Section Based: Category: SEC – Data Protection
-
An organization uses several EC2 instances to manage and push the regular updates to a fleet of 3,000 Internet of Things (IoT) field devices that monitor the city’s air quality. Each IoT device has unique access credentials used to communicate to the instances. The Security Engineer has been instructed to ensure that access to specific credentials is independently auditable.
What is the MOST cost-effective way to manage the storage of credentials?
The answer to the question is flagged as:
Store the credentials in AWS Systems Manager Parameter Store as standard parameters.
Just looking for information on how this is the correct answer when it doesn’t mention using “secure string” parameters and therefore I would assume the default option of “string” would be used to hold these access credentials?
-
Hi fip,
Thank you for raising this concern. When storing sensitive information such as IoT credentials in AWS Systems Manager Parameter Store, the correct approach is to use SecureString parameters, not plain String. A SecureString automatically encrypts the data using AWS Key Management Service (KMS) and ensures that credentials remain secure while still being fully auditable through AWS CloudTrail. The mention of “standard parameters” in the explanation refers to the free Standard tier, which supports SecureString without any extra cost. This makes it both secure and cost-effective compared to alternatives like AWS Secrets Manager, which adds more features such as rotation but at a higher cost.
In short, the credentials should be stored as SecureString standard parameters in Parameter Store. This way, the organization meets both the security requirement (encrypted and protected) and the audit requirement (independent tracking of access), while keeping costs minimal.
If you have further questions or need additional clarification, please don’t hesitate to contact us.
Best,
Irene @ Tutorials Dojo
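
To make the "independently auditable" point from the reply above concrete, here is an added example (not part of the forum thread or of Tutorials Dojo's material) that groups CloudTrail read events per parameter and flags reads from outside the expected role. The events are constructed samples, and the parameter paths, the `iot-updater` role name and the account ID are assumptions.

```python
import json
from collections import defaultdict

# Constructed CloudTrail records (not from a real account); only the fields used here.
EVENTS = json.loads("""[
 {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ssm.amazonaws.com", "eventName": "GetParameter",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/iot-updater/i-0aaa"},
  "requestParameters": {"name": "/iot/device-0001/credential", "withDecryption": true}},
 {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ssm.amazonaws.com", "eventName": "GetParameters",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/iot-updater/i-0bbb"},
  "requestParameters": {"names": ["/iot/device-0001/credential", "/iot/device-0002/credential"],
                        "withDecryption": true}},
 {"eventTime": "2024-05-01T10:10:00Z", "eventSource": "ssm.amazonaws.com", "eventName": "GetParameter",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst"},
  "requestParameters": {"name": "/iot/device-0002/credential", "withDecryption": true}},
 {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "ssm.amazonaws.com", "eventName": "DescribeParameters",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst"}, "requestParameters": null}
]""")

ALLOWED_PREFIX = "arn:aws:sts::111122223333:assumed-role/iot-updater/"  # hypothetical role


def reads_by_parameter(events):
    """Map each parameter name to its (time, caller ARN, decrypted) read records."""
    reads = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "ssm.amazonaws.com":
            continue
        req = ev.get("requestParameters") or {}  # CloudTrail may log null here
        if ev.get("eventName") == "GetParameter":
            names = [req.get("name")]
        elif ev.get("eventName") == "GetParameters":
            names = req.get("names") or []
        else:
            continue  # only these two read calls are handled in this example
        caller = (ev.get("userIdentity") or {}).get("arn", "unknown")
        for name in filter(None, names):
            reads[name].append((ev["eventTime"], caller, bool(req.get("withDecryption"))))
    return dict(reads)


def unexpected_reads(reads, allowed_prefix):
    """Keep only reads made by callers outside the expected role."""
    flagged = {}
    for name, records in reads.items():
        outside = [r for r in records if not r[1].startswith(allowed_prefix)]
        if outside:
            flagged[name] = outside
    return flagged


if __name__ == "__main__":
    for name, records in unexpected_reads(reads_by_parameter(EVENTS), ALLOWED_PREFIX).items():
        print(name, records)
```
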