Adding a KMS Key Id to AWS SSM Parameter Store
ACM.59 Encrypting our batch job session parameter with a key that a batch job can use to obtain session credentials
Part of my series on Automating Cybersecurity Metrics. IAM. KMS. The Code.
In the last post we looked at using AWS Lambda with AWS Systems Manager Parameter Store.
We added the ability for our Lambda function that generates a cryptographically secure batch id to store a value in AWS SSM Parameter Store.
When encryption doesn’t save you
Although we used a SecureString, we used the default AWS encryption. What does that do for us? It encrypts the data such that only people with permission to use our AWS account can decrypt the data. So basically, the encryption is not doing that much for us internally. I’m not even sure if that encryption prevents people who work at AWS from seeing the data, but I never dug into it because it’s simply not good enough as an encryption solution. I wrote about this in my book and on my blog: the encryption fallacy.
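To make the difference concrete, here is an added example (not code from this series) that flags SecureString parameters still encrypted with the default `alias/aws/ssm` key and builds a `put_parameter` request that pins a specific KMS key instead. The parameter names, account id, key ARN and the `alias/batch-job-key` alias are constructed placeholders.

```python
# Added example: names, ARNs and sample data below are constructed placeholders.
DEFAULT_SSM_KEY = "alias/aws/ssm"  # AWS managed key used when no KeyId is given


def uses_default_key(param):
    """True if a SecureString parameter is encrypted with the AWS managed key."""
    if param.get("Type") != "SecureString":
        return False
    key_id = param.get("KeyId") or DEFAULT_SSM_KEY
    return key_id == DEFAULT_SSM_KEY or key_id.endswith(":" + DEFAULT_SSM_KEY)


def find_default_key_parameters(parameters):
    """Return names of SecureString parameters still on the default key."""
    return sorted(p["Name"] for p in parameters if uses_default_key(p))


def secure_put_request(name, value, kms_key_id):
    """Build put_parameter arguments that pin a customer managed key."""
    if not kms_key_id or kms_key_id.endswith(DEFAULT_SSM_KEY):
        raise ValueError("a customer managed KMS key id, ARN or alias is required")
    return {"Name": name, "Value": value, "Type": "SecureString",
            "KeyId": kms_key_id, "Overwrite": True}


def audit_account(region):
    """Live check: needs boto3 and ssm:DescribeParameters permission."""
    import boto3  # imported here so the rest of the example runs offline
    ssm = boto3.client("ssm", region_name=region)
    found = []
    for page in ssm.get_paginator("describe_parameters").paginate():
        found.extend(page["Parameters"])
    return find_default_key_parameters(found)


# Constructed sample shaped like a DescribeParameters response.
SAMPLE = [
    {"Name": "/batch/job1/session", "Type": "SecureString", "KeyId": "alias/aws/ssm"},
    {"Name": "/batch/job2/session", "Type": "SecureString",
     "KeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"Name": "/batch/config/region", "Type": "String"},
]

if __name__ == "__main__":
    print(find_default_key_parameters(SAMPLE))
```

The dictionary returned by `secure_put_request` can be passed to boto3 as `ssm.put_parameter(**request)`; the caller then needs permission on that KMS key as well as on the parameter.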