What option securely provides the application with the needed credentials while requiring MINIMAL administrative overhead?
Pass the credentials for the target environment to the CloudFormation template as parameters. Use the user data script to insert the parameterized credentials into the EC2 instances.
Store the credentials as secure strings in AWS Systems Manager Parameter Store. Pass an environment tag as a parameter to the CloudFormation template. Use the user data script to insert the environment tag in the EC2 instances. Access the credentials from the application.
Create a separate CloudFormation template for each environment. In the Resources section, include a user data script for each EC2 instance. Use the user data script to insert the proper credentials for the environment into the EC2 instances.
Create separate Amazon Machine Images (AMIs) with the required credentials for each environment. Pass the environment tag as a parameter to the CloudFormation template. In the Mappings section of the CloudFormation template, map the environment tag to the proper AMI, then use that AMI when launching the EC2 instances.
Explanations:
Passing credentials as parameters in the CloudFormation template and using user data to insert them into EC2 instances is not secure. Credentials in plaintext in the CloudFormation template or user data can be easily accessed and compromised: user data is stored unencrypted and is readable from the instance metadata service by any process on the instance, and parameter values are visible to anyone who can describe the stack.
Storing credentials in AWS Systems Manager Parameter Store as secure strings ensures that credentials are encrypted at rest and are accessed securely by the application at runtime, through an IAM role and not through the template. The environment tag selects which set of parameters the application reads, so a single template and a single AMI serve every environment, which keeps administrative overhead minimal.
Creating separate CloudFormation templates for each environment with embedded user data scripts for credentials introduces unnecessary complexity and administrative overhead. Additionally, embedding credentials in the template is not a secure practice.
Creating separate AMIs with embedded credentials is not ideal, as it introduces management complexity. Each environment requires its own AMI, which increases the administrative overhead and makes updates to credentials difficult.
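The correct option as a single template, added here as an illustration and not part of the original question or any AWS sample: the environment tag is the only parameter, the instance role may read only the Parameter Store path for that environment, and user data writes nothing but the tag. The SecureStrings themselves (for example `/myapp/prod/db-password`) are assumed to have been created out of band with `aws ssm put-parameter --type SecureString`, since CloudFormation cannot create SecureString parameters; the application reads `/etc/myapp/environment` and calls `GetParameter` with decryption on `/myapp/<environment>/<name>`. The `myapp` path prefix and the `/etc/myapp` location are hypothetical.

```yaml
AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  Environment:
    Type: String
    AllowedValues: [dev, test, prod]   # environment tag chosen at deploy time
  AmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64

Resources:
  # Role assumed by the instances; no credential is ever written into this template.
  AppInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ReadOwnEnvironmentSecrets
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Least privilege: read only the parameter path for THIS environment (hypothetical prefix /myapp).
              - Effect: Allow
                Action: ssm:GetParameter
                Resource: !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/myapp/${Environment}/*
              # Needed to decrypt SecureStrings stored under the AWS managed SSM key.
              - Effect: Allow
                Action: kms:Decrypt
                Resource: "*"
                Condition: { StringEquals: { kms:ViaService: !Sub "ssm.${AWS::Region}.amazonaws.com" } }
  AppInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref AppInstanceRole]
  AppInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref AmiId
      InstanceType: t3.micro
      IamInstanceProfile: !Ref AppInstanceProfile
      # User data carries only the environment tag, never a secret.
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          mkdir -p /etc/myapp && echo "${Environment}" > /etc/myapp/environment
```

Rotating a credential is then a `put-parameter` call on one path; neither the template nor the AMI changes, and an instance in one environment cannot read another environment's parameters.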