I suggest you, to use dynamodb for keeping config values, with this approach the values are easily readable from the console and validated. Through this, we can change the values if necessary the app will pick the new values. Sensitive values are stored with the help of KMS keys and it can only be decrypted using the ec2 role only.
If you add new properties to DEV dynamodb instance then that should be part of your code to env, then env properties can also be updated along with the env, and have a validation test to ensure that env has the same set of properties.