AWS Management Tools

Default Host Management Configuration on AWS Systems Manager

Updated June 23, 2025

--

Method 1: The NoEcho Attribute

The simplest way to prevent a parameter from being displayed in plain text is to use the NoEcho property.

  • How it works: When you set the NoEcho property of a parameter to true, CloudFormation masks the value with asterisks (****) in the AWS Management Console, logs, and API outputs (like the aws cloudformation describe-stacks command).

  • Use Case: This is suitable for preventing accidental "over-the-shoulder" exposure of sensitive values during manual stack creation or for cleaning up console logs.

  • Limitation: This is obfuscation, not encryption. It does not protect the parameter value from anyone with IAM permissions to access the stack's details. It should not be solely relied upon for highly sensitive secrets.

Example

In this example, the DBPassword parameter will be masked wherever it is displayed.

```yaml
Parameters:
  DBPassword:
    Type: String
    Description: The password for the database.
    NoEcho: true

Resources:
  MyDB:
    Type: AWS::RDS::DBInstance
    Properties:
      MasterUserPassword: !Ref DBPassword
      # ... other properties
```

Method 2: Dynamic References

Dynamic references are the most secure and recommended way to handle secrets. Instead of passing a secret value into the stack, this method allows CloudFormation to fetch the value directly from a secure, managed store at deployment time. The secret itself never passes through the CloudFormation service.

Dynamic references use the syntax {{resolve:service:reference-key}}.

Using AWS Systems Manager (SSM) Parameter Store

SSM Parameter Store is an excellent choice for storing application configuration data and secrets.

  • For Plaintext Values: Use the ssm key for non-sensitive configuration data like endpoints or public AMI IDs.
    • Syntax: {{resolve:ssm:parameter-name:version}}

  • For Encrypted Values: Use the ssm-secure key for sensitive data stored as a SecureString in Parameter Store. The value is encrypted at rest using AWS KMS.
    • Syntax: {{resolve:ssm-secure:parameter-name:version}}

Example (SSM Secure String)

First, store your secret in Parameter Store as a SecureString. Then, reference it in your template.

```yaml
# In this example, an API key is stored in SSM Parameter Store
# under the name /my-app/api-key

Resources:
  MyLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      # ... other properties
      Environment:
        Variables:
          API_KEY: '{{resolve:ssm-secure:/my-app/api-key:1}}' # Fetches version 1 of the secret
```

Using AWS Secrets Manager

AWS Secrets Manager is the ideal service for managing credentials that require lifecycle management, such as automatic rotation. It is the best choice for database passwords.

  • How it works: You store your secret in Secrets Manager, which can automatically rotate credentials for supported services like Amazon RDS. CloudFormation then fetches the secret using a dynamic reference.

  • Syntax: {{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}}
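As an added example (not code from the article), a Python parser for the two reference syntaxes shown above, plus a walker that lists every dynamic reference in a parsed template so a reviewer can see exactly what a stack pulls from Parameter Store versus Secrets Manager. It assumes the documented field order and handles the case where secret-id is a full ARN (which itself contains colons); the ARN, account id and secret names used in its checks are constructed placeholders.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

DYNAMIC_REF = re.compile(r"\{\{resolve:([^{}]+)\}\}")  # {{resolve:service:reference-key}}
SERVICES = ("ssm", "ssm-secure", "secretsmanager")
SM_FIELDS = ("secret_string", "json_key", "version_stage", "version_id")


def parse_dynamic_reference(ref: str) -> Dict[str, Optional[str]]:
    """Split one {{resolve:...}} string into named parts; ValueError if malformed."""
    m = DYNAMIC_REF.fullmatch(ref.strip())
    if not m:
        raise ValueError(f"not a dynamic reference: {ref!r}")
    service, *rest = m.group(1).split(":")
    if service not in SERVICES:
        raise ValueError(f"unknown service {service!r}")
    if not rest or not rest[0]:
        raise ValueError("missing parameter name / secret id")
    if service != "secretsmanager":
        # {{resolve:ssm[-secure]:parameter-name:version}}: version is optional but numeric.
        version = rest[1] if len(rest) == 2 and rest[1] else None
        if len(rest) > 2 or (version is not None and not version.isdigit()):
            raise ValueError(f"malformed SSM reference: {ref!r}")
        return {"service": service, "parameter_name": rest[0], "version": version}
    # secret-id may be a full ARN, which itself contains colons:
    # arn:partition:secretsmanager:region:account:secret:name is 7 segments.
    n = 7 if rest[0] == "arn" else 1
    if len(rest) < n or len(rest) - n > len(SM_FIELDS):
        raise ValueError(f"malformed secretsmanager reference: {ref!r}")
    fields = rest[n:]
    out: Dict[str, Optional[str]] = {"service": service, "secret_id": ":".join(rest[:n])}
    for i, name in enumerate(SM_FIELDS):
        out[name] = fields[i] if i < len(fields) and fields[i] else None
    return out


def find_dynamic_references(node: Any, path: str = "") -> List[Tuple[str, str]]:
    """Walk a parsed template (dicts/lists/strings) and return (property path, reference) pairs."""
    found: List[Tuple[str, str]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            found += find_dynamic_references(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found += find_dynamic_references(value, f"{path}[{i}]")
    elif isinstance(node, str):
        found += [(path, m.group(0)) for m in DYNAMIC_REF.finditer(node)]
    return found
```

A reference that parses cleanly is still only usable where CloudFormation supports it: ssm-secure references resolve only in a limited set of resource properties, so check the supported-properties list for the resource in question before relying on one.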

Example (Secrets Manager)

This is a common and secure pattern for providing a Lambda function with database credentials.

  1. Store Credentials: First, store your database credentials (username, password, host, etc.) as a secret in AWS Secrets Manager.

  2. Reference in Template: In your CloudFormation template, use a dynamic reference to fetch the full secret JSON or a specific key from it.

    ```yaml
    Resources:
      MyDatabase:
        Type: AWS::RDS::DBInstance
        Properties:
          MasterUsername: '{{resolve:secretsmanager:my-db-creds:secret-string:username}}'
          MasterUserPassword: '{{resolve:secretsmanager:my-db-creds:secret-string:password}}'
          # ... other properties

      MyLambdaFunction:
        Type: AWS::Lambda::Function
        Properties:
          # ... other properties
          Environment:
            Variables:
              # Best practice: Pass the secret's NAME or ARN to the function.
              # The function code will then use the AWS SDK to retrieve the secret.
              DB_SECRET_NAME: 'my-db-creds'
    ```

  3. Retrieve in Application Code: The application code within the Lambda function then uses the AWS SDK to retrieve the secret by its name at runtime. This ensures the credentials are never exposed in environment variables.
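Step 3 carried through in Python, as an added example that is not part of the article: the Lambda function reads DB_SECRET_NAME from its environment, fetches the secret with get_secret_value, validates the JSON, and caches it with a bounded TTL so a rotated password is picked up without a cold start. It assumes the secret JSON carries username, password and host keys; the client is injected so the logic runs offline against a fake, and the credentials in the checks are constructed values.

```python
import json
import os
import time
from typing import Any, Dict, Optional

# Keys this application expects inside the secret's JSON (assumed layout for the example).
REQUIRED_KEYS = ("username", "password", "host")
CACHE_TTL_SECONDS = 300  # bounded so a rotated secret is picked up without a cold start
_cache: Dict[str, tuple] = {}  # secret name -> (expires_at, parsed credentials)


def get_db_credentials(secret_name: str, client: Any, now: Optional[float] = None) -> Dict[str, str]:
    """Fetch the secret by name via get_secret_value, validate its JSON and cache it.

    `client` is any object exposing Secrets Manager's get_secret_value(SecretId=...)
    (a boto3 client inside Lambda, a fake in tests), so the logic runs offline.
    """
    now = time.time() if now is None else now
    hit = _cache.get(secret_name)
    if hit and hit[0] > now:
        return hit[1]
    resp = client.get_secret_value(SecretId=secret_name)
    if "SecretString" not in resp:
        raise RuntimeError("expected a string secret, got a binary one")
    try:
        data = json.loads(resp["SecretString"])
    except json.JSONDecodeError as exc:
        raise RuntimeError("secret is not a JSON document") from exc
    missing = [k for k in REQUIRED_KEYS if k not in data]
    if missing:
        # Name the missing keys, never the values, so the error is safe to log.
        raise RuntimeError(f"secret is missing keys: {missing}")
    _cache[secret_name] = (now + CACHE_TTL_SECONDS, data)
    return data


def handler(event: Any, context: Any, client: Any = None) -> Dict[str, str]:
    """Lambda entry point; DB_SECRET_NAME comes from the template's environment variable."""
    if client is None:
        import boto3  # present in the Lambda runtime; only imported when actually needed
        client = boto3.client("secretsmanager")
    creds = get_db_credentials(os.environ["DB_SECRET_NAME"], client)
    # Open the database connection with creds["host"], creds["username"], creds["password"];
    # return only non-sensitive information to the caller and never log the password.
    return {"connected_as": creds["username"], "host": creds["host"]}
```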

Comparison and Recommendations

| Method | Best For | Security Level |
| :--- | :--- | :--- |
| NoEcho Property | Preventing casual observation of non-critical values. | Low (Obfuscation) |
| SSM Parameter Store | General configuration, API keys, license codes. | High (Encrypted at rest) |
| AWS Secrets Manager | Database credentials, secrets requiring automatic rotation. | Highest (Encrypted + Rotation) |

For maximum security, always prefer dynamic references with AWS Secrets Manager or SSM Parameter Store over the NoEcho property.