Ensure that all AWS Systems Manager (SSM) parameters that store sensitive information, such as passwords, database connection strings and license codes, are encrypted in order to meet security and compliance requirements. An encrypted SSM parameter (i.e. a configuration parameter with the type set to SecureString) holds sensitive data that must be stored and referenced in a secure manner. Encrypted SSM parameters can be used in the following scenarios:
When you need to use data/parameters across multiple AWS services without exposing the values as clear text in commands, functions, agent logs or CloudTrail logs.
When you want to control who has access to your sensitive configuration data.
When you want AWS-level encryption for your sensitive configuration data and you want to bring your own encryption keys (i.e. AWS KMS customer managed keys, CMKs) so that access to the values is also controlled by the key policy.
With encrypted AWS SSM parameters you can separate secrets and configuration data from code and common administration tasks while ensuring that only approved users have access to the protected parameter values. Note: only the value of the SSM parameter is encrypted. Parameter names, descriptions and other attributes are not encrypted, so never place sensitive data in them.
To determine whether the SSM parameters that hold sensitive information are encrypted within your AWS account, perform the following actions:
To encrypt existing AWS SSM parameters that store sensitive information, you need to re-create those parameters with the SecureString type. To re-create the necessary Amazon SSM resources, perform the following:
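The following is an added example, not part of the original page, that covers both the audit step above and the re-creation step. It runs offline against a constructed sample of what `aws ssm describe-parameters --output json` returns (that call never includes parameter values), flags parameters that are not SecureString but whose names look like they hold secrets, flags SecureString parameters that still use the AWS managed key `alias/aws/ssm` rather than a customer managed key, and generates the AWS CLI commands to re-create a flagged parameter as a SecureString under a CMK. The name patterns, the sample parameter names and the key alias `alias/prod-ssm` are assumptions for illustration; the CLI subcommands and flags are standard AWS CLI.

```python
import json
import re
import shlex
from typing import Dict, List

# Constructed sample of `aws ssm describe-parameters --output json`.
# (Assumption: field names follow the real API shape; values are never returned here.)
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Parameters": [
        {"Name": "/prod/db/password", "Type": "String", "Version": 3, "Tier": "Standard"},
        {"Name": "/prod/db/host", "Type": "String", "Version": 1, "Tier": "Standard"},
        {"Name": "/prod/app/license-code", "Type": "StringList", "Version": 2, "Tier": "Standard"},
        {"Name": "/prod/api/token", "Type": "SecureString", "KeyId": "alias/aws/ssm",
         "Version": 5, "Tier": "Standard"},
    ]
})

# Heuristic for names that usually carry secrets. This is an assumption for the
# example: tune it to your naming convention and review everything else by hand,
# because describe-parameters cannot tell you what a value actually contains.
SENSITIVE_NAME_RE = re.compile(
    r"(password|passwd|secret|token|api[-_]?key|license|private[-_]?key|connection[-_]?string)",
    re.IGNORECASE,
)

AWS_MANAGED_SSM_KEY = "alias/aws/ssm"


def find_unencrypted_sensitive(describe_json: str) -> List[Dict]:
    """Parameters that are String/StringList but whose name suggests a secret."""
    params = json.loads(describe_json)["Parameters"]
    return [p for p in params
            if p["Type"] != "SecureString" and SENSITIVE_NAME_RE.search(p["Name"])]


def find_default_key_securestrings(describe_json: str) -> List[Dict]:
    """SecureString parameters still encrypted with the AWS managed key instead of a CMK."""
    params = json.loads(describe_json)["Parameters"]
    return [p for p in params
            if p["Type"] == "SecureString" and p.get("KeyId", AWS_MANAGED_SSM_KEY) == AWS_MANAGED_SSM_KEY]


def remediation_commands(name: str, kms_key: str, region: str = "us-east-1") -> List[str]:
    """Shell commands that re-create `name` as a SecureString under `kms_key`.

    get-parameter --with-decryption is a no-op for String types, so the same read
    works for every flagged parameter. Caveats: delete + put loses the version
    history, tags and policies of the old parameter, and the plaintext is visible
    in the local process list while put-parameter runs.
    """
    q = shlex.quote
    return [
        f"VALUE=$(aws ssm get-parameter --region {q(region)} --name {q(name)} "
        f"--with-decryption --query Parameter.Value --output text)",
        f"aws ssm delete-parameter --region {q(region)} --name {q(name)}",
        f"aws ssm put-parameter --region {q(region)} --name {q(name)} "
        f"--type SecureString --key-id {q(kms_key)} --value \"$VALUE\"",
        "unset VALUE",
    ]


if __name__ == "__main__":
    for p in find_unencrypted_sensitive(SAMPLE_DESCRIBE_OUTPUT):
        print(f"NOT ENCRYPTED: {p['Name']} ({p['Type']})")
        print("\n".join(remediation_commands(p["Name"], "alias/prod-ssm")))
    for p in find_default_key_securestrings(SAMPLE_DESCRIBE_OUTPUT):
        print(f"AWS MANAGED KEY: {p['Name']} uses {p['KeyId']}")
```

After re-creating a parameter under a customer managed key, every principal that reads it with `GetParameter --with-decryption` also needs `kms:Decrypt` on that key, which is exactly the extra access control point the scenario above is after; expect consumers to break until their IAM policies and the key policy are updated.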