SSM Parameter Store

Quick summary: Free, hierarchical config/secret store. No auto-rotation. Best for application configuration and lower-sensitivity secrets.

See also: Secrets Manager vs SSM Parameter Store for a detailed comparison.


🔰 What Is Parameter Store?

Parameter Store is a centralized, hierarchical configuration management service. Think of it as a key-value store organized in folders, like a filesystem for configuration.


Parameter Types & Tiers

Types

| Type | Encryption | Use case | Example |
|---|---|---|---|
| String | None | URLs, feature flags, config | jdbc:mysql://db.example.com:3306/mydb |
| StringList | None | Comma-separated values | us-east-1,eu-west-1,ap-southeast-1 |
| SecureString | KMS encrypted | Passwords, API keys | SuperSecret123! |

Tiers

| Feature | Standard | Advanced |
|---|---|---|
| Max size | 4 KB | 8 KB |
| Max parameters | 10,000 | 100,000 |
| Parameter policies | ❌ | ✅ (expiration, notification) |
| Throughput | 40 TPS (default) | Up to 10,000 TPS |
| Cost | Free | $0.05/month per parameter |
| Higher throughput | Extra charge | Included |

Hierarchical Organization

/ (root)
├── prod/
│   ├── myapp/
│   │   ├── db-url          String
│   │   ├── db-password     SecureString (KMS encrypted)
│   │   ├── db-port         String
│   │   ├── feature-flags   StringList
│   │   └── api-key         SecureString
│   └── shared/
│       ├── cors-origins    StringList
│       └── jwt-secret      SecureString
├── staging/
│   └── myapp/
│       ├── db-url          String
│       └── db-password     SecureString
└── dev/
    └── myapp/
        ├── db-url          String
        └── db-password     SecureString

Benefits of Hierarchy

  • GetParametersByPath: load all config for an environment in one call
  • IAM scoping: restrict access by path prefix
  • Environment isolation: same parameter names, different paths

// IAM policy statement: allow the dev team to read only /dev/ parameters
{
  "Effect": "Allow",
  "Action": ["ssm:GetParameter*"],
  "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/dev/*"
}

Java SDK Integration

Lambda: Load Config at Init Time

import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestHandler;
import com.amazonaws.services.lambda.runtime.events.APIGatewayProxyRequestEvent;
import com.amazonaws.services.lambda.runtime.events.APIGatewayProxyResponseEvent;
import software.amazon.awssdk.services.ssm.SsmClient;
import software.amazon.awssdk.services.ssm.model.GetParametersByPathRequest;
import software.amazon.awssdk.services.ssm.model.Parameter;

import java.util.Map;
import java.util.stream.Collectors;

public class OrderHandler implements RequestHandler<APIGatewayProxyRequestEvent, APIGatewayProxyResponseEvent> {

    private static final SsmClient SSM = SsmClient.create();
    private static final Map<String, String> CONFIG;

    // Load ALL config at init time (runs once per cold start)
    static {
        GetParametersByPathRequest request = GetParametersByPathRequest.builder()
                .path("/prod/myapp/")
                .withDecryption(true)   // SecureString values are returned decrypted (role needs kms:Decrypt)
                .recursive(true)
                .build();

        // The paginator follows NextToken; a single getParametersByPath call returns at most one page
        CONFIG = SSM.getParametersByPathPaginator(request).parameters().stream()
                .collect(Collectors.toMap(
                        p -> p.name().substring(p.name().lastIndexOf('/') + 1), // Extract leaf param name
                        Parameter::value)); // toMap throws if two sub-paths share a leaf name, so collisions fail at init
    }

    @Override
    public APIGatewayProxyResponseEvent handleRequest(APIGatewayProxyRequestEvent event, Context context) {
        String dbUrl = CONFIG.get("db-url");
        String apiKey = CONFIG.get("api-key");
        // Use cached config: no SSM calls on warm invocations
        return new APIGatewayProxyResponseEvent().withStatusCode(200);
    }
}

ECS Task Definition

{
  "containerDefinitions": [{
    "name": "myapp",
    "secrets": [
      {
        "name": "DB_PASSWORD",
        "valueFrom": "arn:aws:ssm:us-east-1:123:parameter/prod/myapp/db-password"
      },
      {
        "name": "API_KEY",
        "valueFrom": "arn:aws:ssm:us-east-1:123:parameter/prod/myapp/api-key"
      }
    ]
  }]
}

CloudFormation Integration

# Method 1: Parameters section (String/StringList only, NOT SecureString)
Parameters:
  DbUrl:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /prod/myapp/db-url

# Method 2: Dynamic references (works with ALL types including SecureString)
Resources:
  MyRdsInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql
      # String parameter
      DBName: "{{resolve:ssm:/prod/myapp/db-name}}"
      # SecureString parameter (MUST use ssm-secure)
      MasterUserPassword: "{{resolve:ssm-secure:/prod/myapp/db-password:1}}"
      # Secrets Manager
      # MasterUserPassword: "{{resolve:secretsmanager:prod/db-secret:SecretString:password}}"
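A template check for the rule above (a SecureString must be resolved with ssm-secure, never with plain ssm or a Parameters-section type). This is an added example, not the page's or AWS's code: the dynamic-reference grammar is reduced to the three services shown on this page, and the sample template and parameter inventory are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches {{resolve:<service>:<body>}} for the three services this page lists.
DYNAMIC_REF = re.compile(r"\{\{resolve:(ssm|ssm-secure|secretsmanager):([^}]+)\}\}")
# Parameters-section SSM types; the page notes there is no SecureString variant.
SSM_PARAM_TYPE = re.compile(r"AWS::SSM::Parameter::Value<([^>]+)>")

@dataclass
class DynamicRef:
    service: str
    name: str
    version: Optional[str]  # SSM parameter version when pinned (e.g. ":1")
    extra: tuple            # secretsmanager selectors such as SecretString:password

def parse_dynamic_refs(text: str):
    refs = []
    for m in DYNAMIC_REF.finditer(text):
        service, parts = m.group(1), m.group(2).split(":")
        if service == "secretsmanager":
            refs.append(DynamicRef(service, parts[0], None, tuple(parts[1:])))
        else:  # ssm / ssm-secure: name, then optional version
            refs.append(DynamicRef(service, parts[0], parts[1] if len(parts) > 1 else None, ()))
    return refs

def lint_template(text: str, parameter_types: dict):
    """parameter_types maps parameter name -> String | StringList | SecureString."""
    findings = []
    for ref in parse_dynamic_refs(text):
        if ref.service == "ssm" and parameter_types.get(ref.name) == "SecureString":
            findings.append(f"{ref.name}: SecureString referenced via 'ssm'; use ssm-secure")
    for m in SSM_PARAM_TYPE.finditer(text):
        if m.group(1) == "SecureString":
            findings.append("Parameters section cannot resolve SecureString; use a dynamic reference")
    return findings

# Constructed sample template and parameter inventory (not from a real stack).
SAMPLE_TEMPLATE = """
Parameters:
  DbPassword:
    Type: AWS::SSM::Parameter::Value<SecureString>
Resources:
  Db:
    Properties:
      DBName: "{{resolve:ssm:/prod/myapp/db-name}}"
      MasterUserPassword: "{{resolve:ssm:/prod/myapp/db-password}}"
      MasterUsername: "{{resolve:secretsmanager:prod/db-secret:SecretString:username}}"
"""
PARAM_TYPES = {"/prod/myapp/db-name": "String", "/prod/myapp/db-password": "SecureString"}
```

Running `lint_template(SAMPLE_TEMPLATE, PARAM_TYPES)` reports both mistakes in the sample; a template that uses ssm-secure for the password is clean.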

Parameter Policies (Advanced Tier)

// Expiration: delete the parameter after the given date
{
  "Type": "Expiration",
  "Version": "1.0",
  "Attributes": { "Timestamp": "2025-12-31T00:00:00.000Z" }
}

// Notification before expiration
{
  "Type": "ExpirationNotification",
  "Version": "1.0",
  "Attributes": { "Before": "15", "Unit": "Days" }
}

// Alert if not updated for N days
{
  "Type": "NoChangeNotification",
  "Version": "1.0",
  "Attributes": { "After": "90", "Unit": "Days" }
}

SecureString & KMS

Reading a SecureString requires TWO permissions:

{
  "Effect": "Allow",
  "Action": [
    "ssm:GetParameter", // Permission to read the parameter
    "kms:Decrypt"       // Permission to decrypt with the KMS key
  ],
  "Resource": [
    "arn:aws:ssm:us-east-1:123:parameter/prod/myapp/*",
    "arn:aws:kms:us-east-1:123:key/my-key-id"
  ]
}
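The path-scoped dev-team policy from the hierarchy section and the two-permission rule for SecureString can both be checked offline with a small IAM-style evaluator. This is an added example, not the page's or AWS's code: the policies, account id and KMS key id are constructed placeholders, and the matcher implements only the wildcard and Allow/Deny rules this page relies on (no Condition blocks, no resource or SCP policies).

```python
import re

# Constructed sample policies for this example (placeholder account and key ids).
DEV_TEAM_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["ssm:GetParameter*"],
    "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/dev/*",
}]}
LAMBDA_ROLE_POLICY = {"Statement": [{  # grants ssm:GetParameter but forgets kms:Decrypt
    "Effect": "Allow",
    "Action": "ssm:GetParameter",
    "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/prod/myapp/*",
}]}
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"

def _match(pattern, value, case_sensitive):
    """IAM wildcard matching: '*' spans any characters (including '/'), '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def param_arn(region, account, name):
    """SSM parameter ARN: the leading '/' of a hierarchical name is dropped after 'parameter'."""
    return f"arn:aws:ssm:{region}:{account}:parameter/{name.lstrip('/')}"

def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise any matching Allow grants; default is deny."""
    allowed = False
    for st in policy["Statement"]:
        action_hit = any(_match(a, action, False) for a in _as_list(st["Action"]))
        resource_hit = any(_match(r, resource, True) for r in _as_list(st["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def missing_for_secure_read(policy, parameter_arn, key_arn):
    """A SecureString read needs ssm:GetParameter on the parameter AND kms:Decrypt on its key."""
    needed = [("ssm:GetParameter", parameter_arn), ("kms:Decrypt", key_arn)]
    return [action for action, res in needed if not is_allowed(policy, action, res)]
```

`missing_for_secure_read(LAMBDA_ROLE_POLICY, ...)` returns `["kms:Decrypt"]`, which is the AccessDeniedException case from the practice questions.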

Parameter Store vs Environment Variables

| Feature | SSM Parameter Store | Lambda env variables |
|---|---|---|
| Max size | 4-8 KB per param | 4 KB total |
| Encryption | KMS (SecureString) | KMS (optional) |
| Centralized | ✅ Shared across functions | ❌ Per-function |
| Versioning | ✅ | ❌ |
| Hierarchy | ✅ | ❌ |
| Dynamic updates | ✅ (next cold start) | ❌ (redeploy required) |
| Cost | Free (Standard) | Free |

🎯 DVA-C02 Exam Tips

SSM Parameter Store Exam Cheat Sheet
  1. Free for Standard tier (up to 10,000 parameters)
  2. SecureString needs BOTH ssm:GetParameter AND kms:Decrypt permissions
  3. CloudFormation SecureString = MUST use {{resolve:ssm-secure:...}}
  4. GetParametersByPath = load all config under a path prefix in one call
  5. No auto-rotation: use a custom Lambda or Secrets Manager instead
  6. Advanced tier = parameter policies (expiration, notification)
  7. ECS secrets can reference SSM parameters directly
  8. Hierarchy enables IAM path-based access control

🧪 Practice Questions

Q1. CloudFormation template needs SecureString from SSM. How?

A) AWS::SSM::Parameter::Value<SecureString>
B) {{resolve:ssm-secure:/path/to/param}}
C) Direct string in template
D) Custom resource

✅ Answer & Explanation

B: SecureString in CloudFormation requires dynamic references with ssm-secure. The Parameters section doesn't support the SecureString type.


Q2. App needs auto-rotating DB password. Which service?

A) Secrets Manager
B) SSM Parameter Store
C) KMS
D) IAM

✅ Answer & Explanation

A: Secrets Manager has native auto-rotation for RDS. SSM Parameter Store has no built-in rotation.


Q3. Lambda reads SecureString but gets AccessDeniedException. Role has ssm:GetParameter. What's missing?

A) ssm:DescribeParameters
B) kms:Decrypt on the KMS key
C) ssm:GetParameters
D) VPC endpoint

✅ Answer & Explanation

B: SecureString is encrypted with KMS. The role needs both ssm:GetParameter AND kms:Decrypt.


🔗 Resources