Open nishant-dani opened 6 years ago
> "We can't really pass an encrypted version to the MasterPassword in the DBCluster template definition, because the DB (say AuroraDB) won't know it's supposed to decrypt it."

If you need to pass a value to something that isn't expecting encrypted input, you are going to have to decrypt it first. If you are interested in RDS specifically, you may wish to check out the recently announced AWS Secrets Manager (I haven't actually used it myself so I'm not entirely sure it's what you are looking for here).

> "In the second case we are also passing it in the clear to the lambda function, so it will be clear on the wire."

It won't be passed in the clear, it will be encrypted in transit just like any other API call would be.

> "I might be missing something about what exactly the encrypt will protect against."

It's meant to encrypt values at rest. e.g. I used to embed metadata in templates that got used by a dynamic inventory script for Ansible, but I didn't want the plaintext values exposed when describing the associated stack resource, so I used this to encrypt the metadata values. With that being said, this solution is fairly dated at this point, and there are likely better options available for your use case that weren't available when this was written. e.g. I now typically use a custom resource that stores values as a SecureString in Systems Manager Parameter Store.
I am a bit confused about the Fn::GetAtt usage within the CloudFormation script. This is apparently done to retrieve an encrypted version of the key so that the encrypted version can be passed to an AWS API. There are two issues here that I am not able to figure out:

1) We can't really pass an encrypted version to the MasterPassword in the DBCluster template definition, because the DB (say AuroraDB) won't know it's supposed to decrypt it. So in this case we are forced to pass it in the clear (PlainText). So internally CloudFormation will be creating the DBCluster with the plaintext value.

2) In the second case we are also passing it in the clear to the lambda function, so it will be clear on the wire.

I might be missing something about what exactly the encrypt will protect against.
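The "at rest" point in the reply above, worked through as an added example (not this project's code): a hypothetical custom-resource Lambda that writes the value to Systems Manager Parameter Store as a SecureString and hands CloudFormation only the parameter name, so `describe-stack-resources` and stack outputs never carry the plaintext. Parameter names, the `Name`/`Value`/`KeyId` property names and the `alias/aws/ssm` default are assumptions; `store_secret` takes the SSM client as an argument so it can be exercised without AWS.

```python
import json
import urllib.request
from typing import Any, Dict


def store_secret(event: Dict[str, Any], ssm) -> Dict[str, Any]:
    """Create/Update/Delete the SecureString; returns PhysicalResourceId and Data.

    The plaintext arrives in ResourceProperties (assumed keys: Name, Value,
    KeyId) and is never echoed back: only the parameter name is returned.
    """
    props = event["ResourceProperties"]
    name = props["Name"]
    if event["RequestType"] == "Delete":
        ssm.delete_parameter(Name=name)
        return {"PhysicalResourceId": name, "Data": {}}
    ssm.put_parameter(
        Name=name,
        Value=props["Value"],
        Type="SecureString",
        KeyId=props.get("KeyId", "alias/aws/ssm"),  # assumed default: account SSM key
        Overwrite=True,
    )
    # Consumers fetch it at the point of use with get_parameter(WithDecryption=True).
    return {"PhysicalResourceId": name, "Data": {"ParameterName": name}}


def build_response(event: Dict[str, Any], physical_id: str,
                   data: Dict[str, Any], status: str = "SUCCESS") -> Dict[str, Any]:
    """Body PUT to the pre-signed ResponseURL; NoEcho hides Data in the console."""
    return {
        "Status": status,
        "Reason": "See the CloudWatch log stream for details",
        "PhysicalResourceId": physical_id,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "NoEcho": True,
        "Data": data,
    }


def lambda_handler(event, context):
    import boto3  # present in the Lambda runtime; imported here so tests run offline
    # Never log `event` wholesale: ResourceProperties holds the plaintext.
    try:
        result = store_secret(event, boto3.client("ssm"))
        body = build_response(event, result["PhysicalResourceId"], result["Data"])
    except Exception:  # report FAILED so the stack does not hang on the resource
        pid = event.get("PhysicalResourceId", event["LogicalResourceId"])
        body = build_response(event, pid, {}, "FAILED")
    req = urllib.request.Request(event["ResponseURL"], method="PUT",
                                 data=json.dumps(body).encode(), headers={"Content-Type": ""})
    urllib.request.urlopen(req)
```

The Lambda role needs `ssm:PutParameter`, `ssm:DeleteParameter` and `kms:Encrypt` on the chosen key, and the template parameter feeding `Value` should still be declared with `NoEcho: true`.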