications and trigger automated actions for both parameters and parameter policies.
- Tag parameters individually, and then secure access at different levels, including the operation, parameter, Amazon EC2 tag, and path levels.
- Reference AWS Secrets Manager secrets by using Parameter Store parameters.
- Use Parameter Store parameters with other Systems Manager capabilities and AWS services to retrieve secrets and configuration data from a central store. The list of AWS services that support Parameter Store parameters keeps growing and includes:
  - Amazon Elastic Compute Cloud (Amazon EC2)
  - Amazon Elastic Container Service (Amazon ECS)
  - AWS Lambda
  - AWS CloudFormation
  - AWS CodeBuild
  - AWS CodeDeploy
- Configure integration with the following AWS services for encryption, notification, monitoring, and auditing:
  - AWS Key Management Service (AWS KMS)
  - Amazon Simple Notification Service (Amazon SNS)
  - Amazon CloudWatch
  - AWS CloudTrail
Sharing Secrets with AWS Lambda Using AWS Systems Manager Parameter Store
This post courtesy of Roberto Iturralde, Sr. Application Developer, AWS Professional Services
Application architects are faced with key decisions throughout the process of designing and implementing their systems. One decision common to nearly all solutions is how to manage the storage and access rights of application configuration. Shared configuration should be stored centrally and securely with each system component having access only to the properties that it needs for functioning.
With AWS Systems Manager Parameter Store, developers have access to central, secure, durable, and highly available storage for application configuration and secrets. Parameter Store also integrates with AWS Identity and Access Management (IAM), allowing fine-grained access control to individual parameters or branches of a hierarchical tree.
This post demonstrates how to create and access shared configurations in Parameter Store from AWS Lambda. Both encrypted and plaintext parameter values are stored with only the Lambda function having permissions to decrypt the secrets. You also use AWS X-Ray to profile the function.
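An added example (not code from the original post or from AWS) of the Lambda side of the pattern just described: a Python handler that reads every parameter under one hierarchy path with decryption enabled, follows pagination, and caches the result across warm invocations. The path /my-app/prod/ and the use of a boto3 SSM client are assumptions; the function's execution role must be allowed ssm:GetParametersByPath on that path and, for SecureString values, kms:Decrypt on the key they were encrypted with.

```python
"""Load a Parameter Store hierarchy for a Lambda function (added example)."""
import os
import time
from typing import Dict, Optional

# Assumed hierarchy; plaintext String and encrypted SecureString values live under it.
PARAM_PATH = os.environ.get("PARAM_PATH", "/my-app/prod/")
CACHE_TTL_SECONDS = 300  # re-read periodically so rotated secrets are picked up

_cache: Dict[str, object] = {"expires": 0.0, "values": {}}


def load_parameters(ssm_client, path: str = PARAM_PATH) -> Dict[str, str]:
    """Return {short_name: value} for every parameter under `path`.

    WithDecryption=True makes SSM decrypt SecureString values via KMS on the
    caller's behalf; plain String values are returned as-is. The API is
    paginated, so keep calling until no NextToken comes back.
    """
    values: Dict[str, str] = {}
    kwargs = {"Path": path, "Recursive": True, "WithDecryption": True}
    while True:
        resp = ssm_client.get_parameters_by_path(**kwargs)
        for param in resp.get("Parameters", []):
            # Strip the path prefix: callers ask for "db_password", not the full name.
            values[param["Name"][len(path):]] = param["Value"]
        token = resp.get("NextToken")
        if not token:
            return values
        kwargs["NextToken"] = token


def get_config(ssm_client, path: str = PARAM_PATH,
               now: Optional[float] = None) -> Dict[str, str]:
    """Cached wrapper: Lambda containers are reused, so skip the SSM round trip
    while the cached copy is fresher than CACHE_TTL_SECONDS."""
    now = time.time() if now is None else now
    if now >= _cache["expires"]:
        _cache["values"] = load_parameters(ssm_client, path)
        _cache["expires"] = now + CACHE_TTL_SECONDS
    return _cache["values"]


def lambda_handler(event, context):
    import boto3  # imported here so the module also loads where boto3 is absent
    config = get_config(boto3.client("ssm"))
    # Report which keys were loaded, never the secret values themselves.
    return {"loaded_keys": sorted(config)}
```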