I have executed PutParameter using the .NET AWS SDK like so:
    using (var client =
        new AmazonSimpleSystemsManagementClient(_key, _secret, _region))
    {
        await client.PutParameterAsync(new PutParameterRequest
        {
            Name = "MyBlah",
            Overwrite = true,
            KeyId = keyId,
            Value = "Blah",
            Type = ParameterType.SecureString
        });
    }
I can see my data in the console.
However, when I click on 'show' I can see the value in plaintext:
How can I hide this from users but still let them see that there is a value there?
Overview
To be able to read the value of a Parameter, the user needs access to the following action: ssm:GetParameters (as well as Decrypt access on the encrypting KMS key, by default aws/ssm).
Avoiding Permission
If you are using Least Privilege to grant access to your users, ensure that they aren't given access to the ssm:GetParameters action.
Denying Permission
Although Least Privilege is recommended in many places, most example permissions are overly permissive. If you can't avoid giving a permission, you can add an explicit Deny to any users you don't want retrieving the values.
The following policy, if attached to a User/Role, should block access to reading the value of a parameter.
    {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "ssm:GetParameters",
            "Resource": "*"
        }]
    }
Deny Decryption
Since viewing a SecureString depends on decrypting using KMS, you can also deny decryption:
    {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "kms:Decrypt",
            "Resource": "[key arn]"
        }]
    }
where you replace [key arn] with the KMS Key, or * to block decryption with any keys.
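An added example, not part of the original answer: a simplified IAM evaluator that lists which value-returning SSM actions a policy set still allows, so a Deny can be checked against ssm:GetParameter, ssm:GetParametersByPath and ssm:GetParameterHistory as well as ssm:GetParameters, while ssm:DescribeParameters (metadata only) stays available. It assumes identity policies only, with no Condition, NotAction, permission boundaries or SCPs; the ARN, the account id, BROAD_ALLOW and FULL_DENY are constructed for illustration.

```python
import re

# SSM actions that return parameter values; ssm:DescribeParameters returns metadata only.
VALUE_ACTIONS = ["ssm:GetParameter", "ssm:GetParameters",
                 "ssm:GetParametersByPath", "ssm:GetParameterHistory"]

def _listify(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one character."""
    for pattern in _listify(patterns):
        rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0):
            return True
    return False

def decision(policies, action, resource):
    """Simplified evaluation: an explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in _listify(policy["Statement"]):
            if (_matches(stmt["Action"], action, ignore_case=True)
                    and _matches(stmt["Resource"], resource)):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def readable_via(policies, parameter_arn):
    """Value-returning SSM actions the policy set still allows on parameter_arn."""
    return [a for a in VALUE_ACTIONS if decision(policies, a, parameter_arn) == "Allow"]

# Constructed sample data: placeholder account id and a broad Allow of the kind
# the answer calls overly permissive.
PARAM_ARN = "arn:aws:ssm:us-east-1:111122223333:parameter/MyBlah"
BROAD_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:*", "Resource": "*"}]}
# The Deny policy exactly as posted in the answer.
POSTED_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ssm:GetParameters", "Resource": "*"}]}
# Assumed variant for this example: deny every value-returning action.
FULL_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": VALUE_ACTIONS, "Resource": "*"}]}

if __name__ == "__main__":
    for name, deny in (("posted", POSTED_DENY), ("full", FULL_DENY)):
        policies = [BROAD_ALLOW, deny]
        print(name, "still readable via:", readable_via(policies, PARAM_ARN))
        print(name, "DescribeParameters:", decision(policies, "ssm:DescribeParameters", "*"))
```

Run it against the policies actually attached to the user or role; anything `readable_via` returns is an action the Deny statement does not yet cover.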