
shog_hn | 4 years ago

This looks interesting. All the best for your release!

I have a few small feedback items:

- The AWS Account ID is not very well blanked out in your documentation. I can easily see what the actual digits are (under the red scratched out parts).
- I realise English is not your first language, but there are many typos and mistakes in the documentation. Once you get a bit further on, it'll be worth sending it to someone to do an edit pass to clean it up a little :)
- Some of the AWS terms are incorrectly written in documentation. For example 'SecureSecret' instead of 'SecureString'.
- On the subject of secrets, would a better option not be to store a Secret using AWS Secrets Manager with the value you need to acquire? Also, I know you mention that the secret value is used and never stored, but how do we know that? If you have access to the secret via ARN and IAM policy, then in theory if your SaaS was compromised, the secret is still retrievable from the customer's account. How about using something like Vault to store secrets?
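The last point above is about what a cross-account IAM grant actually exposes: whoever holds the vendor's role can call `ssm:GetParameter` on whatever the customer's policy lets it reach, for as long as the grant exists. The toy evaluator below is an added example written for this thread, not code from the product or from any commenter. It reproduces IAM's basic decision order (explicit Deny wins, then any matching Allow, otherwise implicit deny) with `fnmatch`-style wildcards, and compares an over-broad policy with a path-scoped one. The account ID, region and parameter names are constructed placeholders, and the evaluator ignores Condition blocks and NotAction/NotResource, so it is an illustration of the blast radius, not a substitute for the IAM policy simulator.

```python
"""Minimal IAM-style policy evaluator for SSM Parameter Store reads.

Added illustration for the point raised in the thread: a role that a SaaS
vendor assumes in the customer's account can read any parameter its
policy allows, at any time.  Scoping the Resource limits the exposure to
the one secret the customer meant to share; it does not make that secret
"never stored" anywhere the vendor can reach.
"""
from fnmatch import fnmatchcase

# Constructed sample account with two parameters.  Only the first should
# ever be visible to the vendor's role.
ACCOUNT = "111111111111"                      # placeholder account ID
ARN_PREFIX = f"arn:aws:ssm:us-east-1:{ACCOUNT}:parameter"
VENDOR_PARAM = f"{ARN_PREFIX}/vendor/api-token"
PAYROLL_PARAM = f"{ARN_PREFIX}/payroll/db-password"
ALL_PARAMS = [VENDOR_PARAM, PAYROLL_PARAM]

# Over-broad grant: every parameter in the account is readable, payroll
# included, so a compromised SaaS exposes far more than its own secret.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:GetParameter*", "Resource": "*"},
    ],
}

# Least-privilege grant: read-only on the vendor path, plus an explicit
# Deny on the payroll path so a later Allow elsewhere cannot widen it.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ssm:GetParameter", "ssm:GetParameters"],
            "Resource": f"{ARN_PREFIX}/vendor/*",
        },
        {"Effect": "Deny", "Action": "ssm:*", "Resource": f"{ARN_PREFIX}/payroll/*"},
    ],
}


def _as_list(value):
    """Action and Resource may be a single string or a list in IAM JSON."""
    return [value] if isinstance(value, str) else list(value)


def _action_matches(patterns, action):
    """IAM action names are case-insensitive and support '*' wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, arn):
    """Resource ARNs are case-sensitive; '*' matches across '/' as in IAM."""
    return any(fnmatchcase(arn, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' for one request against one policy.

    Order mirrors IAM: an explicit Deny on a matching statement ends the
    evaluation, a matching Allow sets the decision, and a request that no
    statement matches is implicitly denied.
    """
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _action_matches(stmt.get("Action", []), action):
            continue
        if not _resource_matches(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def readable_parameters(policy, params=ALL_PARAMS):
    """List the parameters a role holding this policy could read: the
    blast radius if the vendor side were compromised."""
    return [p for p in params if evaluate(policy, "ssm:GetParameter", p) == "Allow"]


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name:>6}: {len(readable_parameters(policy))} of {len(ALL_PARAMS)} readable")
```

Running it shows the broad policy exposing both parameters and the scoped one exposing only the vendor token. The vendor token itself is still readable under both policies, which is the residual risk the comment describes; the customer can shrink the grant but cannot verify from outside how the value is handled once read.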


gizdan|4 years ago

> On the subject of secrets, would a better option not be to store a Secret using AWS Secrets Manager with the value you need to acquire

You could do that, but you can also throw money in the bin. Secrets Manager is basically a paid-for wrapper around SSM Parameter Store. Last I checked, the only nice thing it had was automatic key rotation. The price for that? 50 cents per secret per month. That will add up pretty quick.

bradknowles|4 years ago

Secrets Manager has an SLA. Parameter Store doesn’t.

If Parameter Store goes down or suffers a huge slowdown, well, that's just your problem.

If Secrets Manager goes down or suffers a huge slowdown, then you’ve got some recourse to support — and getting your money back.

Parameter Store is also a one-by-one thing per each and every secret you want to store, whereas Secrets Manager lets you store a whole bunch of components inside of one “secret”.

It’s your choice either way, but for me personally, I’d rather use a service that has an SLA.

igorzij|4 years ago

Yep, that's exactly the reason why we went with Parameter Store. We'd rather build a UI on top of that than let users down by sending them to the AWS UI :)

igorzij|4 years ago

Thanks so much!! Extremely helpful, and we'll address that ASAP.