What is the best way to securely store Constants and Parameters for the servers to use it on runtime?

Question

We're running a server on AWS that will be using a few constants. These constants may be details that are confidential like a few API tokens, Client secrets & even DB credentials. We have been saving these details in one of our files on the server itself (say Credentials.js). So,

What is the best possible way to store these Credentials and in a secure manner.
We were also planing to switch to AWS SSM parameter store. Is it worth considering it? It also provides KMS encryption to confidential parameters.
Even if we do switch to AWS SSM Parameter store, we will have to call them multiple times when we make requests to third-party application servers (as we'll need the API tokens for those apps). Does this justify the cost we'll pay for SSM (Considering we take Standard store with High throughput) ?

Also, Please let me know if there are there alternatives to securely store these Parameters.

Thanks.

Does AWS Secrets Manager provide what you need? - https://aws.amazon.com/secrets-manager/ I believe this is designed to store secrets that are used in your environment. — James Wilson, Jan 29 '21 at 10:43
SSM Param Store is free if you use standard tier. How many requests do you want to make? — Marcin, Jan 29 '21 at 11:01
Thanks @JamesWilson Comparing SSM Param Store and Secrets Manager, I believe Param store is a better option right? As it's free for a standard tier. — Raghav Mishra, Jan 29 '21 at 12:27
Hey @Marcin I may end up making 50000 API calls to SSM to extract the credentials. Thanks for your response. As compared to Secrets manager, I believe Param store is a better choice. What say? — Raghav Mishra, Jan 29 '21 at 12:29
Does this answer your question? [AWS System Manager Parameter Store vs Secrets Manager vs Environment Variation in Lambda, when to use which](https://stackoverflow.com/questions/63235425/aws-system-manager-parameter-store-vs-secrets-manager-vs-environment-variation-i) — mon, Jan 29 '21 at 20:54

mon · Answer 1 · 2021-01-30T02:30:14.800

Secret Manager

Secrets Manager enables you to replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. This helps ensure the secret can't be compromised by someone examining your code, because the secret no longer exists in the code. Also, you can configure Secrets Manager to automatically rotate the secret for you according to a specified schedule. This enables you to replace long-term secrets with short-term ones, significantly reducing the risk of compromise.

To get an overview how it look like, see AWS Secrets Manager: Store, Distribute, and Rotate Credentials Securely.

Cost

See Pricing. $0.40 USD per secret per month and $0.05 per 10,000 API calls.

Documents

Tutorials - Start here to get the ideas
secrets_getsecretvalue.js - Example to get secrets in JS
JS SDK for Secret Manager - Look further here to know the JS SDK
CreatSecretAPI - AWS API to create a secret for the detailed references

Create a secret via the AWS console or using SDK. See Creating a secret. A secret is a key/value pair where the value is in JSON format.

Alternatives

Hashicorp Vault

Lambda

Use a lambda which only accepts an access from those with a specific IAM role/permission attached to the IAM profile of an EC2 instance to run your app.

Others

Just Googling "parameter store for secret management" showed bunch of articles and how-to. Please do the research first.

Thanks @mon Just wanted to know, Can we consider SSM Parameter store to be a good alternative to The Secrets Manager? As Param Store is free for the standard tier and I'll only have to pay for the high throughput Per 10,000 API calls. Also, all the secrets is constants and we don't want them to be rotated, — Raghav Mishra, Jan 29 '21 at 12:42
Hi @RaghavMishra, it looks you are looking for acknowledgement that Parameter Store is for secret management. I suppose it would be better to open another question to discuss pros/cons of using parameter store for secret management. Secret Manager is purpose built for secret management and if you prefer not using it, perhaps this question may not be the right question. — mon, Jan 29 '21 at 20:23
@RaghavMishra, Parameter Store also can cost $0.05 per 10,000 Parameter Store API interactions if you need higher throughput. — mon, Jan 29 '21 at 21:23