AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data and secrets. You can store data such as passwords and database connection strings as parameter values, either as plain text or as encrypted data (a SecureString, encrypted with a KMS key). You then reference a value by the unique name you gave the parameter when you created it.
In this lab we will demo how to store and retrieve SSM parameters, and what changes when a parameter is a SecureString encrypted with a customer-managed KMS key instead of the AWS-managed one.
Step 1: First of all, install the AWS CLI on your EC2 instance if it is not already there:
Then run aws configure. Press Enter to leave the first two fields (AWS Access Key ID and AWS Secret Access Key) empty: the instance will get its credentials from the IAM role attached in Step 3, so no keys need to be written to disk. For the third field, Default region name, enter us-east-1 (or the region of your choice), and press Enter to accept the default for the last field, Default output format.
Step 2: Create an IAM role for EC2 with full SSM access (later in this lab it is called ssm-full-access-role). Full SSM access is convenient for a lab but broader than the read access this exercise actually needs.
Step 3: Attach the role to the EC2 instance as its instance profile.
Step 4: From the EC2 instance, run the command to store an SSM parameter of type String.
Step 5: The parameter you just stored is not encrypted. Retrieve it with this command; the output returns your value for the key (name) you specified, in the clear.
Step 6: Now let's try to store a SecureString parameter in SSM.
Step 7: Retrieve the SecureString with this command.
Step 8: Notice that you are given the encrypted value: unless you explicitly ask for decryption, get-parameter hands back the ciphertext.
Step 9: Describe the parameter with this command.
Step 10: You can see that the parameter is encrypted with the KeyId alias/aws/ssm, the AWS-managed key Parameter Store uses when you do not choose a key yourself.
Step 11: Now try to get the decrypted value with this command. It succeeds: the AWS-managed key's policy lets any principal in the account that is allowed to call GetParameter use the key for decryption, so the role's SSM permissions alone are enough.
Step 12: From a privileged session (a user that has access to a customer-managed KMS key, in this case the key with the alias mykey), add a new SecureString parameter to Parameter Store, encrypted with that key.
Step 13: From your EC2 instance, with ssm-full-access-role attached, enter this command to retrieve the new parameter with decryption.
** You are not able to decrypt because the role does not have access to that KMS key: the SSM permissions are in place, but KMS refuses the Decrypt call that get-parameter makes on your behalf.
Step 14: Add ssm-full-access-role to the key users of mykey in the KMS service (found under IAM in the console). I chose to do this with an inline policy on the role that allows kms:Decrypt on that key; this works because the key's default key policy delegates permission management to IAM.
Step 15: Enter the command from Step 13 again.
Congratulations! You are now able to decrypt and read the secure SSM parameter. Keep in mind that ssm-full-access-role can now read every parameter encrypted under mykey, and with full SSM access it can also write or delete parameters; in production, scope the role to ssm:GetParameter on the parameter ARNs it needs and kms:Decrypt on just that key.
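To make the lab repeatable, here is the whole procedure as AWS CLI calls in a shell script. This is an added example, not code from the original page; the parameter names under /lab/, the policy name kms-decrypt-mykey, the role name ssm-full-access-role and the key alias alias/mykey are assumptions taken from the steps above, so substitute your own.

```shell
#!/bin/sh
# Added example for this lab, not part of the original page: the AWS CLI
# calls behind Steps 4 to 15 as shell functions. Assumed names (choose your
# own): parameters under /lab/, IAM role ssm-full-access-role, and the
# customer-managed key alias/mykey from Step 12. Nothing calls AWS until
# SSM_LAB_RUN=1 is set, so the file can be sourced without credentials.
set -e

PLAIN_PARAM="/lab/db-host"
SECURE_PARAM="/lab/db-password"
CMK_PARAM="/lab/api-token"
ROLE_NAME="ssm-full-access-role"
CMK_ALIAS="alias/mykey"

# Steps 4-5: a String parameter is stored and comes back in the clear.
store_plain() {
  aws ssm put-parameter --name "$PLAIN_PARAM" --value "db.internal" \
    --type String --overwrite
}
fetch_plain() {
  aws ssm get-parameter --name "$PLAIN_PARAM" \
    --query 'Parameter.Value' --output text
}

# Steps 6-8: a SecureString with no --key-id is encrypted under the
# AWS-managed key alias/aws/ssm; without --with-decryption you get ciphertext.
store_secure() {
  aws ssm put-parameter --name "$SECURE_PARAM" --value "$1" \
    --type SecureString --overwrite
}
fetch_ciphertext() {
  aws ssm get-parameter --name "$1" --query 'Parameter.Value' --output text
}

# Steps 9-10: describe-parameters reports Type and KeyId, never the value.
describe_param() {
  aws ssm describe-parameters --parameter-filters "Key=Name,Values=$1" \
    --query 'Parameters[0].[Name,Type,KeyId]' --output text
}

# Steps 11, 13, 15: SSM calls kms:Decrypt on the caller's behalf, so this
# succeeds only if the calling role may use the key the value was encrypted with.
fetch_decrypted() {
  aws ssm get-parameter --name "$1" --with-decryption \
    --query 'Parameter.Value' --output text
}

# Step 12: run from the privileged session, not from the instance.
store_under_cmk() {
  aws ssm put-parameter --name "$CMK_PARAM" --value "$1" \
    --type SecureString --key-id "$CMK_ALIAS" --overwrite
}

# Step 14: inline IAM policy that allows kms:Decrypt on exactly one key ARN.
# The key policy must still delegate to IAM (the default key policy does).
decrypt_policy_json() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"kms:Decrypt","Resource":"$1"}]}
EOF
}
grant_decrypt_to_role() {
  key_arn=$(aws kms describe-key --key-id "$CMK_ALIAS" \
    --query 'KeyMetadata.Arn' --output text)
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name "kms-decrypt-mykey" \
    --policy-document "$(decrypt_policy_json "$key_arn")"
}

# Steps 4-13 in order, as run on the instance with the role attached.
run_lab_from_instance() {
  store_plain
  plain=$(fetch_plain);                       echo "plain value:         $plain"
  store_secure "S3cret-from-lab"
  cipher=$(fetch_ciphertext "$SECURE_PARAM"); echo "ciphertext:          $cipher"
  describe_param "$SECURE_PARAM"
  clear=$(fetch_decrypted "$SECURE_PARAM");   echo "decrypted (aws/ssm): $clear"
  # Step 13: fails until grant_decrypt_to_role has run from the privileged
  # session; Step 15 is this same call succeeding.
  if ! fetch_decrypted "$CMK_PARAM"; then
    echo "Step 13: KMS denied Decrypt for $CMK_PARAM; run grant_decrypt_to_role" >&2
  fi
}

if [ "${SSM_LAB_RUN:-0}" = "1" ]; then
  run_lab_from_instance
fi
```

Run it on the instance with SSM_LAB_RUN=1 sh ssm-lab.sh; from the privileged session, source the file and call store_under_cmk and grant_decrypt_to_role, then re-run on the instance to see the Step 13 call succeed as in Step 15. The inline policy names a single key ARN rather than a wildcard: that is what keeps the role from decrypting every SecureString in the account.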