1
00:00:00,000 --> 00:00:02,980
<v Narrator>So let's talk about the AWS Parameter Store.</v>

2
00:00:02,980 --> 00:00:05,586
And so to me this is one of the most revolutionary services.

3
00:00:05,586 --> 00:00:08,338
It's underutilized by people and you should know about it

4
00:00:08,338 --> 00:00:10,700
because the exams start asking questions.

5
00:00:10,700 --> 00:00:14,026
So it's a way to securely store your configuration

6
00:00:14,026 --> 00:00:15,322
and your secrets.

7
00:00:15,322 --> 00:00:19,365
Think of it as what the name indicates: it's a Parameter Store.

8
00:00:19,365 --> 00:00:21,639
You have the option to use something called seamless

9
00:00:21,639 --> 00:00:26,274
encryption, and so you can use KMS to basically encrypt any

10
00:00:26,274 --> 00:00:28,565
configuration you put in the Parameter Store.

11
00:00:28,565 --> 00:00:31,008
As such, Parameter Store is a really good way

12
00:00:31,008 --> 00:00:34,052
to put database passwords somewhere.

13
00:00:34,052 --> 00:00:36,186
It's Serverless so you don't have to manage any servers.

14
00:00:36,186 --> 00:00:37,019
It's scalable.

15
00:00:37,019 --> 00:00:38,934
You can have tens of thousands of parameters.

16
00:00:38,934 --> 00:00:40,261
It's durable.

17
00:00:40,261 --> 00:00:42,856
You don't need to worry about the parameters going away.

18
00:00:42,856 --> 00:00:45,201
It's free and there's a really easy SDK

19
00:00:45,201 --> 00:00:48,008
to use it as we'll see in the hands on lecture.

20
00:00:48,008 --> 00:00:50,263
On top of things, you're able to do version tracking

21
00:00:50,263 --> 00:00:52,468
of configurations and secrets, so if you erase

22
00:00:52,468 --> 00:00:55,416
a secret database password from a new one to an old one,

23
00:00:55,416 --> 00:00:56,974
you're still able to access for example,

24
00:00:56,974 --> 00:00:59,621
the old database secrets which is really good.

25
00:00:59,621 --> 00:01:02,842
You can get all the configuration through IAM,

26
00:01:02,842 --> 00:01:04,464
and all the secrets are under a path.

27
00:01:04,464 --> 00:01:06,201
I'll show you what that means in the next slide.

28
00:01:06,201 --> 00:01:08,878
But so that means that using IAM, you can restrict who can

29
00:01:08,878 --> 00:01:11,110
view which database passwords and on top of it,

30
00:01:11,110 --> 00:01:13,870
because there is KMS integration, you also need to define

31
00:01:13,870 --> 00:01:17,483
KMS policies to allow someone to decrypt a secret.

32
00:01:17,483 --> 00:01:20,401
You can get notified of anything happening for example,

33
00:01:20,401 --> 00:01:22,862
secrets changing or parameters changing using

34
00:01:22,862 --> 00:01:24,473
CloudWatch Events.

35
00:01:24,473 --> 00:01:27,852
And finally there is an integration with CloudFormation

36
00:01:27,852 --> 00:01:30,867
just in case you would need to have Parameter Store

37
00:01:30,867 --> 00:01:33,214
feed into your CloudFormation template.

38
00:01:33,214 --> 00:01:35,329
So here's what it looks like visually.

39
00:01:35,329 --> 00:01:37,498
Here's your application and it can be whatever you want.

40
00:01:37,498 --> 00:01:40,189
It could be EC2, it could be Lambda, it could be your

41
00:01:40,189 --> 00:01:42,156
computer, it could be the CLI.

42
00:01:42,156 --> 00:01:44,282
And so it wants to interact with the Parameter Store.

43
00:01:44,282 --> 00:01:46,379
So it wants to retrieve parameters.

44
00:01:46,379 --> 00:01:49,899
So what we can do is that we can just use the SDK and say

45
00:01:49,899 --> 00:01:50,851
"Hey Parameter Store, I'd like to get

46
00:01:50,851 --> 00:01:52,885
a plain text configuration."

47
00:01:52,885 --> 00:01:54,717
Now what happens is that the Parameter Store will go

48
00:01:54,717 --> 00:01:57,798
and check with IAM that I have the right to access that

49
00:01:57,798 --> 00:01:59,401
parameter and the configuration.

50
00:01:59,401 --> 00:02:01,383
And so if it's plain text, just fine,

51
00:02:01,383 --> 00:02:03,009
it will just send it back.

52
00:02:03,009 --> 00:02:06,185
But the second use case is to use encrypted configuration.

53
00:02:06,185 --> 00:02:07,670
So likewise we will ask Parameter Store,

54
00:02:07,670 --> 00:02:10,188
"Hey, we want this encrypted configuration."

55
00:02:10,188 --> 00:02:12,450
It will check the IAM permissions that we have

56
00:02:12,450 --> 00:02:14,644
and if they are okay, it will also call the

57
00:02:14,644 --> 00:02:17,231
decryption service on KMS side.

58
00:02:17,231 --> 00:02:19,828
So KMS will be used to decrypt it and Parameter Store,

59
00:02:19,828 --> 00:02:23,614
if everything is fine, will send us back the configuration.

60
00:02:23,614 --> 00:02:26,046
And so that's pretty good because we don't need to directly

61
00:02:26,046 --> 00:02:29,593
interact with KMS to retrieve some encrypted data.

62
00:02:29,593 --> 00:02:32,621
We just interact with SSM and the decryption happens

63
00:02:32,621 --> 00:02:33,969
seamlessly for us.

64
00:02:33,969 --> 00:02:37,794
So it simplifies the workflow a little bit versus KMS.

65
00:02:37,794 --> 00:02:39,796
If there's a hierarchy, here's what the parameters look

66
00:02:39,796 --> 00:02:41,858
like, so for example, and you're free to name it

67
00:02:41,858 --> 00:02:42,955
however you want.

68
00:02:42,955 --> 00:02:45,808
For example you have my department, and in my department

69
00:02:45,808 --> 00:02:46,978
you have my app.

70
00:02:46,978 --> 00:02:49,033
You have the dev environment and under dev you have the

71
00:02:49,033 --> 00:02:51,449
database url and the database password.

72
00:02:51,449 --> 00:02:53,889
We may have a prod environment under which you have

73
00:02:53,889 --> 00:02:55,800
a database url and database password,

74
00:02:55,800 --> 00:02:57,318
so they're the same hierarchy.

75
00:02:57,318 --> 00:02:59,189
But we can have other apps under my department

76
00:02:59,189 --> 00:03:00,899
and we could have other departments.

77
00:03:00,899 --> 00:03:03,739
So think of like a giant tree and you can organize

78
00:03:03,739 --> 00:03:05,229
that tree however you want.

79
00:03:05,229 --> 00:03:07,374
Some people have a department-centric one, some people

80
00:03:07,374 --> 00:03:08,852
have an app-centric one, some people have

81
00:03:08,852 --> 00:03:10,470
an environment-centric one.

82
00:03:10,470 --> 00:03:13,261
All that matters is that you define some kind of

83
00:03:13,261 --> 00:03:16,669
hierarchy and convention by how you define your parameters.

84
00:03:16,669 --> 00:03:17,966
So why do we do this?

85
00:03:17,966 --> 00:03:20,253
Well say we have a Dev Lambda Function and we want

86
00:03:20,253 --> 00:03:23,287
to get Dev Parameters then we would just use the

87
00:03:23,287 --> 00:03:26,020
GetParameters or GetParametersByPath API.

88
00:03:26,020 --> 00:03:27,967
So just remember these two APIs.

89
00:03:27,967 --> 00:03:30,611
And we would ask directly for the Dev Parameters.

90
00:03:30,611 --> 00:03:33,242
But if we had a Prod Lambda Function, it would

91
00:03:33,242 --> 00:03:36,146
automatically ask for the Prod Parameters.

92
00:03:36,146 --> 00:03:38,899
And so here we can see we can differentiate different

93
00:03:38,899 --> 00:03:40,330
parameters for different environments.

94
00:03:40,330 --> 00:03:43,083
Which is good because we have clear separation

95
00:03:43,083 --> 00:03:46,914
of duties and roles and et cetera, et cetera.

96
00:03:46,914 --> 00:03:49,296
So this is how easy that is, to be honest.

97
00:03:49,296 --> 00:03:52,047
You just need to remember that the stores are a hierarchy,

98
00:03:52,047 --> 00:03:55,122
that you get encrypted and plain text parameters

99
00:03:55,122 --> 00:03:57,609
and that you have GetParametersByPath or GetParameters.

100
00:03:57,609 --> 00:03:58,442
That's it.

101
00:03:58,442 --> 00:04:00,159
We're just going to practice this in the next lecture,

102
00:04:00,159 --> 00:04:01,869
just so you get a much better idea of how it works

103
00:04:01,869 --> 00:04:03,952
because this is one of these services that you need

104
00:04:03,952 --> 00:04:05,842
to see how it works to get a better idea

105
00:04:05,842 --> 00:04:07,099
of how things go.

106
00:04:07,099 --> 00:04:09,227
But you'll see it's very easy and I find

107
00:04:09,227 --> 00:04:10,748
it incredibly useful.

108
00:04:10,748 --> 00:04:12,505
So see you in the next lecture.

