
Reputation: 124804

AWS SSM parameter store reliability

I am looking at using AWS SSM Parameter Store to store secrets such as database connection strings for applications deployed on EC2, Elastic Beanstalk, Fargate Docker containers, etc.

The linked document states that the service is "highly scalable, available, and durable", but I can't find more details on what exactly that means. For example, is it replicated across all regions?

Is it best to:

a) read secrets from the parameter store at application startup (i.e. rely on it being highly available and scalable, even if, say, another region has gone down)?

or

b) read and store secrets locally when the application is deployed? Arguably less secure, but it means that any unavailability of the Parameter Store service would only impact deployment of new versions.

Upvotes: 2

Views: 2811

Answers (2)

user3647324

Reputation: 123

Just checked the unthrottled throughput of SSM. It is not in the spec, but it is ca. 50 req/s.

Upvotes: 0

titogeo

Reputation: 2184

If you want to go with the Parameter Store, go with your option a, and fail the app if the get-parameter call fails. (This happens; I have seen rate limiting happening for Parameter Store API requests.) See here.

Or

The best option is AWS Secrets Manager. Secrets Manager is a superset of the Parameter Store. It supports RDS password rotation and many more. Also, it's paid.

Upvotes: 1
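
Option (a) with the fail-fast behaviour and rate limiting discussed above, sketched as an added example that is not part of either answer or of any AWS sample. The parameter name `/myapp/prod/db-connection`, the retry budget and the set of error codes treated as transient are assumptions.

```python
import random
import sys
import time

# Codes treated as transient (assumption). ThrottlingException is what SSM
# returns when the request rate is exceeded.
RETRYABLE = {"ThrottlingException", "InternalServerError"}


class SecretUnavailable(RuntimeError):
    """A required secret could not be read; the application should not start."""


def error_code(exc):
    # botocore's ClientError exposes the service error as exc.response["Error"]["Code"].
    resp = getattr(exc, "response", None)
    return resp.get("Error", {}).get("Code") if isinstance(resp, dict) else None


def load_secret(ssm, name, attempts=5, base_delay=0.2, sleep=time.sleep):
    """Read one SecureString at startup: back off on throttling, otherwise fail fast."""
    for attempt in range(1, attempts + 1):
        try:
            resp = ssm.get_parameter(Name=name, WithDecryption=True)
            return resp["Parameter"]["Value"]
        except Exception as exc:
            code = error_code(exc)
            if code not in RETRYABLE or attempt == attempts:
                # Report only the parameter name and error code, never the value.
                raise SecretUnavailable(f"{name}: {code or type(exc).__name__}") from exc
            # Exponential backoff with full jitter so many instances starting
            # together do not hit the API in lockstep.
            sleep(random.uniform(0, base_delay * 2 ** attempt))


if __name__ == "__main__":
    import boto3  # assumes AWS credentials and a region are already configured

    try:
        # Hypothetical parameter name, for illustration only.
        dsn = load_secret(boto3.client("ssm"), "/myapp/prod/db-connection")
    except SecretUnavailable as err:
        sys.exit(f"startup aborted: {err}")
    print("database secret loaded")
```

boto3 clients already retry throttled calls a few times by default; this outer loop bounds the total wait and makes the decision to abort startup explicit.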
