Secure Parameter

A secure parameter is a configurable value or setting used by an application, service, or system that is designed, stored, and handled with security in mind. Secure parameters exist to enforce security policies, protect sensitive data, and reduce the risk of vulnerabilities or attacks.

For example, in a web application, secure parameters may include configuration values such as encryption keys, authentication tokens, or access control lists (ACLs) that govern access to resources. Such parameters must be managed so that they are protected from unauthorized access or tampering.

In AWS Systems Manager Parameter Store, parameters come in two flavors: String and SecureString. A SecureString parameter is encrypted at rest, while a String parameter is stored in plaintext on AWS servers. However, SecureString parameters do not always align with security best practices for storing secrets, and AWS generally recommends a dedicated service such as Secrets Manager instead, which provides more advanced security features.

Secure parameters should be stored securely and accessed only by authorized users or applications. While SecureString parameters encrypt the value at rest, Parameter Store lacks certain security features such as resource policies to limit access, so who may read a parameter can be scoped only through the caller's IAM identity policy; this makes them less secure than other AWS services such as Secrets Manager.
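Because the caller's IAM identity policy is the only place where access to a SecureString can be scoped, that policy is what a practitioner audits. The following is an added example, not part of this glossary entry: it flags Allow statements that grant parameter reads beyond one application's parameter path. The ARN prefix, account id and key id are constructed placeholders, and statements that use NotAction or NotResource are not handled.

```python
"""Audit an IAM identity policy for over-broad reads of SSM SecureString parameters.

Added example, not part of the glossary entry. Parameter Store has no
resource policies, so the identity policy attached to the caller is the
only place where access to a SecureString can be scoped. The two policy
documents below are constructed samples, not real account data.
"""
import fnmatch

# Actions that return parameter values; a SecureString comes back in
# plaintext when the caller requests decryption and holds kms:Decrypt.
PARAM_READ_ACTIONS = ("ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath")
PREFIX = "arn:aws:ssm:us-east-1:111122223333:parameter/prod/app/"  # constructed

def _as_list(value):
    # IAM allows a single string or a list in Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    # IAM action names are case-insensitive and '*' is a wildcard.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def find_broad_parameter_reads(policy, allowed_prefix=PREFIX):
    """Return (statement index, resource) pairs for Allow statements that
    let the caller read parameters outside `allowed_prefix`.
    NotAction / NotResource statements are not evaluated here."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(_action_matches(p, a) for p in actions for a in PARAM_READ_ACTIONS):
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            if not resource.startswith(allowed_prefix):
                findings.append((idx, resource))
    return findings

# Weak: every parameter in the account, including all SecureStrings.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:Get*", "Resource": "*"},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"}]}

# Scoped: only the application's own path and the key that protects it.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:GetParameter", "ssm:GetParametersByPath"],
     "Resource": PREFIX + "*"},
    {"Effect": "Allow", "Action": "kms:Decrypt",
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"}]}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_broad_parameter_reads(pol) or "no findings")
```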

Parameterization is a common technique used to ensure that sensitive values are not hard-coded within application code or configuration files, reducing the risk of exposure to attackers. Instead, secure parameters are passed to the application at runtime or retrieved from secure storage locations.

By using secure parameters, organizations can reduce their attack surface, enforce security policies, and protect sensitive data from unauthorized access or disclosure. It remains essential, however, to weigh the security features and recommendations of the cloud platform in use.