The External Secrets Inc. Audit & Compliance product suite is a premium product. It requires a specific subscription. Contact us for more information.

AWS Parameter Store Provider

The Audit Listener can be configured to receive audit logs from AWS Parameter Store by using an SQS queue, EventBridge and a CloudTrail trail. The illustration below demonstrates the setup:
[Architecture diagram]

Required Permissions

To set up the Listener, the following permissions must be assigned:
  • sqs:ReceiveMessage
  • sqs:DeleteMessage
  • ssm:GetParametersByPath
  • ssm:GetParameter
  • kms:Decrypt
The GetParameter, GetParametersByPath and Decrypt permissions are necessary for the listener to detect duplicate entries.

Policy Example

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SQSConsumeAccess",
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage"
      ],
      "Resource": "arn:aws:sqs:<REGION>:<ACCOUNT_ID>:<QUEUE_NAME>"
    },
    {
      "Sid": "SSMParameterReadAccess",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParametersByPath"
      ],
      "Resource": "arn:aws:ssm:<REGION>:<ACCOUNT_ID>:parameter/*"
    },
    {
      "Sid": "KMSDecryptAccess",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:<REGION>:<ACCOUNT_ID>:key/<YOUR_KEY_ID>"
    }
  ]
}

Configuring the Provider

Setting up the provider may require configuring one of the authentication methods below when the listener is installed.

Supported Authentication Methods

The Audit Listener supports the following AWS authentication methods:
  • Using an Access Key and Secret Access Key defined in the runtime.
  • Using an IAM role for tasks when using an ECS task definition or the RunTask API operation.
  • Using an IAM role for Amazon EC2 when your listener is running on an EC2 instance.
  • Using IAM Roles for Service Accounts (IRSA) when running on EKS.
Create a patch file named aws-patch.yaml with the following content:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: audit-listener
spec:
  template:
    spec:
      containers:
      - name: audit-listener
        env:
        - name: AWS_ACCESS_KEY_ID
          valueFrom:
            secretKeyRef:
              name: access-key
              key: key
        - name: AWS_SECRET_ACCESS_KEY
          valueFrom:
            secretKeyRef:
              name: secret-access
              key: secret
Add the following values to the helm install:
extraEnv:
  - name: AWS_ACCESS_KEY_ID
    valueFrom:
      secretKeyRef:
        name: access-key
        key: key
  - name: AWS_SECRET_ACCESS_KEY
    valueFrom:
      secretKeyRef:
        name: secret-access
        key: secret
Execute the following command using an account with appropriate privileges:

systemctl edit audit-listener.service

Then, edit the override file to include the necessary environment variables:
[Service]
Environment="AWS_ACCESS_KEY_ID=<ACCESS_KEY_ID>"
Environment="AWS_SECRET_ACCESS_KEY=<SECRET_ACCESS_KEY>"
  • This method is incompatible with Kubernetes installations.
  • No additional setup is required for authentication when using an ECS task definition or the RunTask API operation.
Create a patch file named aws-sa-patch.yaml with the following content and add it to the kustomization file:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: audit-listener
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<account-id>:role/audit-listener-role
Add the following values to the helm install:
serviceAccount:
  annotations:
    "eks.amazonaws.com/role-arn": arn:aws:iam::<account-id>:role/audit-listener-role
  • This authentication method is not supported for standalone installations.

Creating a new Provider

After completing the listener setup, you can create a new provider.
  1. Navigate to the Dashboard.
  2. Add a new provider:
    • Select AWS_PARAMETER_STORE as the provider type.
    • Specify the fields based on your installation:
      • Region: AWS region.
      • QueueURL: SQS queue endpoint URL.

Setting Up AWS

  • Create an S3 bucket that will be used to store CloudTrail logs
  • Create a trail in CloudTrail
  • Create an SQS queue that will be consumed by the Audit Listener
  • Configure EventBridge to route Parameter Store events to SQS

Create S3 Bucket

data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "ps_trail_bucket" {
  bucket = "ps-trail-bucket"
}

resource "aws_s3_bucket_policy" "s3_bucket_policy" {
  bucket = aws_s3_bucket.ps_trail_bucket.id
  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Sid       = "AWSCloudTrailAclCheck",
        Effect    = "Allow",
        Principal = { Service = "cloudtrail.amazonaws.com" },
        Action    = "s3:GetBucketAcl",
        Resource  = aws_s3_bucket.ps_trail_bucket.arn
      },
      {
        Sid       = "AWSCloudTrailWrite",
        Effect    = "Allow",
        Principal = { Service = "cloudtrail.amazonaws.com" },
        Action    = "s3:PutObject",
        Resource  = "${aws_s3_bucket.ps_trail_bucket.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"
      }
    ]
  })
}

Create Trail

resource "aws_cloudtrail" "cloud_trail" {
  name                          = "ps-trail"
  s3_bucket_name                = aws_s3_bucket.ps_trail_bucket.id
  include_global_service_events = true
  is_multi_region_trail         = true
  enable_log_file_validation    = true

  # CloudTrail validates the bucket policy when the trail is created, so the
  # policy above must be applied first.
  depends_on = [aws_s3_bucket_policy.s3_bucket_policy]
}

Create SQS Queue

resource "aws_sqs_queue" "ps_events_queue" {
  name = "parameter_store_events"
}

data "aws_iam_policy_document" "policy" {
  statement {
    actions   = ["sqs:SendMessage"]
    resources = [aws_sqs_queue.ps_events_queue.arn]
    sid       = "AllowEventBridgeToSendMessages"
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [aws_cloudwatch_event_rule.ps_events_rule.arn]
    }
    effect = "Allow"
  }
}

resource "aws_sqs_queue_policy" "sqs_policy" {
  queue_url = aws_sqs_queue.ps_events_queue.id

  policy = data.aws_iam_policy_document.policy.json
}

Configure Event Bridge

resource "aws_cloudwatch_event_rule" "ps_events_rule" {
  name = "parameter-store-events-rule"

  event_pattern = jsonencode({
    source        = ["aws.ssm"],
    "detail-type" = ["AWS API Call via CloudTrail"],
    detail = {
      eventSource = ["ssm.amazonaws.com"]
    }
  })
  # Read-only management events such as GetParameter and GetParametersByPath
  # are only delivered to EventBridge when the rule is in this state.
  state = "ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS"
}

resource "aws_cloudwatch_event_target" "sqs" {
  rule      = aws_cloudwatch_event_rule.ps_events_rule.name
  target_id = "SendToSQS"
  arn       = aws_sqs_queue.ps_events_queue.arn
}
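As an added example (not the product's code and not from this page), the Python below shows what a consumer of the queue configured above receives: each SQS message body is the EventBridge envelope, with the CloudTrail record in `detail`. The sample message is constructed; the parser flattens it into an audit record and the consumer drops redeliveries by `eventID`, which a standard SQS queue can produce.

```python
import json

# Constructed sample SQS message body: the EventBridge envelope delivered by the
# rule above, with the CloudTrail record for a GetParameter call in "detail".
SAMPLE_BODY = json.dumps({
    "id": "11111111-2222-3333-4444-555555555555", "source": "aws.ssm",
    "detail-type": "AWS API Call via CloudTrail", "account": "123456789012",
    "region": "eu-west-1", "resources": [],
    "detail": {
        "eventSource": "ssm.amazonaws.com", "eventName": "GetParameter",
        "eventID": "aaaaaaaa-0000-0000-0000-000000000001", "readOnly": True,
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"name": "/app/db/password", "withDecryption": True},
    },
})


def parse_audit_event(body):
    """Flatten one queue message into an audit record; return None when the
    message is not a Parameter Store API call delivered via CloudTrail."""
    event = json.loads(body)
    if event.get("source") != "aws.ssm" or event.get("detail-type") != "AWS API Call via CloudTrail":
        return None
    d = event.get("detail") or {}
    if d.get("eventSource") != "ssm.amazonaws.com":
        return None
    params = d.get("requestParameters") or {}
    return {
        "event_id": d.get("eventID"),
        "event_name": d.get("eventName"),
        "actor": (d.get("userIdentity") or {}).get("arn"),
        # GetParameter carries "name"; GetParametersByPath carries "path".
        "parameter": params.get("name") or params.get("path"),
        "with_decryption": bool(params.get("withDecryption", False)),
        # Read-only calls reach the queue only with the rule state set above.
        "read_only": bool(d.get("readOnly", False)),
    }


class AuditConsumer:
    """Keeps one record per CloudTrail eventID: a standard SQS queue delivers
    at-least-once, so the same record may be received more than once."""
    def __init__(self):
        self.seen, self.records = set(), []

    def handle(self, body):
        rec = parse_audit_event(body)
        if rec is None or rec["event_id"] in self.seen:
            return False  # dropped: not a Parameter Store event, or a redelivery
        self.seen.add(rec["event_id"])
        self.records.append(rec)
        return True
```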