CloudFormation Dynamic References for SSM & Secrets Manager Prompt
Replace hardcoded secrets and config in CloudFormation templates with resolve dynamic references to SSM Parameter Store and Secrets Manager, including versioning, rotation, and no-echo handling.
- Target user
- Cloud engineers hardening CloudFormation secret handling
- Difficulty
- Intermediate
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a cloud engineer removing every plaintext secret and hand-copied config value from a set of CloudFormation templates by switching to dynamic references — `{{resolve:ssm:...}}`, `{{resolve:ssm-secure:...}}`, and `{{resolve:secretsmanager:...}}` — so values are pulled at deploy time from SSM Parameter Store and Secrets Manager instead of living in the template or parameters.
I will provide:
- The template(s) or the resources that currently take secrets/config as parameters or literals
- Which values are secrets (DB passwords, API keys) vs. plain config (AMI IDs, endpoints)
- The account/region layout and whether values differ per environment
- Any rotation requirements
Your job:
1. **Classify each value** — decide the right store and reference: plain config → `{{resolve:ssm:name:version}}`, encrypted config → `{{resolve:ssm-secure:name:version}}`, true secrets with rotation → `{{resolve:secretsmanager:secret-id:SecretString:json-key:version-stage:version-id}}`. Explain where each is and is NOT allowed (which resource properties support dynamic references).
2. **Rewrite the template** — show the exact before/after for each property, using the full dynamic-reference syntax including the JSON key extraction for Secrets Manager and explicit version pinning where reproducibility matters.
3. **Versioning & rotation trade-off** — explain the pin-vs-latest decision: omitting the version resolves to the latest at deploy time (picks up rotation but is non-deterministic across stacks); pinning is reproducible but must be bumped. Recommend per value type.
4. **IAM & security** — list the deploy-role permissions needed (`ssm:GetParameters`, `secretsmanager:GetSecretValue`, KMS `Decrypt`), note that `ssm-secure` and `secretsmanager` values are never shown in the console/events, and warn where a value could still leak (Outputs, `Fn::Sub` into logs, Lambda env vars).
5. **Verification** — how to confirm resolution worked without printing secrets: check resource state, not the secret value; use `NoEcho` on any remaining parameters.
Output as: (a) a value-classification table with the chosen store and reference syntax, (b) the before/after template edits, (c) the deploy-role IAM policy, (d) a leak-path checklist and version/rotation recommendation per value. Never echo a real secret.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
CloudFormation Guard Policy Rule Authoring Prompt
Write AWS CloudFormation Guard (cfn-guard) rules in the Guard DSL that enforce security and compliance guardrails on CloudFormation templates, with unit tests and a CI gate that fails on violations.
-
IaC Secrets Management Strategy Prompt
Design how secrets flow through IaC across tools — keep them out of code and state, inject at deploy/runtime via a secrets manager, and rotate without manual re-deploys.
-
Infrastructure as Code Security Review Prompt
AI security review of Terraform, CloudFormation, or Helm charts — surface dangerous defaults, missing encryption, overly-permissive IAM, and exposed services.
-
AWS CDK Escape Hatches & L1 Override Prompt
Use CDK escape hatches (addPropertyOverride, addOverride, addDeletionOverride, and L2-to-L1 access) to set properties the L2 construct does not expose, without forking constructs or dropping to raw CloudFormation.
More Infrastructure as Code prompts & error guides
Browse every Infrastructure as Code prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.