-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Parameter Store always defaults to SecureString #121
Comments
By |
@jpb @pauloancheta @rymndhng what do you think about this? |
+1 for uploading a non-secure string. I do like the flag of Having it very easy to upload a non secure string might be a problem for auditing. |
It seems to me that the main use-case of using parameter store here is to store things that are secret - if they were not secret then the codebase seems like a better place for them. I feel like this change may be a foot-gun and I fear that changing the behaviour would result secrets being store as plain text in parameter store. I agree that both echoing secrets and inadvertently storing a secret unencrypted in parameter store are both security concerns, but I feel in this use-case the latter would be a larger problem. We already have |
I prefer keeping Which context are we talking about echoing strings? |
I actually think people should be more cognizant about uploading a secure string. If someone is uploading a password, they should be thinking more about the security of that. It seems like an anti-pattern to have to be "aware" about not securing something versus securing it. With the echo thing, I was mainly thinking about when the value is being used. Like, if a parameter value is being used somewhere, then any strings should be echoed for visibility by the operator and secure strings should obviously not be echoed (or echo the encrypted value for visibility that a value was used and it was encrypted). The thing we have to remember with "non-secure" == "in codebase" is they have two completely different authentication protocols. One being GitHub/Git, and the other being IAM. There is a stark difference between the two and I think the statement that strings are to some degree not secrets is categorically false. Basically:
Examples:
Additionally, my bigger issue with SecureString as default is that I as a general IAM user should not have any capability to decrypt SecureStrings. There is absolutely no reason why I should (as part of my day to day) be able to decrypt a database password or the like. If I need that capability, I should have access to a secured role that allows me to do that. Conversely, I absolutely should have the capability to see what queue a service is configured to use or similar. |
One additional note, if people are adding parameters with password or other secrets that IAM users should generally not be able to decrypt, that would be an education/people problem that needs to be solved. I don't really agree that we should solve people problems with technical decisions that reduce our ability to improve security. (Example being having everyone upload everything as secure strings and then needing allow everyone to decrypt secure strings) |
cc: @scottbrown (Parameter Store security aspects are being discussed here) |
Many of the strings set in parameter store do not need to be secure strings, and ones that are often are echoed by default.
I think a couple changes might be nice:
--encrypt
) to upload as SecureStringThe text was updated successfully, but these errors were encountered: