Different Ways of Passing Parameters Securely in CloudFormation


Last updated on April 27, 2023

Introduction

When writing CloudFormation templates, it is a security best practice to avoid hardcoding sensitive information such as client secrets, API keys, or passwords. A template that is shared with hardcoded secrets, even by mistake, puts your infrastructure and data at risk. In this article, we'll explore different secure methods of passing parameters to CloudFormation templates.

Using the NoEcho Attribute

To avoid hardcoding values in your template, you can define them in the Parameters section and supply them during stack creation. However, these values are still visible in plaintext in the Console. To mask critical data, use the NoEcho attribute. NoEcho offers a simple yet effective way to pass sensitive parameters to a CloudFormation template without displaying them.


When you set the NoEcho attribute to true, CloudFormation redacts the parameter value by displaying asterisks (***) in the Console and in API responses. This keeps the value hidden from anyone whose access is limited to DescribeStacks* permissions.


Cons:

  • CloudFormation does not mask information included in the Metadata and Outputs sections, so a NoEcho parameter that is referenced there is exposed in plaintext.
  • NoEcho does not encrypt the parameter value or protect it from anyone who has permission to access the CloudFormation stack.
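The first con above is easy to violate by accident: a template author adds a NoEcho parameter and later builds a connection string in Outputs with Fn::Sub. The following check, added here as an example and not part of the original article, walks a template (loaded as a dict, for instance from json.load) and reports every NoEcho parameter that is rendered through Ref or Fn::Sub inside Metadata or Outputs. The template in SAMPLE_TEMPLATE is constructed for the demonstration.

```python
"""Lint a CloudFormation template for NoEcho parameters that leak into Outputs or Metadata."""
import re

# Constructed sample template (not from the article): one NoEcho parameter,
# one ordinary parameter, and Metadata/Outputs sections that echo the secret back.
SAMPLE_TEMPLATE = {
    "Parameters": {
        "DBPassword": {"Type": "String", "NoEcho": True},
        "DBUser": {"Type": "String"},
    },
    "Resources": {
        "Database": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {
                "MasterUsername": {"Ref": "DBUser"},
                "MasterUserPassword": {"Ref": "DBPassword"},
            },
        }
    },
    "Metadata": {"Debug": {"Fn::Sub": "pw=${DBPassword}"}},
    "Outputs": {
        "ConnectionString": {"Value": {"Fn::Sub": "postgres://${DBUser}:${DBPassword}@host/db"}},
        "User": {"Value": {"Ref": "DBUser"}},
    },
}

# Variables interpolated by Fn::Sub look like ${Name}; pseudo parameters such as
# ${AWS::Region} are matched too but filtered out because they are not in Parameters.
SUB_VAR = re.compile(r"\$\{([A-Za-z0-9:]+)\}")


def noecho_parameters(template):
    """Names of parameters declared with NoEcho set to true (boolean or string form)."""
    params = template.get("Parameters", {})
    return {name for name, spec in params.items()
            if str(spec.get("NoEcho", "false")).lower() == "true"}


def referenced_parameters(node, names):
    """Recursively collect names from `names` that are referenced via Ref or Fn::Sub under node."""
    found = set()
    if isinstance(node, dict):
        if node.get("Ref") in names:
            found.add(node["Ref"])
        if "Fn::Sub" in node:
            sub = node["Fn::Sub"]
            text = sub[0] if isinstance(sub, list) else sub  # list form is [string, {Var: value}]
            found.update(v for v in SUB_VAR.findall(text) if v in names)
        for value in node.values():
            found.update(referenced_parameters(value, names))
    elif isinstance(node, list):
        for item in node:
            found.update(referenced_parameters(item, names))
    return found


def find_noecho_leaks(template):
    """Return (section, entry, parameter) triples for every NoEcho parameter that is
    rendered into Metadata or Outputs, the two sections CloudFormation does not mask."""
    secret_names = noecho_parameters(template)
    leaks = []
    for section in ("Metadata", "Outputs"):
        for entry, body in template.get(section, {}).items():
            for param in sorted(referenced_parameters(body, secret_names)):
                leaks.append((section, entry, param))
    return leaks


if __name__ == "__main__":
    for section, entry, param in find_noecho_leaks(SAMPLE_TEMPLATE):
        print(f"{section}.{entry} exposes NoEcho parameter {param}")
```

Run against the sample, the check flags both Metadata.Debug and Outputs.ConnectionString while leaving the DBUser output alone; wire it into a pre-deployment pipeline step so a template that would print a secret through DescribeStacks never reaches a stack.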

Using Dynamic References

The recommended way of passing sensitive parameters to a CloudFormation template is through dynamic references. Instead of typing sensitive values in during stack creation, you store them first in AWS Secrets Manager or Systems Manager Parameter Store. A dynamic reference then lets CloudFormation retrieve and resolve them at runtime.

A dynamic reference is enclosed in double curly braces and starts with the `resolve` keyword, followed by the reference key name (the service) and the name of the parameter or secret. Optionally, you may specify a particular version of the parameter as well. This matters when you modify parameter values, such as updating API keys or rotating secrets: CloudFormation is not aware of changes made to the underlying parameter, so you must update the version in the reference in your template and then perform a stack update for the new value to take effect.

CloudFormation supports the following reference key names:

  1. ssm (plaintext values stored in SSM Parameter Store)
    • {{resolve:ssm:parameter-name:version}}
    • ideal for non-sensitive application configuration data such as endpoints, user
  2. ssm-secure (secure strings stored in SSM Parameter Store)
    • {{resolve:ssm-secure:parameter-name:version}}
    • ideal for sensitive application configuration data such as OAuth secrets, API keys, license codes
  3. secretsmanager (secret values stored in Secrets Manager)
    • {{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}}
    • ideal for database credentials
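The three reference forms above share one shape but differ in their positional fields, and the versioning caveat from the previous section means templates are routinely edited to point at a new version. The following parser and rewriter, added here as an example and not part of the original article, validates a dynamic reference against those field lists, inventories every reference in a template body, and bumps the version of an ssm or ssm-secure reference so the stack update picks up a rotated value. The template text in SAMPLE_TEMPLATE, its parameter names and the account number in the ARN are constructed; the handling of a Secrets Manager ARN as a single secret-id (it contains colons of its own) is this example's own logic.

```python
"""Parse, list and re-version CloudFormation dynamic references ({{resolve:...}})."""
import re
from dataclasses import dataclass

DYNAMIC_REF = re.compile(r"\{\{resolve:([a-z-]+):(.*?)\}\}")

# Positional fields CloudFormation defines for each reference key name.
FIELDS = {
    "ssm": ("parameter-name", "version"),
    "ssm-secure": ("parameter-name", "version"),
    "secretsmanager": ("secret-id", "secret-string", "json-key", "version-stage", "version-id"),
}

# Constructed sample template (not from the article); parameter names and account id are made up.
SAMPLE_TEMPLATE = """
Resources:
  Database:
    Type: AWS::RDS::DBInstance
    Properties:
      MasterUsername: '{{resolve:ssm:/app/db/user:1}}'
      MasterUserPassword: '{{resolve:ssm-secure:/app/db/password:3}}'
  Cache:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      AuthToken: '{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-1:111122223333:secret:CacheToken-AbCdEf:SecretString:token}}'
"""


@dataclass
class DynamicRef:
    service: str   # ssm, ssm-secure or secretsmanager
    fields: dict   # positional fields by name; absent fields are ""


def parse_dynamic_ref(text):
    """Validate one {{resolve:...}} string and split it into its named fields."""
    m = DYNAMIC_REF.fullmatch(text)
    if not m:
        raise ValueError(f"not a dynamic reference: {text!r}")
    service, rest = m.group(1), m.group(2)
    if service not in FIELDS:
        raise ValueError(f"unsupported reference key name: {service}")
    parts = rest.split(":")
    if service == "secretsmanager" and parts[0] == "arn":
        # A Secrets Manager ARN (arn:aws:secretsmanager:region:account:secret:name)
        # spans seven colon-separated pieces; keep it as a single secret-id field.
        parts = [":".join(parts[:7])] + parts[7:]
    names = FIELDS[service]
    if len(parts) > len(names):
        raise ValueError(f"too many fields for {service}: {text}")
    fields = {name: (parts[i] if i < len(parts) else "") for i, name in enumerate(names)}
    if not fields[names[0]]:
        raise ValueError("parameter-name / secret-id is required")
    return DynamicRef(service, fields)


def find_dynamic_refs(template_text):
    """Every dynamic reference in a template body, in document order."""
    return [parse_dynamic_ref(m.group(0)) for m in DYNAMIC_REF.finditer(template_text)]


def update_ssm_version(template_text, parameter_name, new_version):
    """Point every ssm / ssm-secure reference to parameter_name at new_version.
    CloudFormation does not notice a changed Parameter Store value on its own, so after
    storing the new version you rewrite the reference and run a stack update."""
    def repl(m):
        ref = parse_dynamic_ref(m.group(0))
        if ref.service in ("ssm", "ssm-secure") and ref.fields["parameter-name"] == parameter_name:
            return f"{{{{resolve:{ref.service}:{parameter_name}:{new_version}}}}}"
        return m.group(0)
    return DYNAMIC_REF.sub(repl, template_text)


if __name__ == "__main__":
    for ref in find_dynamic_refs(SAMPLE_TEMPLATE):
        print(ref.service, ref.fields)
    print(update_ssm_version(SAMPLE_TEMPLATE, "/app/db/password", 4))
```

The inventory doubles as a review aid: any plaintext `ssm` reference whose parameter name suggests a credential, or a `secretsmanager` reference with no version-id in a pipeline that expects pinned versions, shows up in one place instead of being hunted through the template by hand.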

How to use a dynamic reference?

Here's a common pattern for using a dynamic reference when creating CloudFormation stacks.

Let's say you are building a stack for an application made up of a Lambda function and an RDS database. To keep the database credentials from being exposed, you wouldn't store them in plaintext in the template, in the function code, or in the function's environment variables. Instead, you store the credentials as a secret in AWS Secrets Manager and reference it in your template via the built-in secretsmanager reference key.


You can pass the secret name (in this example, “DBcreds”) as an environment variable to the Lambda function.


The Lambda function can then retrieve the secret value from AWS Secrets Manager at runtime using the GetSecretValue API.
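The handler below is an added example of that runtime retrieval, not code from the article. It reads the secret name (such as "DBcreds") from an environment variable, calls GetSecretValue through boto3, parses the JSON secret string and caches the parsed credentials for warm invocations so the secret is fetched once per execution environment rather than on every request. The environment variable name DB_SECRET_NAME and the JSON keys username, password, host, port and dbname are assumptions for the example; the client parameter exists so the retrieval logic can be exercised offline with a stand-in client.

```python
"""Lambda handler that loads database credentials from Secrets Manager at runtime."""
import json
import os

_client = None   # Secrets Manager client, created once per execution environment
_cache = {}      # secret name -> parsed credentials, reused by warm invocations


def get_client():
    """Create the boto3 Secrets Manager client lazily (boto3 is present in the Lambda runtime)."""
    global _client
    if _client is None:
        import boto3  # imported here so the module loads without the SDK installed
        _client = boto3.client("secretsmanager")
    return _client


def load_db_credentials(secret_name, client=None):
    """Fetch the secret with GetSecretValue and return the fields the app needs.
    `client` is an injection point for tests; production code leaves it None."""
    if secret_name in _cache:
        return _cache[secret_name]
    client = client or get_client()
    response = client.get_secret_value(SecretId=secret_name)
    # Secrets created in the Console as key/value pairs arrive as a JSON string in SecretString.
    payload = json.loads(response["SecretString"])
    # Assumed key names for this example; keep only what the function needs.
    creds = {k: payload[k] for k in ("username", "password", "host", "port", "dbname") if k in payload}
    missing = {"username", "password"} - set(creds)
    if missing:
        raise KeyError(f"secret {secret_name} lacks required keys: {sorted(missing)}")
    _cache[secret_name] = creds
    return creds


def handler(event, context):
    """Lambda entry point: resolve credentials, then (not shown) open the database connection."""
    secret_name = os.environ["DB_SECRET_NAME"]   # assumed variable name; the template sets it
    creds = load_db_credentials(secret_name)
    # Connect to the database with creds here. Never log or return creds["password"].
    return {"statusCode": 200,
            "body": json.dumps({"db_host": creds.get("host"), "user": creds["username"]})}
```

The function's execution role needs secretsmanager:GetSecretValue on that one secret's ARN and nothing broader; with that scoped policy, the secret value never appears in the template, the stack's parameters, or the function's configuration, only in the function's memory.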

Written by: Carlo Acebedo

Carlo is a cloud engineer and a content creator at Tutorials Dojo. He is also a member of the AWS Community Builders program and holds 5 AWS Certifications. Carlo specializes in building and automating solutions in the Amazon Web Services Cloud.
