Creating Secure String in AWS Systems Manager Parameter Store via AWS CloudFormation

Nanthan Rasiah
Mar 6, 2021

Applications and services use AWS Systems Manager Parameter Store for centralised configuration management, and the SecureString parameter type lets you keep sensitive data (database passwords, API tokens) there. SecureString values are encrypted and decrypted with an AWS KMS key (customer master key, CMK) that you choose. CloudFormation's AWS::SSM::Parameter resource supports only the String and StringList types; it cannot create a SecureString parameter. This post explains how to implement a Lambda-backed custom resource that creates SecureString parameters in Parameter Store from an AWS CloudFormation template.

First, create an AWS Lambda function that uses the AWS SDK for Python (Boto3) to create the parameters. The CloudFormation template below creates that Lambda function.

This Lambda function requires the following Resource Properties:
1. ParameterKeys
Type : Comma Delimited List
Required: Yes

Comma-separated list of fully qualified parameter names; each name includes the complete hierarchy of the parameter path and the parameter name.
For example: /config/test-service/dev/rds/test-database-1/password, /config/test-service/dev/rds/test-database-2/password.

Parameter names are case sensitive and must be unique within an AWS Region.

2. ParameterValues
Type : Comma Delimited List
Required: Yes

Comma-separated list of parameter values, in the same order as ParameterKeys. This Lambda supports only standard parameters, which have a value limit of 4 KB. Because the list is comma delimited, an individual value cannot itself contain a comma.

3. KmsKeyId
Type : String
Required: Yes

The ID of the KMS key you want to use to encrypt/decrypt the parameters. The Lambda's execution role needs ssm:PutParameter and kms:Encrypt on that key for creation, and ssm:DeleteParameter for stack deletion.

Because ResourceProperties carries the plaintext values, declare the template parameter that feeds ParameterValues with NoEcho: true so the values are masked in the stack's parameter listing, and never log the incoming event inside the Lambda.

The Lambda function above can be used as a custom resource in any CloudFormation template. Custom resources let you write custom provisioning logic that runs when you create, update or delete a stack. A custom resource requires one property, the service token, which tells AWS CloudFormation where to send its requests. In this case the service token is the ARN of the Lambda function created above, and the resource is declared in the template as follows.

Here, the service token is the Lambda function ARN. When you create, update or delete a stack from this template, CloudFormation sends a request to the Lambda function, and the logic for that request type (RequestType of Create, Update or Delete) is executed. The Lambda function uses the send method of the cfn-response module to return a response object to the custom resource via the pre-signed ResponseURL in the request. In the Node.js cfn-response module, send ends the function, so anything written after it is ignored; the Python module only performs the HTTP PUT, but in either case the response should be the last thing the handler does, and a handler that neither succeeds nor fails will leave the stack waiting until CloudFormation times out.
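The handler logic described above, written out as an added example for this post (it is not the author's embedded gist). It assumes the three Resource Properties listed earlier, uses boto3's ssm client only when a real client is not injected, and performs the cfn-response PUT with urllib so the Create/Update/Delete paths can be exercised offline with a stub client:

```python
"""Added example: Lambda handler for a CloudFormation custom resource that
manages SSM SecureString parameters. Not the post author's code. boto3 is
imported inside handler() so the rest can run offline with a stub client."""
import json
import urllib.request

STANDARD_PARAM_LIMIT = 4096  # standard parameters allow values up to 4 KB


def parse_list(value):
    """Normalise a CommaDelimitedList property. CloudFormation hands a !Ref'd
    CommaDelimitedList over as a list and a literal as a string, so accept both.
    Items are trimmed, so a value cannot contain a comma or start/end with
    whitespace; that is an inherent limit of the comma-delimited design."""
    items = value if isinstance(value, list) else str(value).split(",")
    return [item.strip() for item in items if item.strip()]


def validate(props):
    """Check the three required properties and return (keys, values, key_id)."""
    keys = parse_list(props.get("ParameterKeys", ""))
    values = parse_list(props.get("ParameterValues", ""))
    key_id = props.get("KmsKeyId")
    if not key_id:
        raise ValueError("KmsKeyId is required")
    if not keys or len(keys) != len(values):
        raise ValueError("ParameterKeys and ParameterValues must be non-empty and equal in length")
    if len(set(keys)) != len(keys):
        raise ValueError("ParameterKeys must be unique")
    for key in keys:
        if not key.startswith("/"):
            raise ValueError(f"parameter name must be fully qualified: {key}")
    for value in values:
        if len(value.encode("utf-8")) > STANDARD_PARAM_LIMIT:
            raise ValueError("value exceeds the 4 KB limit for standard parameters")
    return keys, values, key_id


def apply_request(ssm, request_type, props, old_props=None):
    """Create, update or delete the SecureString parameters; returns the names touched."""
    if request_type == "Delete":
        # Do not validate here: a missing KmsKeyId must never block stack deletion.
        keys = parse_list(props.get("ParameterKeys", ""))
        for key in keys:
            try:
                ssm.delete_parameter(Name=key)
            except ssm.exceptions.ParameterNotFound:
                pass  # already gone, e.g. rollback after a failed Create
        return keys
    keys, values, key_id = validate(props)
    if request_type == "Update" and old_props:
        # Keys dropped from the list on Update are deleted so the stack stays authoritative.
        for stale in set(parse_list(old_props.get("ParameterKeys", ""))) - set(keys):
            try:
                ssm.delete_parameter(Name=stale)
            except ssm.exceptions.ParameterNotFound:
                pass
    for name, value in zip(keys, values):
        ssm.put_parameter(Name=name, Value=value, Type="SecureString",
                          KeyId=key_id, Overwrite=True)
    return keys


def send_response(event, status, reason, physical_id, opener=urllib.request.urlopen):
    """PUT the custom-resource response to the pre-signed URL, as cfn-response does."""
    body = json.dumps({
        "Status": status, "Reason": reason, "PhysicalResourceId": physical_id,
        "StackId": event["StackId"], "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"], "Data": {},
    }).encode("utf-8")
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": "", "Content-Length": str(len(body))})
    opener(req)


def handler(event, context, ssm=None, opener=urllib.request.urlopen):
    """Lambda entry point. Never log `event`: ResourceProperties holds the plaintext secrets."""
    if ssm is None:
        import boto3
        ssm = boto3.client("ssm")
    props = event.get("ResourceProperties", {})
    # A stable physical ID keeps CloudFormation from issuing a Delete for the "old" resource on Update.
    physical_id = event.get("PhysicalResourceId") or f"ssm-securestring-{event['LogicalResourceId']}"
    try:
        names = apply_request(ssm, event["RequestType"], props, event.get("OldResourceProperties"))
        send_response(event, "SUCCESS", "ok", physical_id, opener)
        return {"Status": "SUCCESS", "PhysicalResourceId": physical_id, "Names": names}
    except Exception as exc:  # any failure must still be reported, or the stack hangs
        send_response(event, "FAILED", str(exc), physical_id, opener)
        return {"Status": "FAILED", "PhysicalResourceId": physical_id, "Reason": str(exc)}
```

Two design points worth noting: the Delete path skips validation so that a stack can always be torn down, and the returned PhysicalResourceId is fixed per logical resource, so an Update changing the key list does not trigger an extra Delete request for a previous physical ID. Stale keys removed from ParameterKeys are cleaned up inside the Update path instead.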

The service token must be from the same region in which you are creating the stack.

You can use this Lambda function as a custom resource in a CloudFormation template alongside other resources. This lets a single template create every type of configuration parameter in Parameter Store together with the resources that consume them. Best practice is to automate all deployments with AWS CloudFormation, and although CloudFormation does not support creating a few resource types natively, Lambda-backed custom resources provide a powerful extension point for them.

This post has shown how to automate creation of SecureString parameters in AWS Systems Manager Parameter Store via AWS CloudFormation.


Nanthan Rasiah

Ex. AWS APN Ambassador | Architect | AWS Certified Pro | GCP Certified Pro | Azure Certified Expert | AWS Certified Security & Machine Learning Specialty