Adding a KMS Key Id to AWS SSM Parameter Store

ACM.59 Encrypting our batch job session parameter with a key that a batch job can use to obtain session credentials

Teri Radichel
Published in Cloud Security · 11 min read · Sep 23, 2022


Part of my series on Automating Cybersecurity Metrics. IAM. KMS. The Code.


In the last post we looked at using AWS Lambda with AWS Systems Manager Parameter Store.

We added the ability for our Lambda function that generates a cryptographically secure batch id to store a value in AWS SSM Parameter Store.

When encryption doesn’t save you

Although we used a SecureString, we used the default AWS encryption. What does that do for us? It encrypts the data such that only people with permission to use our AWS account can decrypt the data. So basically, the encryption is not doing that much for us internally. I’m not even sure if that encryption prevents people who work at AWS from seeing the data, but I never dug into it because it’s simply not good enough as an encryption solution. I wrote about this in my book and on my blog — the encryption fallacy.
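The fix the title points at is to stop relying on the AWS-managed `aws/ssm` key and instead pass a customer-managed KMS key id whose key policy decides who may decrypt. The following is an added example (not code from this post or the series it belongs to) showing what that looks like: a key policy that lets only the batch job role decrypt, only through SSM, and a `PutParameter` request that binds the SecureString to that key. The account id, region, role names and parameter name are placeholders I assumed; the `decrypt_principals` check is a small lint of my own, not an IAM policy evaluator.

```python
"""Write an SSM SecureString under a customer-managed KMS key whose policy
only lets the batch job role decrypt it.

Added example; not code from the original post or its series.  Every ARN,
role name, region and parameter name below is a placeholder assumption.
"""
import fnmatch
import json

ACCOUNT_ID = "123456789012"                                           # placeholder
REGION = "us-east-1"                                                  # assumed
ROOT = f"arn:aws:iam::{ACCOUNT_ID}:root"
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/kms-admin-role"         # hypothetical
WRITER_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/batch-id-lambda-role"  # hypothetical
READER_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/batch-job-role"        # hypothetical
PARAM_NAME = "/batch/session-id"                                      # hypothetical

# Administrative actions only: nothing here lets an administrator read plaintext.
KEY_ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion",
    "kms:CancelKeyDeletion",
]


def key_policy(account_id, region, writer_role, reader_role, admin_role):
    """Key policy that separates who may encrypt from who may decrypt.

    The default aws/ssm key is usable by any principal in the account that an
    IAM policy grants ssm:GetParameter, so the ciphertext protects nothing
    from insiders.  This policy names the only role that may decrypt, and only
    when the call arrives through SSM (kms:ViaService), so handing the raw
    ciphertext to kms:Decrypt from anywhere else is refused.  Because no
    statement grants kms:* or kms:Decrypt to the account root, IAM policies
    elsewhere in the account cannot widen decrypt access.
    """
    via_ssm = {"StringEquals": {"kms:ViaService": f"ssm.{region}.amazonaws.com"}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # root is kept (admin actions only) so the key never becomes unmanageable
                "Sid": "KeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": [f"arn:aws:iam::{account_id}:root", admin_role]},
                "Action": KEY_ADMIN_ACTIONS,
                "Resource": "*",
            },
            {   # the Lambda that generates the batch id may only encrypt, via SSM
                "Sid": "BatchIdLambdaEncrypts",
                "Effect": "Allow",
                "Principal": {"AWS": writer_role},
                "Action": ["kms:Encrypt", "kms:GenerateDataKey*"],
                "Resource": "*",
                "Condition": via_ssm,
            },
            {   # the batch job may only decrypt, and only via SSM GetParameter
                "Sid": "BatchJobDecrypts",
                "Effect": "Allow",
                "Principal": {"AWS": reader_role},
                "Action": "kms:Decrypt",
                "Resource": "*",
                "Condition": via_ssm,
            },
        ],
    }


def _as_list(x):
    return x if isinstance(x, list) else [x]


def decrypt_principals(policy):
    """Every principal an Allow statement lets call kms:Decrypt (wildcards included)."""
    found = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase("kms:Decrypt", a) for a in _as_list(st["Action"])):
            principal = st["Principal"]
            if isinstance(principal, dict):
                found.update(_as_list(principal.get("AWS", [])))
            else:                      # bare "*" principal
                found.add(principal)
    return found


def check_least_privilege(policy, reader_role):
    """True when reader_role is the only principal the key policy lets decrypt."""
    return decrypt_principals(policy) == {reader_role}


def put_parameter_request(name, value, key_id):
    """Arguments for SSM PutParameter.  Omitting KeyId silently selects the
    AWS-managed aws/ssm key; passing it binds the value to our key policy."""
    return {"Name": name, "Value": value, "Type": "SecureString",
            "KeyId": key_id, "Overwrite": True}


def store_session_parameter(ssm_client, name, value, key_id):
    """Write the parameter with any client exposing put_parameter (boto3's does)."""
    return ssm_client.put_parameter(**put_parameter_request(name, value, key_id))


if __name__ == "__main__":
    policy = key_policy(ACCOUNT_ID, REGION, WRITER_ROLE, READER_ROLE, ADMIN_ROLE)
    print(json.dumps(policy, indent=2))
    print("only the batch job can decrypt:", check_least_privilege(policy, READER_ROLE))
    print(put_parameter_request(PARAM_NAME, "<batch session id>", "alias/batch-session"))
```

The printed policy is what you would hand to `aws kms create-key --policy file://policy.json`, and the request dict mirrors `aws ssm put-parameter --type SecureString --key-id <key id or alias>`. The design point is the split: the Lambda role can encrypt but never decrypt, the batch job role can decrypt but never encrypt, and the administrators can rotate, tag or disable the key but cannot read plaintext. Re-run `check_least_privilege` in CI whenever the key policy changes; the moment someone adds a `kms:*` grant to root, the default-key situation is back and the check fails.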


CEO 2nd Sight Lab | Penetration Testing & Assessments | AWS Hero | Masters of Infosec & Software Engineering | GSE 240 etc | IANS | SANS Difference Makers Award