AWS Systems Manager Parameter Store (SSM PS) with focus on Security, Centralized Configuration & Secrets Management | Overview.
Focus:
- Intro,
- Core Features,
- Tiers and Limits,
- Parameter Store vs. Secrets Manager,
- Architecture,
- concept (Deep Dive)
- Common Use Cases,
- Table for Parameter Types,
- Table for Parameter Tiers,
- Security Architecture for SSM Parameter Store with shared responsibility,
- Layers of
- Access Control (IAM Policies & Conditions with scope access),
- Sample IAM policy with read-only access for Dev parameters,
- Encrypting with KMS (SecureString parameters) via AWS CLI,
- SSM PS Integration with other AWS Services,
- Sample KMS Policy for Cross-Account (allowing Lambda in another account to decrypt a parameter)
- Versioning, Auditing, & Change Management (auto),
- Table for SSM PS Integration with other AWS Services,
- Automation Patterns & Advanced Use Cases,
- Best Practices
- Anti-Patterns (Wrong Practices),
- Sample End-to-End Setup Creation of a Secure Parameter with AWS CLI,
- Sample End-to-End Setup Creation of a Secure Parameter with Python.
Intro:
- AWS Systems Manager Parameter Store (SSM PS) is a serverless, hierarchical storage service for managing configuration data and secrets.
- SSM PS centralizes the storage of values like:
- database strings,
- API keys,
- Amazon Machine Image (AMI) IDs,
- This allows twtech to separate configuration from code.
- Data Types: Supports three types:
String,StringList,SecureString(encrypted via AWS KMS).- Hierarchical Structure: Organizes parameters using tree-like paths (e.g.,
/prod/db/password), which simplifies management across different environments. - Versioning: Automatically tracks changes and maintains a history of parameter values.
- This allows twtech to view or rollback to previous versions.
- Integration: SSM PS Seamlessly works with services like:
- Amazon EC2,
- AWS Lambda,
- Amazon ECS,
- AWS CloudFormation.
| Feature | Standard Tier | Advanced Tier |
|---|---|---|
| Cost (Storage) | Free | $0.05 per parameter/month |
| Max Parameters | 10,000 per Region | 100,000 per Region |
| Max Size | 4 KB | 8 KB |
| Parameter Policies | Not supported | Supported (e.g., Expiration, TTL) |
- API Throughput: Standard throughput is free (up to 40 requests per second).
- Higher throughput (up to 10,000 TPS) costs $0.05 per 10,000 API calls.
- While both store sensitive data
- AWS Secrets Manager is specialized for secrets that require automatic rotation and cross-account access.
- Rotation: Secrets Manager offers native, automated rotation for services like:
- Amazon RDS;
- Parameter Store requires custom Lambda scripts for rotation.
- Cross-Account: Secrets Manager supports resource-based policies for easier cross-account sharing; Parameter Store primarily uses identity-based IAM policies.
- Pricing: Parameter Store is often more cost-effective for general configuration, as Secrets Manager charges $0.40 per secret monthly.
Architecture
1. concept (deep dive)
- AWS Systems Manager Parameter Store (SSM PS) is a managed service for storing configuration data and secrets as key-value pairs.
- AWS Systems Manager Parameter Store (SSM PS) provides:
- Centralized management of environment variables, connection strings, API keys, and other runtime config.
- Secure, auditable, versioned storage.
- Integration with AWS services like EC2, Lambda, ECS, and CodePipeline.
Common
Use Cases
- App configuration: Environment-specific variables (e.g. db.host, api.url, log.level).
- Secrets management: Encrypted credentials (e.g. database passwords, API tokens).
- Infrastructure automation: Parameters shared across CloudFormation, Terraform, or CI/CD pipelines.
- Cross-account configuration sharing (with KMS key policies).
2. Table for Parameter Types
|
Type |
Description |
Max
Size |
Encryption |
|
String |
Plaintext data (non-sensitive). |
4 KB |
None |
|
StringList |
Comma-separated list of values. |
4 KB |
None |
|
SecureString |
Sensitive data encrypted via AWS
KMS. |
8 KB |
Yes (KMS) |
Table for Parameter
Tiers
|
Tier |
Max
Parameters |
Max
Size |
Throughput |
Features |
|
|
Standard |
10,000 |
4 KB |
40 TPS |
Free tier |
|
|
Advanced |
100,000+ |
8 KB |
1000 TPS |
Higher throughput, policies,
expiration |
|
3. Security Architecture for SSM Parameter Store with shared responsibility:
- AWS secures the infrastructure (encryption, HA, access logs).
- twtech needs to define encryption keys, IAM policies, and access boundaries.
Layers of
- Encryption at Rest – via KMS Customer Managed Keys (CMKs).
- Encryption in Transit – HTTPS and SigV4 signing.
- Granular IAM policies – control read/write access at parameter or path level.
- Auditability – parameter changes logged to AWS CloudTrail.
4. Access Control (IAM Policies & Conditions with scope access):
- Parameter path (hierarchical
access)
- Parameter name
- Tag-based access
- Condition keys (e.g. ssm:ResourceTag/Environment or ssm:ParameterName)
Sample IAM policy with read-only access for Dev
parameters
# json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "twtechReadDevParameters",
"Effect": "Allow",
"Action": [
"ssm:GetParameter",
"ssm:GetParametersByPath"
],
"Resource": "arn:aws:ssm:us-east-2:accountID:parameter/dev/*"
}
]
}
5. Encrypting with KMS (SecureString parameters) via AWS CLI:
- AWS-managed key (aws/ssm), integrated or
- Customer-managed CMK (recommended for cross-account and auditing).
# bash
aws ssm put-parameter --name "/prod/db/password" --value "twtechSuperSecret123" --type "SecureString" --key-id "arn:aws:kms:us-east-2:accountID:key/twtechkmskey-abcd-efgh"
Sample KMS Policy for Cross-Account (allowing Lambda in another account to decrypt a parameter):
# json
{
"Sid": "twtechAllowCrossAccountDecrypt",
"Effect": "Allow",
"Principal": {"AWS":
"arn:aws:iam::accountID:role/twtechRemoteLambdaRole"},
"Action":
["kms:Decrypt"],
"Resource": "*"
}
6. Versioning, Auditing, & Change Management (auto)
- twtech can reference specific versions (e.g. name:1).
- Old versions are retained for rollback.
- Parameter changes are logged in CloudTrail.
Sample rollback command:
aws ssm get-parameter --name "/app/config/db" --version 3
7. Table for SSM PS Integration with other AWS Services
|
Service |
Integration
Sample |
|
EC2 / ECS / Lambda |
Fetch configs securely at runtime. |
|
CloudFormation |
Use
{{resolve:ssm-secure:/path/to/param}}. |
|
CodePipeline /
CodeBuild |
Inject environment variables
dynamically. |
|
Secrets Manager |
twtech can reference SSM parameters
inside Secrets. |
|
AWS SDKs / CLI |
Universal access across languages
and scripts. |
8. Automation
Patterns & Advanced Use Cases
1.
Hierarchical Naming Convention
Sample:
/{env}/{service}/{component}/{key}
e.g.
/prod/web/api/endpoint
or
/dev/db/twtechUserPat
2. Parameter Policies (Advanced tier allows)
- Expiration – auto-deletes expired parameters.
- Notification – CloudWatch Events before expiration.
- No-change alerting – detect stale configs.
3.
Cross-Account Replication
- Use AWS Lambda or EventBridge to replicate parameters across environments (Dev → QA → Prod).
- Encrypt each with the target account’s KMS key.
4.
Automation with SSM Documents
- Automate runtime configuration injection (e.g., at EC2 launch).
9. Best Practices
- Use SecureString for all secrets (not String).
- Use customer-managed KMS keys for isolation & rotation.
- Tag parameters with metadata (Environment, Application, Owner).
- Enable CloudTrail for all Parameter Store activities.
- Rotate secrets periodically.
- Enforce least privilege IAM (e.g., path-level access).
Anti-Patterns (Wrong Practices)
- Storing large files (>8 KB)
- Solution: use S3 + signed URLs instead.
- Hardcoding secrets in Lambda or EC2 user data.
- Reusing the same KMS key for all environments.
- Using aws/ssm default key for production secrets.
Sample End-to-End Setup Creation of a Secure Parameter with AWS CLI
# bash
aws ssm put-parameter \
--name "/prod/db/password" \
--type "SecureString" \
--value "twtechProdStrongP@123" \
--key-id "alias/prod-kms" \
--tags Key=Environment,Value=Prod
Sample End-to-End Setup Creation of a Secure Parameter with Python
# python
import boto3
import os
ssm = boto3.client('ssm')
def handler(event, context):
param = ssm.get_parameter(
Name='/prod/db/password',
WithDecryption=True
)
db_password = param['Parameter']['Value']
print("Retrieved password for DB connection")
No comments:
Post a Comment