HashiCorp Cloud Platform
index aws-parameter-store
Beta feature
This feature is currently available as beta. The beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features in production.
Note
You must have version 0.17.0 or higher of the Vault Radar CLI installed. To check the installed version, run vault-radar version.
The index aws-parameter-store command creates an index of the secure strings held in AWS Parameter Store in a given region.
Note
Only parameters of type SecureString are indexed, since that is the type Parameter Store designates for secret values; String and StringList parameters are treated as non-secret and skipped.
Authentication
The index aws-parameter-store command needs permission to read each parameter, its version history and its tags. The following simplified policy document grants that. Resource "*" is the simplified form: a production role should scope ssm:GetParameter, ssm:GetParameters, ssm:GetParameterHistory and ssm:ListTagsForResource to the ARNs of the parameters it is meant to index (arn:aws:ssm:<region>:<account>:parameter/<name>), while ssm:DescribeParameters does not support resource-level permissions and stays on "*".
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeParameters",
"ssm:GetParameterHistory",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:ListTagsForResource"
],
"Resource": "*"
}
]
}
See AWS Authentication for more information on how to authenticate with AWS.
Usage
Usage: vault-radar index aws-parameter-store [options]
Command options
--region, -r
: Specifies the region of AWS Parameter Store to scan (required)
--outfile, -o
: Specifies the file to write the index to (required)
--disable-ui
: Specifies that the scan summary should not be logged to stdout
HCP connection indexing behavior
Index commands require an HCP connection to run: the hashes in the index are generated with a shared salt fetched from HCP, so that the same secret produces the same hash across indexes and scans. To populate the HCP connection information, refer to the HCP upload page.
Generate an index file
Index files are generated in "online mode": each secret hash is computed with a salt provided by HCP rather than a local one, which is why the index is only comparable with scans run against the same HCP project. This requires the Project Service Principals to be configured for your system as outlined on the HCP upload page. To generate an index file from the SecureString parameters in a region:
$ vault-radar index aws-parameter-store \
-r <REGION CODE> \
-o <PATH TO OUTPUT>.jsonl
Consuming an index file
To consume the resulting index file, pass the --index-file flag to a scan command, for example:
$ vault-radar scan aws-s3 \
--bucket <BUCKET NAME> \
-r <REGION CODE> \
-o <PATH TO OUTPUT>.csv \
--index-file <PATH TO INDEX FILE>
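The following is an added example and not part of HashiCorp's documentation or CLI: a preflight script for the procedure above that checks the CLI version requirement, verifies that an IAM policy grants the five ssm actions listed in the Authentication section, builds a least-privilege replacement for the Resource "*" policy, and assembles the index and scan command lines from the flags shown on this page. The version string and policy embedded in it are constructed sample inputs; the exact output format of vault-radar version is not specified on the page, so parse_version assumes only that a dotted x.y.z version appears somewhere in it. The helper names are mine.

```python
"""Preflight for `vault-radar index aws-parameter-store` (added example,
not HashiCorp code). Runs offline; the sample inputs below are constructed."""
import json
import re
import subprocess

MIN_VERSION = (0, 17, 0)

# Actions the index command needs, as listed on the documentation page.
REQUIRED_ACTIONS = {
    "ssm:DescribeParameters",
    "ssm:GetParameterHistory",
    "ssm:GetParameter",
    "ssm:GetParameters",
    "ssm:ListTagsForResource",
}
# DescribeParameters has no resource-level permission support in IAM and
# must stay on Resource "*"; the other four accept parameter ARNs.
WILDCARD_ONLY = {"ssm:DescribeParameters"}


def parse_version(text):
    """Extract the first x.y.z triple from the CLI's version output.
    Assumption: a dotted version appears somewhere in the text."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in: %r" % text)
    return tuple(int(x) for x in m.groups())


def version_ok(text, minimum=MIN_VERSION):
    return parse_version(text) >= minimum


def granted_actions(policy):
    """Set of actions allowed by a policy document (dict)."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def missing_actions(policy):
    """Required actions the policy does not grant explicitly. A wildcard
    like ssm:* would satisfy AWS but is deliberately not expanded here:
    an indexing role should list its actions."""
    return REQUIRED_ACTIONS - granted_actions(policy)


def parameter_arn(region, account, name):
    # arn:aws:ssm:<region>:<account>:parameter/<name>; a leading "/" in
    # the parameter name is not doubled in the ARN.
    return "arn:aws:ssm:%s:%s:parameter/%s" % (region, account, name.lstrip("/"))


def scoped_policy(region, account, names):
    """Least-privilege replacement for the page's Resource "*" policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(WILDCARD_ONLY), "Resource": "*"},
            {"Effect": "Allow",
             "Action": sorted(REQUIRED_ACTIONS - WILDCARD_ONLY),
             "Resource": [parameter_arn(region, account, n) for n in names]},
        ],
    }


def index_command(region, outfile):
    """argv for the index run; flags are those in the page's usage section."""
    return ["vault-radar", "index", "aws-parameter-store", "-r", region, "-o", outfile]


def scan_command(bucket, region, outfile, index_file):
    """argv for an S3 scan that consumes the index file."""
    return ["vault-radar", "scan", "aws-s3", "--bucket", bucket, "-r", region,
            "-o", outfile, "--index-file", index_file]


# Constructed sample inputs: a too-old version string and the page's policy.
SAMPLE_VERSION_OUTPUT = "vault-radar v0.16.2"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS),
                   "Resource": "*"}],
}

if __name__ == "__main__":
    try:
        out = subprocess.run(["vault-radar", "version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        raise SystemExit("vault-radar not on PATH")
    if not version_ok(out):
        raise SystemExit("need Vault Radar CLI >= 0.17.0, got: %s" % out.strip())
    print(json.dumps(scoped_policy("us-east-1", "123456789012", ["/prod/db/password"]), indent=2))
    subprocess.run(index_command("us-east-1", "index.jsonl"), check=True)
    subprocess.run(scan_command("my-bucket", "us-east-1", "scan.csv", "index.jsonl"), check=True)
```

missing_actions is strict on purpose: it reports a policy that relies on ssm:* as incomplete, which is the right default for a role whose only job is to read parameters. The scoped_policy output is what to hand to the role instead of the simplified document above once you know which parameter paths the index should cover.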