5
votes

I would like to stick to a policy of "all infrastructure is code". However, I can't see a way to do that for secrets with CloudFormation.

SecretsManager requires that you specify the SecretString in plain text. Even if you inject a decrypted value from somewhere, the plain text string shows up in the CF console in the template view :/

It is also impossible to use encrypted strings in SSM. The docs say, "AWS CloudFormation doesn't support creating a SecureString parameter type."

Is there really no way to use CloudFormation to securely manage secrets as code?


1 Answer

4
votes

You can use the Secret resource in CloudFormation to create SecretsManager secrets. There is a way to generate a value in the SecretString (which uses the GenerateRandomPassword API). Look at the GenerateSecretString property.

That should help you with generating a password without hardcoding it in a template.

There is also a RotationSchedule resource to help you set up automatic rotation for your secret.

To use the secret values stored in a SecretsManager secret or Parameter Store parameter, use dynamic references. Dynamic refs guarantee that the secret value is not logged in CFN or displayed in the console.

There is no way to create/generate a SecureString parameter in Parameter Store/Systems Manager currently.
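The pattern the answer describes, put together as one template. This is an added example, not code from the question or the answer: it generates the database password with `GenerateSecretString`, consumes it through `{{resolve:secretsmanager:...}}` dynamic references, attaches the secret to the database, and turns on rotation with the AWS-hosted rotation Lambda. The secret name, username default and instance sizing are constructed placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Constructed example: generate a database password in Secrets Manager and
  consume it via dynamic references, so no plaintext secret appears in the
  template, the console template view, or stack events.

Parameters:
  DbUsername:
    Type: String
    Default: appadmin          # constructed placeholder; the username is not a secret

Resources:
  # Secrets Manager generates the password server-side. The template only
  # carries the non-secret JSON skeleton; the "password" key is filled in by
  # the GetRandomPassword API when the stack is created.
  DbSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: example/app/db-credentials        # constructed name
      Description: Generated master credentials for the example database
      GenerateSecretString:
        SecretStringTemplate: !Sub '{"username": "${DbUsername}"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'             # characters RDS rejects in passwords

  # Dynamic references are resolved by CloudFormation at deploy time and are
  # never written back into the template or the console.
  Database:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: "20"
      MasterUsername: !Sub '{{resolve:secretsmanager:${DbSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DbSecret}:SecretString:password}}'

  # Records host/port/engine in the secret so the rotation function can reach
  # the database without those values being hardcoded anywhere.
  DbSecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DbSecret
      TargetId: !Ref Database
      TargetType: AWS::RDS::DBInstance

  # Rotate every 30 days with the AWS-provided single-user MySQL rotation Lambda.
  # Rotation must depend on the attachment, otherwise the first rotation runs
  # before the connection details are present in the secret.
  DbSecretRotation:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: DbSecretAttachment
    Properties:
      SecretId: !Ref DbSecret
      HostedRotationLambda:
        RotationType: MySQLSingleUser
      RotationRules:
        AutomaticallyAfterDays: 30
```

Two practical points. First, a dynamic reference keeps the value out of the template, but the resolved value is still handed to whatever property you put it in, so use it only in properties that AWS already treats as sensitive (such as `MasterUserPassword`), not in `Outputs`, `Metadata`, Lambda environment variables or instance user data, where it would be readable again. Second, the `{{resolve:ssm-secure:...}}` form works the same way for an existing Parameter Store SecureString, but, as the answer notes, the parameter itself has to be created outside CloudFormation, and that reference is only accepted on a fixed list of resource properties.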