Tags: amazon-web-services, jenkins, amazon-ec2, amazon-kms, aws-cloudformation

AWS SSM Parameter Store with CloudFormation


From the CFN docs I can see that I can create an AWS::SSM::Parameter. I also see how I can create a KMS Master Key.

However, the type parameter on the SSM:Parameter in the doc page does not list the secure string type.

Is there a way that I can do the following in a CloudFormation template:

1) create KMS Key
2) use KMS key to encrypt a param
3) pull that param in User-Data for an EC2 instance

I will be running the CFN template from a Jenkins job with the value of the param in a Jenkins password parameter. I can also set "NoEcho": true on the template's parameter so it's not echoed in the CloudFormation console.


Solution

  • There seems to be a way to use a custom resource to do this, in combination with a Lambda function.
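
One way to write the Lambda handler behind such a custom resource, as an added example that is not from the original answer: it stores the value as a SecureString under the stack's KMS key and never returns or logs it. The property names `Name`, `Value` and `KeyId` and the `NOT_CREATED` marker are assumptions of this example.

```python
import json
import urllib.request

NOT_CREATED = "not-created"  # placeholder id when no parameter was written


def send_response(event, context, status, physical_id, reason=""):
    """PUT the result to the pre-signed ResponseURL CloudFormation supplies."""
    body = json.dumps({
        "Status": status,
        "Reason": reason or "See log stream " + context.log_stream_name,
        "PhysicalResourceId": physical_id,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "NoEcho": True,  # mask custom resource output in the stack
        "Data": {},      # the secret is never returned to CloudFormation
    }).encode()
    # An empty Content-Type stops urllib adding a default one to the request.
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req, timeout=10)
    return body


def handler(event, context, ssm=None, respond=send_response):
    # Do not log `event`: ResourceProperties carries the plaintext value.
    props = event["ResourceProperties"]
    physical_id = event.get("PhysicalResourceId", NOT_CREATED)
    try:
        if ssm is None:
            import boto3  # available in the Lambda Python runtime
            ssm = boto3.client("ssm")
        if event["RequestType"] == "Delete":
            if physical_id != NOT_CREATED:
                try:
                    ssm.delete_parameter(Name=physical_id)
                except ssm.exceptions.ParameterNotFound:
                    pass  # already gone; deletion is idempotent
        else:
            ssm.put_parameter(
                Name=props["Name"], Value=props["Value"], Type="SecureString",
                KeyId=props["KeyId"],  # key id/ARN of the AWS::KMS::Key resource
                Overwrite=event["RequestType"] == "Update")
            physical_id = props["Name"]
        return respond(event, context, "SUCCESS", physical_id)
    except Exception as exc:
        # Report only the exception class; a message could echo the value.
        return respond(event, context, "FAILED", physical_id, type(exc).__name__)
```

For step 3 of the question, the instance role needs `ssm:GetParameter` on the parameter and `kms:Decrypt` on the key, and the user data can then read the value with `aws ssm get-parameter --with-decryption`.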