Which solution will meet these requirements in the MOST secure way?
Put the sensitive data into a CloudFormation parameter. Encrypt the CloudFormation templates by using an AWS Key Management Service (AWS KMS) key.
Put the sensitive data into an Amazon S3 bucket. Update the CloudFormation templates to download the object from Amazon S3 during bootstrap.
Put the sensitive data into AWS Systems Manager Parameter Store as a secure string parameter. Update the CloudFormation templates to use dynamic references to specify template values.
Put the sensitive data into Amazon Elastic File System (Amazon EFS). Enforce EFS encryption after file system creation. Update the CloudFormation templates to retrieve data from Amazon EFS.
Explanations:
Storing sensitive data in CloudFormation parameters is not recommended because parameters are stored in plaintext and can be exposed in various ways, including in the CloudFormation console and CloudTrail logs. Encrypting the templates with AWS KMS does not secure the sensitive data during execution or bootstrap.
While storing sensitive data in an Amazon S3 bucket could be a viable option, it poses risks related to data exposure if the bucket is not properly secured. Additionally, downloading sensitive data during bootstrap can still expose it in logs or to unauthorized users unless additional precautions, like encryption and IAM permissions, are implemented.
AWS Systems Manager Parameter Store allows for secure storage of sensitive data as secure string parameters, which are encrypted. Using dynamic references in CloudFormation templates allows the application to retrieve these values securely at runtime without exposing them in the templates, thus providing a robust solution for managing sensitive information.
Storing sensitive data in Amazon EFS is not ideal for bootstrap scripts because accessing EFS adds complexity and potential performance overhead during instance bootstrapping. Moreover, while EFS can be encrypted, it does not inherently provide a secure method for passing sensitive data to scripts without additional measures.
I estimate that the answer is:
Put the sensitive data into AWS Systems Manager Parameter Store as a secure string parameter. Update the CloudFormation templates to use dynamic references to specify template values.