What is the MOST secure way to pass these credentials to the Lambda function?
Use a CloudFormation parameter to pass the master user credentials at deployment to the OpenSearch Service domain’s MasterUserOptions and the Lambda function’s environment variable. Set the NoEcho attribute to true.
Use a CloudFormation parameter to pass the master user credentials at deployment to the OpenSearch Service domain’s MasterUserOptions and to create a parameter in AWS Systems Manager Parameter Store. Set the NoEcho attribute to true. Create an IAM role that has the ssm:GetParameter permission. Assign the role to the Lambda function. Store the parameter name as the Lambda function’s environment variable. Resolve the parameter’s value at runtime.
Use a CloudFormation parameter to pass the master user credentials at deployment to the OpenSearch Service domain’s MasterUserOptions and the Lambda function’s environment variable. Encrypt the parameter’s value by using the AWS Key Management Service (AWS KMS) encrypt command.
Use CloudFormation to create an AWS Secrets Manager secret. Use a CloudFormation dynamic reference to retrieve the secret’s value for the OpenSearch Service domain’s MasterUserOptions. Create an IAM role that has the secretsmanager:GetSecretValue permission. Assign the role to the Lambda function. Store the secret’s name as the Lambda function’s environment variable. Resolve the secret’s value at runtime.
Explanations:
Passing the master user credentials through CloudFormation parameters exposes them in plaintext, which is insecure. The NoEcho attribute only hides the value in CloudFormation logs, not in the Lambda function’s environment variable, making this approach less secure.
Using Systems Manager Parameter Store with the NoEcho attribute for securing the credentials is a good idea, but this approach requires a Lambda function IAM role with thessm:GetParameterpermission. This adds complexity and risks of misconfigured permissions. Also, using parameter store is not as secure as Secrets Manager for sensitive credentials.
Encrypting the parameter value using KMS is an improvement, but passing the credentials as a CloudFormation parameter still exposes them in plaintext to the Lambda function, reducing security. KMS encryption does not eliminate the need for careful handling of the parameter’s value.
Using AWS Secrets Manager to store credentials is the most secure option. Secrets Manager offers automatic rotation of secrets, access control, and encryption at rest. The Lambda function can securely retrieve the secret via IAM role permissions, making this the best practice for securely passing credentials.
Based on what I know, the answer is:
Use CloudFormation to create an AWS Secrets Manager secret. Use a CloudFormation dynamic reference to retrieve the secret’s value for the OpenSearch Service domain’s MasterUserOptions. Create an IAM role that has the secretsmanager:GetSecretValue permission. Assign the role to the Lambda function. Store the secret’s name as the Lambda function’s environment variable. Resolve the secret’s value at runtime.