How AWS SSM Parameter Store Replaced HashiCorp Vault in our Client's Infrastructure
Oleksandr Abharian
Scaling eCommerce on AWS | AWS Retail Competency | Founder & CEO of IT-Magic - AWS Advanced Consulting Partner | Helping eCommerce Brands Scale, Cut Costs & Handle Peak Traffic on AWS
Today I’d like to tell you about a good alternative to HashiCorp Vault offered by Amazon Web Services that the IT-Magic team uses in projects and receives positive feedback about. As usual, I will use a real case for it.
Client's request
Our client requested an AWS infrastructure from scratch that had to be compliant with the PCI DSS standard.
Our solution
The IT-Magic team designed and implemented a cost-efficient and stable AWS infrastructure as the client had requested. Since their service used a lot of secrets and sensitive information, we also used a special service for the management of this data called HashiCorp Vault.
The client built their product from scratch, so the developers implemented our infrastructure solutions gradually on their end and HashiCorp Vault was one of the last services they were going to integrate into their code. By that time, we had already tried another service for storing sensitive data provided by Amazon called AWS Systems Manager Parameter Store.
Although HashiCorp Vault is often used to securely store variables, it can become a critical point in your infrastructure because it is difficult to maintain. If HashiCorp Vault is configured incorrectly and doesn’t have additional, correctly set up backups, you can lose your data. That is, Vault requires good skills to keep it up to date and provide timely support. This is why AWS SSM Parameter Store is a good native AWS alternative to a complicated third-party service like HashiCorp Vault. It is more secure than HashiCorp Vault and doesn’t require constant support from the team, as responsibility for its updates and maintenance lies solely with AWS.
Based on the feedback from other clients, we decided to present AWS SSM Parameter Store to this customer as well. The client’s application ran in Java containers and Java worked with variables from AWS SSM Parameter Store very well through various connectors and plugins available for that. So, the system showed good and stable performance with the integrated AWS Systems Manager Parameter Store and the development team liked it a lot.
As a result, we replaced HashiCorp Vault with AWS SSM Parameter Store. This increased the security of the system and made the work of the development team much easier. The application passed the PCI DSS audit and got the compliance certificate.
Benefits gained by the client:
General advantages of AWS SSM Parameter Store
AWS SSM Parameter Store can be used almost everywhere (in your code, in Terraform, and in CI). It is not necessary, for example, to store variables in GitLab, Jenkins, Bitbucket, GitHub, etc. You can pull them directly from your AWS account.
In addition, AWS SSM Parameter Store has an Amazon API that lets you pull variables to the storage very easily, with no extra effort from developers. Of course, they can fix these variables manually if needed. In general, the whole process is very convenient for programmers.
You can also copy variables through Boto3, which opens up a lot of opportunities for working with AWS SSM Parameter Store.
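The Boto3 access mentioned above, as an added example that is not from the original article or IT-Magic's code: it reads every parameter under a path prefix, follows pagination, and lists parameters stored as plain `String` rather than KMS-encrypted `SecureString`. The path `/shop/prod`, the values and the `FakeSSM` stand-in are constructed so the block runs offline; `get_parameters_by_path` and its arguments are the real SSM API.

```python
"""Load all parameters under a path prefix from SSM Parameter Store."""


def load_parameters(ssm, path):
    """Return ({short_name: value}, [names stored as plain String]).

    `ssm` is a boto3 SSM client, or any object exposing the same
    get_parameters_by_path method (which is how the demo runs offline).
    """
    values, plaintext = {}, []
    kwargs = {"Path": path, "Recursive": True, "WithDecryption": True}
    while True:
        page = ssm.get_parameters_by_path(**kwargs)
        for p in page["Parameters"]:
            key = p["Name"][len(path):].lstrip("/")
            values[key] = p["Value"]
            # Anything not stored as SecureString is not KMS-encrypted;
            # collect it so it can be reviewed for sensitive content.
            if p["Type"] != "SecureString":
                plaintext.append(p["Name"])
        token = page.get("NextToken")
        if not token:  # last page reached
            return values, plaintext
        kwargs["NextToken"] = token


class FakeSSM:
    """Constructed stand-in for boto3.client("ssm"), serving two pages."""
    PAGES = {
        None: {"Parameters": [
            {"Name": "/shop/prod/db/password", "Type": "SecureString",
             "Value": "constructed-pw"},
            {"Name": "/shop/prod/db/host", "Type": "String",
             "Value": "db.internal.example"},
        ], "NextToken": "page2"},
        "page2": {"Parameters": [
            {"Name": "/shop/prod/api/key", "Type": "SecureString",
             "Value": "constructed-key"},
        ]},
    }

    def get_parameters_by_path(self, **kwargs):
        return self.PAGES[kwargs.get("NextToken")]


if __name__ == "__main__":
    # Against a real account: import boto3; ssm = boto3.client("ssm")
    values, plaintext = load_parameters(FakeSSM(), "/shop/prod")
    print(sorted(values))   # print names only, never the secret values
    print(plaintext)
```

With a real client, the calling role needs `ssm:GetParametersByPath` on the path and `kms:Decrypt` on the key that encrypts the `SecureString` parameters.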
We at IT-Magic used to utilize different options before: Amazon S3 buckets, AWS Secrets Manager, or Vault. Now, if a client doesn’t ask for any specific storage, we use AWS Systems Manager Parameter Store by default.
Read more about it here: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html
If you have any related questions or you’re interested in the implementation of AWS SSM Parameter Store into your AWS infrastructure, message me and we will discuss it in detail.
DevOps Engineer | AWS Community Builder | Instructor | AWS UG Armenia Core Team Member
1 year ago
I love this! I was just doing some research about Vault and AWS Secrets Manager. Then, as my secrets don't need rotations, I decided to use SSM Parameter Store, plus your recommendations. Very nice article!