
006 - Use AWS Parameter Store for Secrets

Date: 2020-07-01

Status

✅ Accepted

Context

There is a need to store infrastructure secrets securely in the PTTP programme. Typical examples of secrets include API keys to reference external services, and AWS account IDs.

Decision

Use AWS SSM Parameter Store.

- Aligned with MoJ Security Guidance
- Compatible with AWS services, e.g. CodePipeline
- Can easily be extended to AWS Secrets Manager later if required
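The following is an added example, not code from the ADR or the PTTP programme, showing the shape a Parameter Store secrets helper takes: secrets are written as `SecureString` parameters encrypted by a KMS key, read back with `WithDecryption=True`, and readers are granted only `ssm:GetParameter*` on one environment's path plus `kms:Decrypt` on that key. The `/pttp/<env>/...` hierarchy, the `alias/pttp-secrets` key alias and the `FakeSsm` stand-in are assumptions made for this example so that it runs offline; in production the `ssm` argument is `boto3.client("ssm")`.

```python
"""Read and write secrets in AWS SSM Parameter Store as KMS-encrypted SecureStrings.

Assumed for this example (not from the ADR): the `/pttp/<env>/...` parameter
hierarchy and the KMS key alias `alias/pttp-secrets`.
"""
import re
from typing import Any, Dict

SECRET_PREFIX = "/pttp/"  # assumed hierarchy; IAM is scoped to this path
NAME_PATTERN = re.compile(r"^/[A-Za-z0-9_./-]+$")  # characters SSM accepts in a name


def _validate_name(name: str) -> None:
    """Reject names outside the agreed hierarchy or containing unexpected characters."""
    if not name.startswith(SECRET_PREFIX) or not NAME_PATTERN.match(name):
        raise ValueError(f"secret name must be under {SECRET_PREFIX}: {name!r}")


def put_secret(ssm, name: str, value: str, kms_key_id: str = "alias/pttp-secrets") -> int:
    """Store `value` as a SecureString encrypted with `kms_key_id`; return the new version.

    `ssm` is a boto3 SSM client (boto3.client("ssm")) or a compatible stand-in.
    """
    _validate_name(name)
    resp = ssm.put_parameter(
        Name=name, Value=value, Type="SecureString", KeyId=kms_key_id, Overwrite=True
    )
    return resp["Version"]


def get_secret(ssm, name: str) -> str:
    """Fetch and decrypt a secret; refuse to treat a plaintext `String` parameter as one."""
    _validate_name(name)
    param = ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]
    if param["Type"] != "SecureString":
        raise RuntimeError(f"{name} is stored as {param['Type']}, not SecureString")
    return param["Value"]


def reader_policy(region: str, account_id: str, env: str, kms_key_arn: str) -> Dict[str, Any]:
    """Least-privilege IAM policy for a workload that only reads one environment's secrets."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
                "Resource": f"arn:aws:ssm:{region}:{account_id}:parameter{SECRET_PREFIX}{env}/*",
            },
            {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": kms_key_arn},
        ],
    }


class FakeSsm:
    """In-memory stand-in for the boto3 SSM client so the example runs offline.

    It mimics the response shapes of put_parameter/get_parameter but performs no
    encryption; real SecureStrings are encrypted by KMS on the AWS side.
    """

    def __init__(self) -> None:
        self._store: Dict[str, Dict[str, Any]] = {}

    def put_parameter(self, **kw):
        version = self._store.get(kw["Name"], {}).get("Version", 0) + 1
        self._store[kw["Name"]] = {
            "Name": kw["Name"], "Type": kw["Type"], "Value": kw["Value"], "Version": version
        }
        return {"Version": version, "Tier": "Standard"}

    def get_parameter(self, **kw):
        if kw["Name"] not in self._store:
            raise KeyError(kw["Name"])  # boto3 raises ssm.exceptions.ParameterNotFound here
        return {"Parameter": dict(self._store[kw["Name"]])}


if __name__ == "__main__":
    client = FakeSsm()
    put_secret(client, "/pttp/dev/external-api/key", "constructed-example-key")
    print(get_secret(client, "/pttp/dev/external-api/key"))
```

The `SecureString` type check in `get_secret` is the practical safeguard: a parameter created by hand as type `String` is stored and logged in plaintext, and failing loudly is better than silently consuming it as a secret.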

Alternative Considerations:

AWS Secrets Manager

AWS Secrets Manager has the ability to automatically rotate secrets for AWS RDS access. AWS Secrets Manager has a higher cost than AWS SSM Parameter Store.

HashiCorp Vault

HashiCorp Vault is an open-source secret management solution. In order to use it we would have to host and manage an instance of the service ourselves. The cost of hosting, as well as the time to ensure data has appropriate backups, gives this service a high maintenance cost and overhead.

This page was last reviewed on 15 April 2024. It needs to be reviewed again on 15 October 2024 by the page owner #nvvs-devops.