AWS Certified Developer – Associate / Question #567 of 557

Question #567

A developer is deploying a microservice on Amazon Elastic Container Service (Amazon ECS). The service requires secure storage and retrieval of configuration parameters, including a database connection string, an external API endpoint URL, and feature toggle settings. The database connection string is sensitive, while the API URL and feature toggles are non-sensitive but must be consistent across all current and future deployments in development, staging, and production environments. The solution must minimize changes to the application code.

How should the developer retrieve these parameters with the LEAST code modification?

A

Update the application to fetch parameters from AWS Systems Manager Parameter Store for the API URL and feature toggles. Store the database connection string in AWS Secrets Manager, using environment-specific paths for each parameter.

B

Update the application to retrieve all parameters using AWS Key Management Service (AWS KMS). Encrypt the API URL, feature toggles, and database connection string as separate keys per environment.

C

Store all parameters in an encrypted configuration file bundled with the application. Use environment-specific files for each deployment and decrypt them at runtime.

D

Define all parameters directly in the ECS task definition as environment variables. Encrypt sensitive values using AWS KMS and reference them dynamically during deployment.

Explanation

Option A is correct because:
1. Parameter Store is ideal for non-sensitive parameters (API URL, feature toggles) as it supports hierarchical paths (e.g., /dev/api-url, /prod/api-url), enabling environment-specific values without code changes.
2. Secrets Manager securely stores the sensitive database connection string, providing automatic encryption, rotation, and access control.
3. Both services integrate natively with ECS: the task definition's `secrets` field can reference a Parameter Store parameter or a Secrets Manager secret by ARN, and ECS injects the value as an ordinary environment variable at container start, so the application code only reads environment variables and needs no SDK calls.
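
As an added illustration (not part of the original question), the ECS task definition fragment below shows the pattern described in point 3: all three values arrive as environment variables, with the non-sensitive ones read from Parameter Store paths and the connection string from Secrets Manager. The account ID, region, role, image, parameter names and secret ARN are placeholders, not values from the page.

```json
{
  "family": "orders-service",
  "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
  "containerDefinitions": [
    {
      "name": "orders",
      "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/orders:1.0",
      "essential": true,
      "secrets": [
        {
          "name": "API_URL",
          "valueFrom": "arn:aws:ssm:us-east-1:123456789012:parameter/prod/api-url"
        },
        {
          "name": "FEATURE_TOGGLES",
          "valueFrom": "arn:aws:ssm:us-east-1:123456789012:parameter/prod/feature-toggles"
        },
        {
          "name": "DB_CONNECTION_STRING",
          "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/orders/db-PLACEHOLDER"
        }
      ]
    }
  ]
}
```

The task execution role (not the task role) is what fetches these values, so it needs `ssm:GetParameters` on the parameters, `secretsmanager:GetSecretValue` on the secret, and `kms:Decrypt` on any customer managed key used for SecureString parameters or the secret; a staging deployment changes only the `/prod/` path segment in the ARNs, leaving the container image untouched.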

Other options are incorrect because:
- B: AWS KMS is not designed for parameter storage; it requires manual encryption/decryption logic, increasing code complexity.
- C: Bundling encrypted files introduces deployment overhead and requires code changes to handle decryption and environment-specific files.
- D: Storing all parameters in the task definition complicates environment management and requires redeployments for updates.

Key Points: Use Parameter Store for configuration data, Secrets Manager for secrets, and leverage environment paths for consistency.

Answer

The correct answer is: A