[00:00:00] Okay, now let's talk about another service that I find really amazing in AWS and that I've used all the time while I was doing consulting on AWS, which is called the SSM Parameter Store. So this is to securely store your configuration and secrets in AWS, and you can have optional encryption with KMS, so you can store your secrets, have them KMS-encrypted, directly from within the SSM Parameter Store. It is a serverless service, it's scalable, durable, and the SDK is super easy to use, so I would use it anytime you need to encrypt secrets, for example. You have versioning of your configuration and secrets. All your security for your configuration management is done using paths and IAM policies. You can get notifications with CloudWatch Events, integration with CloudFormation to police parameters, and so it's a very complete service, as we'll see in the hands-on.
[00:00:49] So at the most of its core, we have the applications and they have, for example, a parameter stored in the Parameter Store. So it could be a plain-text configuration, in which case, if we request that configuration, then the Parameter Store will check with IAM permissions to make sure that we can get them and then return them to us. Or we can also ask for encrypted configurations, in which case the Parameter Store will also ask with IAM but, on top of it, check the KMS permissions and, if so, call the Decrypt API from the KMS service to give us our decrypted secret.

[00:01:22] So here is a way to store your parameters in your Parameter Store. So you can create a hierarchy. For example, my department, underneath my app, then your dev environment and then the name of your config, for example, the DB URL. Maybe another secret, the DB password. And then maybe you have the dev environment, so you would also have the prod environment with the same DB URL and DB password config and secrets. Then if you have another application, then you could create another application in the hierarchy, and another department, and so on.
[00:01:54] So it's sort of like a folder structure that you know, for example, like a file system. And then you're also able, using the Parameter Store, to reference secrets from the Secrets Manager, as we'll see. And you're also able to reference parameters directly from AWS. For example, the last one here allows you to retrieve the latest AMI ID for Amazon Linux 2 from AWS, which is very handy.

[00:02:17] So if you have a Lambda function and it wants to access your dev parameters, then you would set an environment variable, and then the Lambda function would get your parameters, or get them by path, and retrieve them. And if you have a prod Lambda function with another environment variable, then it would automatically retrieve the prod values, and so this is how we could use, for example, Lambda and the Parameter Store.

[00:02:39] So we have two tiers of parameters in the Parameter Store. We have the standard tier and the advanced tier, and the standard tier is going to be free, the advanced tier is going to be paid. And so, for the standard tier, you have up to 10,000 parameters per account, which is a large amount of parameters.
[00:02:56] The maximum size is four kilobytes, and you don't have the parameter policies available, as we'll see in the next lecture. If you're using the advanced tier, then you get up to 100 thousand parameters. They can be up to eight kilobytes, you do get parameter policies, and you do have to pay for your parameters. So I have a feeling the exam is going to ask you to choose between the standard and advanced tiers for Parameter Store, but it's good to know when you go into the console.

[00:03:22] So what are these parameter policies? They're only for advanced parameters, and they allow you, for example, to assign a TTL, so a Time to Live, to a parameter, which effectively creates an expiration date, and the idea behind this is to force updating or deleting sensitive data such as passwords in your Parameter Store. And you can assign multiple policies at a time. So here are three examples: The first one is the Expiration, to delete a parameter. So in this example, I'm going to say hey, my parameter expires in December 2020.
[00:03:52] Then we have an ExpirationNotification, so you're saying hey, this one, send me a notification through CloudWatch Events 15 days before the expiration happens. And here is a NoChangeNotification. So this is saying, if my parameter hasn't been changed in 20 days, then send me a notification through CloudWatch Events. So this is the kind of policies you can attach to your advanced parameters to trigger some sort of automation and to force yourself to change them quite often.

[00:04:20] So that's it for the Parameter Store. I hope you liked it, and in the next lecture we'll get some practice to make it a bit more real.
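The hierarchy, the Lambda lookup by path with the environment variable selecting dev or prod, and the three advanced-tier policies described in this lecture, as an added Python example that is not part of the original lecture or course. The /my-department/my-app/<env>/ path, the FakeSsm stand-in and the sample values are constructed assumptions; the policy documents use the JSON shape the SSM put_parameter Policies argument accepts.

```python
import os


def load_config(ssm, env=None):
    """Fetch every parameter under one environment branch, following NextToken pages.
    ENV (dev or prod) selects the branch, as in the Lambda case from the lecture.
    WithDecryption=True makes SSM call KMS Decrypt for SecureString values, so the
    caller needs kms:Decrypt on the key as well as ssm:GetParametersByPath on the path."""
    path = f"/my-department/my-app/{env or os.environ.get('ENV', 'dev')}/"
    config, kwargs = {}, {"Path": path, "Recursive": True, "WithDecryption": True}
    while True:
        page = ssm.get_parameters_by_path(**kwargs)  # same call shape as boto3's SSM client
        for p in page["Parameters"]:
            config[p["Name"][len(path):]] = p["Value"]  # keep the leaf name, e.g. db-url
        if "NextToken" not in page:
            return config
        kwargs["NextToken"] = page["NextToken"]


def ttl_policies(expires_on, notify_before_days, no_change_days):
    """The three advanced-tier policies from the lecture, in the shape SSM expects
    (pass json.dumps() of this list as the Policies argument of put_parameter).
    expires_on is a YYYY-MM-DD date, taken as UTC midnight."""
    return [
        {"Type": "Expiration", "Version": "1.0",
         "Attributes": {"Timestamp": f"{expires_on}T00:00:00.000Z"}},
        {"Type": "ExpirationNotification", "Version": "1.0",
         "Attributes": {"Before": str(notify_before_days), "Unit": "Days"}},
        {"Type": "NoChangeNotification", "Version": "1.0",
         "Attributes": {"After": str(no_change_days), "Unit": "Days"}},
    ]


class FakeSsm:
    """Constructed stand-in for a boto3 SSM client so the example runs offline: it
    splits results over two pages and hides SecureString values without WithDecryption."""
    def __init__(self, params):
        self.params = params

    def get_parameters_by_path(self, Path, Recursive, WithDecryption, NextToken=None):
        hits = [{"Name": n, "Type": t,
                 "Value": v if WithDecryption or t != "SecureString" else "<ciphertext>"}
                for n, (t, v) in self.params.items() if n.startswith(Path)]
        if NextToken is None and len(hits) > 1:
            return {"Parameters": hits[:1], "NextToken": "page2"}
        return {"Parameters": hits[1:] if NextToken else hits}


SAMPLE_SSM = FakeSsm({  # constructed sample data laid out like the lecture's hierarchy
    "/my-department/my-app/dev/db-url": ("String", "dev.db.internal:5432"),
    "/my-department/my-app/dev/db-password": ("SecureString", "dev-secret"),
    "/my-department/my-app/prod/db-url": ("String", "prod.db.internal:5432"),
    "/my-department/my-app/prod/db-password": ("SecureString", "prod-secret"),
})
```

With a real boto3 client, `load_config(boto3.client("ssm"))` returns the same dict for the branch named by ENV.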