
SSM Parameter Store

Quick summary: Free, hierarchical config/secret store. No auto-rotation. Use for configuration and lower-sensitivity secrets.

See also: Secrets Manager vs SSM Parameter Store for a detailed comparison.


Parameter Tiers

| Tier | Max Size | Advanced Features | Cost |
|---|---|---|---|
| Standard | 4 KB | No | Free |
| Advanced | 8 KB | Parameter policies, change notifications | $0.05/month |

Parameter Policies (Advanced Tier)

// Notify before expiration
[{
  "Type": "Expiration",
  "Version": "1.0",
  "Attributes": { "Timestamp": "2025-12-31T00:00:00.000Z" }
}, {
  "Type": "ExpirationNotification",
  "Version": "1.0",
  "Attributes": {
    "Before": "15",
    "Unit": "Days"
  }
}]

CloudFormation Integration

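# Reference SSM parameter directly in CloudFormation
# (this parameter type resolves String values only; CloudFormation does not
# support SecureString here, so a SecureString needs the dynamic reference below)
Parameters:
  DbPassword:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /prod/myapp/db-password

# Or using dynamic references (no Parameter section needed)
Resources:
  MyRdsInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      # "ssm-secure" selects a SecureString; the trailing ":1" is the parameter version
      MasterUserPassword: "{{resolve:ssm-secure:/prod/myapp/db-password:1}}"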

Dynamic Reference Types

| Type | Syntax | Use |
|---|---|---|
| SSM | {{resolve:ssm:/param/name}} | String / StringList |
| SSM-Secure | {{resolve:ssm-secure:/param/name}} | SecureString |
| Secrets Manager | {{resolve:secretsmanager:secret-id:SecretString:key}} | Secrets |
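
A check built on the table above, as an added example that is not part of the original page: it scans template text for dynamic references and flags secret-looking properties that resolve through `ssm`, which per the table serves only String / StringList and so implies the value is stored as a plaintext parameter. The `SENSITIVE` name pattern, the function names and the sample template are assumptions constructed for illustration.

```python
import re

# The three dynamic-reference forms listed in the table above.
REF = re.compile(r"\{\{resolve:(ssm-secure|ssm|secretsmanager):([^}]+)\}\}")
# Assumption: property names containing these words carry secrets.
SENSITIVE = re.compile(r"password|secret|token|api_?key", re.I)
PROP = re.compile(r"^\s*([A-Za-z0-9_]+)\s*:\s*(.+)$")


def parse_ref(service, body):
    """Split a reference body into parameter name and optional version."""
    if service != "secretsmanager":  # a secret-id may be an ARN with colons
        name, sep, tail = body.rpartition(":")
        if sep and tail.isdigit():
            return {"service": service, "name": name, "version": int(tail)}
    return {"service": service, "name": body, "version": None}


def audit(template_text):
    """Return (line_no, property, message) for secret-looking properties
    that resolve through the plaintext ssm reference type."""
    findings = []
    for no, line in enumerate(template_text.splitlines(), 1):
        m = PROP.match(line)  # comment lines start with '#' and never match
        if not m or not SENSITIVE.search(m.group(1)):
            continue
        for service, body in REF.findall(m.group(2)):
            ref = parse_ref(service, body)
            if ref["service"] == "ssm":
                findings.append((no, m.group(1),
                                 f"{ref['name']} uses ssm; expected "
                                 "ssm-secure or secretsmanager"))
    return findings


# Constructed sample template, not taken from the page.
SAMPLE = """\
Resources:
  Db:
    Type: AWS::RDS::DBInstance
    Properties:
      MasterUsername: "{{resolve:ssm:/prod/myapp/db-user}}"
      MasterUserPassword: "{{resolve:ssm:/prod/myapp/db-password}}"
      # MasterUserPassword: "{{resolve:ssm-secure:/prod/myapp/db-password:1}}"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
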

Lambda Integration

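import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestHandler;
import software.amazon.awssdk.services.ssm.SsmClient;
import software.amazon.awssdk.services.ssm.model.GetParameterRequest;

// Class name is illustrative
public class Handler implements RequestHandler<Object, String> {

    // At Lambda init time (runs once per cold start)
    private static final String DB_URL;
    static {
        SsmClient ssm = SsmClient.create();
        DB_URL = ssm.getParameter(GetParameterRequest.builder()
                .name("/prod/myapp/db-url")
                .withDecryption(true)
                .build()).parameter().value();
    }

    // Handler uses DB_URL; no SSM call on warm invocations, so a changed
    // parameter value is not picked up until the next cold start
    @Override
    public String handleRequest(Object event, Context context) {
        // use DB_URL
        return "ok"; // placeholder result; do not return the fetched value
    }
}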

🔗 Resources