4
votes

From the CFN docs I can see that I can create an AWS::SSM::Parameter. I also see how I can create a KMS Master Key.

However the type parameter on the SSM:Parameter in the doc page does not list the secure string type.

Is there a way that I can do the following in a CloudFormation template:

1) create KMS Key
2) use KMS key to encrypt a param
3) pull that param in User-Data for an EC2 instance

I will be running the CFN template from a Jenkins job with the value of the param in a jenkins password parameter. I can also set "NoEcho": true on the template's parameter so it's not echoed in the CloudFormation console.


2 Answers

1
votes

Support for this has been added so you no longer need to use a custom resource. You have to use a dynamic reference to a secure parameter.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html

Using this feature you can add {{resolve:ssm-secure:parameter-name:version}} to your user data within a Fn::Join CF intrinsic.

As of April 2019, secure strings are not available as a parameter type in CloudFormation templates; however, the documentation states that CloudFormation will support the Parameter Store ‘SecureString’ type in a later release.

https://aws.amazon.com/blogs/mt/integrating-aws-cloudformation-with-aws-systems-manager-parameter-store/
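A template covering the three steps in the question, as an added example that is not part of the original answer. One caveat from the linked docs page: ssm-secure dynamic references resolve only in a short list of resource properties (database and directory passwords and the like), and EC2 UserData is not on that list, so this example instead gives the instance role ssm:GetParameter on one parameter path plus kms:Decrypt on the stack's key, and the instance fetches the value at boot. The resource names, the parameter path /example/app/db-password and the AMI lookup are assumptions; the SecureString itself is created outside the template, for example by the Jenkins job running aws ssm put-parameter --type SecureString --key-id with the KeyId this stack outputs.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not from the original answer): a KMS key, an instance role that
  may read and decrypt one SecureString, and an EC2 instance that fetches it at boot.

Parameters:
  SecretParameterName:
    Type: String
    Default: /example/app/db-password   # assumed path; created by the Jenkins job
  LatestAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2

Resources:
  SecretKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Encrypts the application secret in Parameter Store
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          # Account root gets full control so IAM policies below can grant kms:Decrypt.
          - Sid: AccountRootAdmin
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: '*'

  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ReadOneSecret
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Least privilege: exactly one parameter path and exactly one key.
              - Effect: Allow
                Action: ssm:GetParameter
                Resource: !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter${SecretParameterName}
              - Effect: Allow
                Action: kms:Decrypt
                Resource: !GetAtt SecretKey.Arn

  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref InstanceRole]

  AppInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LatestAmiId
      InstanceType: t3.micro
      IamInstanceProfile: !Ref InstanceProfile
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          set -euo pipefail
          # Decrypt at boot with the instance role. The plaintext never appears in the
          # template, the stack events or the console; do not enable set -x here.
          SECRET=$(aws ssm get-parameter \
            --region ${AWS::Region} \
            --name "${SecretParameterName}" \
            --with-decryption \
            --query Parameter.Value --output text)
          umask 077                      # file is created 0600
          mkdir -p /etc/app
          printf '%s' "$SECRET" > /etc/app/secret

Outputs:
  KeyId:
    Description: Pass to 'aws ssm put-parameter --type SecureString --key-id'
    Value: !Ref SecretKey
```

The check worth running after the stack is up: from the instance, aws ssm get-parameter --with-decryption on the configured path should succeed, while the same call on any other path, or aws ssm get-parameters-by-path, should be denied, which confirms the role carries only the one GetParameter grant. Note that a SecureString created out of band must be written with the KeyId from the stack output, otherwise the instance's kms:Decrypt grant is for the wrong key and the boot script fails.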

0
votes

There seems to be a way to use a custom resource, in combination with a Lambda function, to do this.
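One way to build that custom resource, as an added example that is not code from the original answer: an inline Lambda function that writes the stack's NoEcho parameter value to Parameter Store as a SecureString under an existing KMS key, and deletes it when the stack is deleted. The parameter path, the resource names and the assumption that the key already exists (it is passed in as KeyArn) are mine. The value still travels through CloudFormation and the Lambda invocation as a custom-resource property, so the handler deliberately never logs the event and never puts the value into a failure reason.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not from the original answer): a Lambda-backed custom resource
  that creates a SecureString parameter encrypted with an existing KMS key.

Parameters:
  SecretParameterName:
    Type: String
    Default: /example/app/db-password   # assumed path
  SecretValue:
    Type: String
    NoEcho: true                        # supplied by the Jenkins password parameter
  KeyArn:
    Type: String                        # assumed: ARN of an existing KMS key

Resources:
  SecureParameterRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: WriteOneSecureString
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: [ssm:PutParameter, ssm:DeleteParameter]
                Resource: !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter${SecretParameterName}
              - Effect: Allow
                Action: [kms:Encrypt, kms:GenerateDataKey]
                Resource: !Ref KeyArn

  SecureParameterFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt SecureParameterRole.Arn
      Timeout: 30
      Code:
        ZipFile: |
          import boto3
          import cfnresponse  # bundled with inline (ZipFile) Lambda code

          ssm = boto3.client("ssm")

          def handler(event, context):
              # Never log `event`: ResourceProperties carries the plaintext value.
              props = event["ResourceProperties"]
              name = props["Name"]
              try:
                  if event["RequestType"] in ("Create", "Update"):
                      ssm.put_parameter(Name=name, Value=props["Value"],
                                        Type="SecureString", KeyId=props["KeyId"],
                                        Overwrite=True)
                  else:  # Delete, also sent for the old name after a rename
                      try:
                          ssm.delete_parameter(Name=name)
                      except ssm.exceptions.ParameterNotFound:
                          pass
                  # The name is the physical ID, so renaming creates then deletes.
                  cfnresponse.send(event, context, cfnresponse.SUCCESS,
                                   {"Name": name}, physicalResourceId=name)
              except Exception as exc:
                  # Reason is shown in stack events; keep the value out of it.
                  cfnresponse.send(event, context, cfnresponse.FAILED, {},
                                   physicalResourceId=name, reason=type(exc).__name__)

  DbPasswordParameter:
    Type: Custom::SecureStringParameter
    Properties:
      ServiceToken: !GetAtt SecureParameterFunction.Arn
      Name: !Ref SecretParameterName
      Value: !Ref SecretValue
      KeyId: !Ref KeyArn

Outputs:
  ParameterName:
    Value: !GetAtt DbPasswordParameter.Name
```

Two things to check before relying on this: the Lambda's CloudWatch log group must contain nothing but the default START/END/REPORT lines after a create, and the IAM policy above should be the only principal other than the account root that can write to that parameter path, since anyone who can PutParameter with Overwrite can replace the secret the instances read.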