Amazon Web Services Parameter Store

AWS Parameter Store is not a LaSalle Software Feature!


The Amazon Web Services Parameter Store is not a LaSalle Software feature. So what is it doing here in my docs?

The reason: precisely because it is an independent place to store your APP_KEY!

You need to store your APP_KEY somewhere besides in your .env environment file.

The APP_KEY is used to encrypt your encrypted database fields, which means that the same APP_KEY is needed to decrypt those fields. No APP_KEY means no decryption, which means the encrypted string cannot be read, which means the data is lost. See my Re-Encrypting Encrypted Fields With A New APP_KEY feature.

Lost APP_KEY = lost data.

At the time of this writing, there is only one encrypted database field: the comments field of the websites database table.

So it's pretty handy to have your APP_KEYs stored somewhere. Absolutely do not commit your .env to your repositories! Don't have them lying around on your local computers/devices. Store your APP_KEYs in a special area, away from prying eyes, and physically apart from your day-to-day endeavours. Of course, I'm thinking of storing them in the cloud.

The only cloud provider I use for my application development is AWS. So, naturally, I'm going to recommend AWS. But is there an AWS service that suits our purposes? Yes, there is: the AWS Parameter Store service.

Warning


I am suggesting here to use the AWS Parameter Store feature for a use case for which it is not designed - probably! So be very careful!

I am suggesting here that you store your APP_KEY's value verbatim, in AWS Parameter Store.

The AWS Parameter Store's user guide states: "Do not store sensitive data in a String or StringList parameter. For all sensitive data that must remain encrypted, use only the SecureString parameter type".

However, in order to copy the stored APP_KEY value into your .env file, you need the APP_KEY's value stored as-is. Which is why I am suggesting you store it verbatim.

I need to store my own APP_KEY somewhere as a hedge against losing the data in my encrypted database fields. For me, this "somewhere" is in the AWS Parameter Store.

I assume that maintaining a separate AWS account solely for the purpose of using Parameter Store, not referencing individual parameters in the Parameter Store in anything you do, maintaining Best Practices for access to your AWS account, using the console only, and not having anything in IAM reference the parameter store, is sufficient for security. I could be wrong about these assumptions.

You have to do what is appropriate for your unique situation.

Storing an APP_KEY


Here is the AWS Parameter Store description:


The AWS Parameter Store pricing page says that "AWS Systems Manager Parameter Store consists of standard and advanced parameters. Standard parameters are available at no additional charge.":


To create a parameter, log into your AWS console and click into "Systems Manager". Then click "Parameter Store":


If you see the welcome page, click "Create parameter":


Fill in the boxes. Ensure that "Standard" and "String" are selected. "Data type" is "text". Tags are optional:


Now you have your APP_KEY saved in the Parameter Store:
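
A saved key is only a useful backup if it is the key your encrypted fields were actually written with, and that can be checked without decrypting anything. The following is an added example, not part of LaSalle Software: it assumes the APP_KEY is a Laravel-style key and that the encrypted field is a Laravel encrypter payload (base64 JSON with iv, value and mac); the function names and the sample key and field are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json

def parse_app_key(app_key: str) -> bytes:
    """Raw key bytes from an APP_KEY value exactly as it appears in .env."""
    app_key = app_key.strip()
    if not app_key.startswith("base64:"):
        key = app_key.encode()
    else:
        try:
            key = base64.b64decode(app_key[len("base64:"):], validate=True)
        except binascii.Error as exc:
            raise ValueError("APP_KEY is not valid base64 (truncated paste?)") from exc
    if len(key) not in (16, 32):  # AES-128 / AES-256 key lengths
        raise ValueError(f"APP_KEY decodes to {len(key)} bytes, expected 16 or 32")
    return key

def key_matches_field(app_key: str, encrypted_field: str) -> bool:
    """True if the field's MAC was made with app_key. Nothing is decrypted."""
    key = parse_app_key(app_key)
    try:
        payload = json.loads(base64.b64decode(encrypted_field, validate=True))
        signed = (payload["iv"] + payload["value"]).encode()
        mac = payload["mac"].encode()
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        raise ValueError("field is not an iv/value/mac payload") from exc
    expected = hmac.new(key, signed, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(expected, mac)

def constructed_field(key: bytes) -> str:
    """Build a sample payload (constructed data, not real ciphertext)."""
    iv = base64.b64encode(bytes(16)).decode()
    value = base64.b64encode(b"constructed, not real ciphertext").decode()
    mac = hmac.new(key, (iv + value).encode(), hashlib.sha256).hexdigest()
    body = json.dumps({"iv": iv, "value": value, "mac": mac})
    return base64.b64encode(body.encode()).decode()

# Constructed sample values for the demonstration.
BACKUP_KEY = "base64:" + base64.b64encode(bytes(range(32))).decode()
WRONG_KEY = "base64:" + base64.b64encode(bytes(range(1, 33))).decode()
FIELD = constructed_field(bytes(range(32)))

if __name__ == "__main__":
    print("backup key matches field:", key_matches_field(BACKUP_KEY, FIELD))
    print("wrong key matches field: ", key_matches_field(WRONG_KEY, FIELD))
```

Run the check with the value copied back out of the Parameter Store console and one stored value from the comments field of the websites table. A result of False, or a ValueError, means the saved copy is not the key that data needs.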