I'm trying to understand why having parameters stored in AWS Parameter Store (SSM) encrypted using KMS is a better solution than saving parameters in .env file on a nginx server.
As far as the nginx server setup goes, .env file is not exposed to public hence it can't be viewed unless someone breaks into the server.
nginx config has public
folder set as a root
root /home/user/app/public;
Looked like the consensus was if someone manages to break into the server, they will be able to see all the parameters stored in .env file contents in plain text hence less secure than Parameter Store.
But isn't that the same for AWS Parameter Store? (Main question)
In the php file, the way I load parameters from the Parameter Store is using SSM Client.
e.g.
$client = new SsmClient([
'version' => 'latest',
'region' => 'us-west-2',
]);
$credentials = $client->getParameters([
'Names' => ['MY_KEY', 'MY_SECRET'],
'WithDecryption' => true
]);
$key = $credentials['Parameters'][0]['Value'];
$secret = $credentials['Parameters'][1]['Value'];
If someone breaks into the server, they will be able to perform these and retrieve any parameters.
So what makes SSM more secure than .env?
question from:
https://stackoverflow.com/questions/65660363/aws-parameter-store-vs-env-on-nginx 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…