
I have executed PutParameter using the .NET AWS SDK like so:

    using Amazon.SimpleSystemsManagement;
    using Amazon.SimpleSystemsManagement.Model;

    // _key, _secret, _region and keyId are defined elsewhere in the calling class.
    using (var client = new AmazonSimpleSystemsManagementClient(_key, _secret, _region))
    {
        await client.PutParameterAsync(new PutParameterRequest
        {
            Name = "MyBlah",
            Overwrite = true,
            KeyId = keyId,                      // KMS key used to encrypt the value
            Value = "Blah",
            Type = ParameterType.SecureString   // stored encrypted, decrypted on read
        });
    }

I can see my data in the console.

However, when I click on 'show' I can see the value in plaintext:

[screenshot: Console]

How can I hide this from users but still let them see that there is a value there?

zaitsman

1 Answer


Overview

To be able to read the value of a Parameter, the user needs access to the ssm:GetParameters action (as well as Decrypt access on the encrypting KMS key, by default aws/ssm).

Avoiding Permission

If you are using Least Privilege to grant access to your users, ensure that they aren't given access to the ssm:GetParameters action.

Denying Permission

Although Least Privilege is recommended in many places, most example permissions are overly permissive. If you can't avoid giving a permission, you can add an explicit Deny to any users you don't want retrieving the values.

The following policy, if attached to a User/Role, should block access to reading the value of a parameter.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "ssm:GetParameters",
    "Resource": "*"
  }]
}

Deny Decryption

Since viewing a SecureString depends on decrypting using KMS, you can also deny decryption:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "kms:Decrypt",
    "Resource": "[key arn]"
  }]
}

where you replace [key arn] with the KMS Key, or * to block decryption with any keys.

Jamie Starke
  • Thanks. Basically I was able to apply 'Deny' just to the encryption key, and so the user can see the parameters in the console but can't decrypt it. – zaitsman Sep 20 '17 at 04:35
  • Wicked, I updated the answer to include a policy for denying decryption. – Jamie Starke Sep 20 '17 at 04:42
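The answer's two policies (deny ssm:GetParameters, or deny kms:Decrypt on the key) both work because showing a SecureString needs two separate permissions and an explicit Deny on either one wins. The following is an added example, not code from the question or the answer: a small offline model of that IAM decision that lets you check, before touching an account, which policy combinations still let a principal list the parameter while blocking the value. The account ID, parameter ARN, key ARNs and the broad "allow everything" starting policy are constructed for the example; the evaluator only handles Effect/Action/Resource with "*" wildcards (no Condition, NotAction, resource policies or KMS grants), so treat it as a check on policy intent rather than a replacement for the IAM policy simulator.

```python
"""Offline model of the IAM checks behind reading an SSM SecureString.

Added example; not code from the original question or answer.  Rule modelled:
a principal can show a SecureString only if it is allowed ssm:GetParameters on
the parameter AND kms:Decrypt on the key that encrypted it, and an explicit
Deny on either action beats every Allow.  Simplified evaluator: Effect, Action
and Resource with "*" wildcards only.  All ARNs below are constructed.
"""
import re

# Constructed identifiers for the example (not from the original page).
PARAM_ARN = "arn:aws:ssm:us-east-1:123456789012:parameter/MyBlah"
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
OTHER_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/66666666-7777-8888-9999-000000000000"

# The kind of broad "example" policy the answer says is common.
READ_ALL = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"},
    ],
}

# The two explicit Deny policies from the answer, with [key arn] filled in.
DENY_GET_PARAMETERS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "ssm:GetParameters", "Resource": "*"}],
}
DENY_DECRYPT_ON_KEY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "kms:Decrypt", "Resource": KEY_ARN}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, ignore_case):
    """IAM-style matching: '*' matches any run of characters, the rest is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policies, action, resource):
    """Identity-policy decision: explicit Deny > Allow > implicit deny."""
    allowed = False
    for doc in policies:
        for stmt in doc["Statement"]:
            # Action names are case-insensitive in IAM; resource ARNs are not.
            if not any(_glob(a, action, True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_glob(r, resource, False) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def can_read_securestring(policies, param_arn=PARAM_ARN, key_arn=KEY_ARN):
    """True only if both halves of a SecureString read are permitted."""
    return (is_allowed(policies, "ssm:GetParameters", param_arn)
            and is_allowed(policies, "kms:Decrypt", key_arn))


def can_see_parameter_exists(policies):
    """Listing parameters in the console needs DescribeParameters, not the value."""
    return is_allowed(policies, "ssm:DescribeParameters", "*")


def outcome(policies):
    """Summarise what a principal with these policies can do with the parameter."""
    return {
        "sees_it_exists": can_see_parameter_exists(policies),
        "can_show_value": can_read_securestring(policies),
    }


if __name__ == "__main__":
    for label, pols in [
        ("broad allow only", [READ_ALL]),
        ("broad allow + deny ssm:GetParameters", [READ_ALL, DENY_GET_PARAMETERS]),
        ("broad allow + deny kms:Decrypt on the key", [READ_ALL, DENY_DECRYPT_ON_KEY]),
    ]:
        print(f"{label:45s} {outcome(pols)}")
```

Running it shows the difference between the two approaches: the GetParameters deny blocks the value for every parameter, while the kms:Decrypt deny scoped to one key ARN blocks only values encrypted with that key, so a principal keeps decrypting with other keys (the `OTHER_KEY_ARN` case). Either way `ssm:DescribeParameters` is untouched, which is what keeps the parameter visible in the list, as the asker wanted.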