Question #898
A developer is deploying a serverless application using AWS CloudFormation. The application requires an API key stored in AWS Systems Manager Parameter Store as a plaintext parameter. The developer needs to securely reference this API key within the CloudFormation template to configure the application during stack creation. Which method should the developer use to retrieve the API key from Parameter Store?
A. Use the SSM dynamic reference.
B. Use the GetAtt intrinsic function.
C. Use the Fn::ImportValue intrinsic function.
D. Use the SecretsManager dynamic reference.
Explanation
Answer A is correct because AWS CloudFormation's SSM dynamic reference (e.g., {{resolve:ssm:parameter-name:version}}) allows secure retrieval of values stored in SSM Parameter Store. This method ensures the API key remains encrypted and is only resolved during stack operations, avoiding exposure in the template.
Why other options are incorrect:
- B. GetAtt: The GetAtt intrinsic function retrieves attributes of resources created within the same template (e.g., an S3 bucket ARN), not external parameters like SSM values.
- C. Fn::ImportValue: This imports values exported by another CloudFormation stack, not parameters stored in SSM.
- D. SecretsManager: This dynamic reference retrieves secrets from AWS Secrets Manager, not SSM Parameter Store.
Key Points:
1. Use SSM dynamic references ({{resolve:ssm...}}) to securely fetch parameters from SSM Parameter Store.
2. Ensure the CloudFormation execution role has permissions to read the SSM parameter.
3. Dynamic references keep sensitive values encrypted and resolve them only during deployment.
Answer
The correct answer is: A