Tuesday, October 21, 2025

Standard SSM PS Hierarchy vs Advanced Parameter Tiers | Overview.

Standard AWS Systems Manager Parameter Store (SSM PS) Hierarchy vs Advanced Parameter Tiers - Overview.

Scope:

  • Intro,
  • Hierarchy in AWS Systems Manager Parameter Store (SSM PS),
  • Comparison Table of Standard Parameter Tier & Advanced Parameter Tier,
  • Key Advanced-Only Capabilities,
  • Standard Parameter Tier is Used for,
  • Key Characteristics Standard Parameter Tier (deep dive),
  • Sample deployment command for Standard Parameter (AWS CLI),
  • Advanced Parameter Tier is Used for,
  • Sample Parameter Policies (Advanced only) that let twtech control parameter behavior automatically,
  • How to Attach Sample Parameter Policies (Advanced only) that let twtech control parameter behavior automatically (AWS CLI),
  • Sample policy for Cross-Account Scenarios,
  • Best Practices,
  • Monitoring & Automation (what twtech monitors parameter usage with),
  • Key Takeaways,
  • Insights.

Intro:

    • AWS Systems Manager Parameter Store (SSM PS) provides hierarchical storage for configuration data and secrets, with two distinct tiers that offer different capabilities and cost structures.
Hierarchy in SSM PS
    • Both Standard and Advanced tiers support a hierarchical structure using a tree-like naming convention (e.g., /prod/db/password). 
    • This allows you to:
      • Organize parameters logically by environment, application, or resource.
      • Apply granular access control using IAM policies that target specific paths.
      • Retrieve all parameters under a specific path with a single API call (e.g., GetParametersByPath).
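The hierarchy is what makes least-privilege access practical: an IAM policy can name one path and nothing else. The following is an added example, not code from the original post; it validates a parameter name against the Parameter Store naming rules (allowed characters, no `aws`/`ssm` prefix, at most 15 levels) and builds a read-only IAM policy scoped to a single path. The account ID, Region and KMS key ARN in the demo call are made-up placeholders, and scoping `kms:Decrypt` with `kms:ViaService` to Parameter Store is a design choice of this example.

```python
"""Added example (not from the original post): validate SSM parameter names
against the hierarchy rules and build a least-privilege IAM read policy that
is scoped to one path. Account ID, Region and key ARN are placeholders."""
import json
import re

MAX_DEPTH = 15                                   # Parameter Store hierarchy limit
NAME_CHARS = re.compile(r"^[A-Za-z0-9_.\-/]+$")  # letters, digits, _ . - and /


def validate_parameter_name(name: str) -> list[str]:
    """Return the list of naming-rule violations (empty list = name is valid)."""
    problems = []
    if not NAME_CHARS.match(name or ""):
        problems.append("only a-z A-Z 0-9 _ . - and / are allowed; no spaces")
    if "//" in name or (len(name) > 1 and name.endswith("/")):
        problems.append("empty hierarchy level (double or trailing slash)")
    first = name.lstrip("/").split("/")[0].lower()
    if first.startswith("aws") or first.startswith("ssm"):
        problems.append("names may not start with 'aws' or 'ssm' (reserved)")
    levels = [lvl for lvl in name.split("/") if lvl]
    if len(levels) > MAX_DEPTH:
        problems.append(f"depth {len(levels)} exceeds {MAX_DEPTH} levels")
    return problems


def parameter_arn(region: str, account: str, name: str) -> str:
    """ARN form: the leading '/' of a hierarchical name is dropped after 'parameter'
    (arn:...:parameter/prod/db/password, never parameter//prod/...)."""
    return f"arn:aws:ssm:{region}:{account}:parameter/{name.lstrip('/')}"


def path_scoped_read_policy(region: str, account: str, path: str, kms_key_arn: str) -> dict:
    """Least-privilege read policy for one hierarchy path such as /prod/db.

    The path itself and its wildcard child pattern are both listed so that
    GetParametersByPath (evaluated against the path) and GetParameter
    (evaluated against each child) are covered. kms:Decrypt is limited to the
    key protecting those SecureStrings and to requests made through Parameter
    Store in this Region (kms:ViaService), so the same role cannot use the key
    directly."""
    path = "/" + path.strip("/")
    problems = validate_parameter_name(path)
    if problems:
        raise ValueError(f"bad path {path}: {problems}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOnePath",
                "Effect": "Allow",
                "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
                "Resource": [
                    parameter_arn(region, account, path),
                    parameter_arn(region, account, path + "/*"),
                ],
            },
            {
                "Sid": "DecryptOnlyViaParameterStore",
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": kms_key_arn,
                "Condition": {"StringEquals": {"kms:ViaService": f"ssm.{region}.amazonaws.com"}},
            },
        ],
    }


if __name__ == "__main__":
    # Placeholder account, Region and key; print the policy for /prod/db.
    policy = path_scoped_read_policy(
        "us-east-2", "111122223333", "/prod/db",
        "arn:aws:kms:us-east-2:111122223333:key/11111111-2222-3333-4444-555555555555")
    print(json.dumps(policy, indent=2))
```

Run the name check in CI against every parameter an IaC template declares; a reserved prefix or a 16-level path is rejected by the API only at deploy time, which is the expensive moment to find out.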
Comparison Table of Standard Parameter Tier & Advanced Parameter Tier

    • Max parameters: Standard 10,000 per account per Region; Advanced 100,000 per account per Region.
    • Max size per parameter: Standard 4 KB; Advanced 8 KB.
    • Pricing (storage): Standard no additional charge; Advanced $0.05 per parameter per month.
    • Pricing (API): Standard free at standard throughput; Advanced $0.05 per 10,000 API interactions.
    • Parameter policies: Standard not supported; Advanced supported (Expiration, ExpirationNotification, NoChangeNotification).
    • Cross-account sharing: Standard not supported; Advanced supported via AWS RAM.
Key Advanced-Only Capabilities
    • Parameter Policies: let twtech set an expiration date, a warning ahead of that expiration, and a no-change (stale parameter) notification; the notifications are delivered as Amazon EventBridge events.
    • Cross-Account Sharing: Advanced parameters can be shared with other AWS accounts or an AWS Organization using AWS Resource Access Manager (RAM), giving consumers a single source of truth without copying values between accounts.
    • Intelligent-Tiering: a default-tier service setting that picks Standard unless the request needs Advanced (value above 4 KB, policies attached, or the 10,000-parameter limit reached). Caveat: it moves parameters onto the paid tier silently, so watch the bill when it is enabled.

NB:

    • twtech can upgrade a parameter from Standard to Advanced at any time.
    • However, twtech cannot downgrade an Advanced parameter back to Standard.
      • Solution: twtech must delete the existing Advanced parameter and recreate it as Standard (the version history is lost with the deletion).
    • AWS SSM Parameter Store lets twtech securely store configuration data and secrets as parameters (key–value pairs).

Every parameter belongs to one of two tiers:

    • Standard
    • Advanced

The tier twtech chooses affects:

    • Parameter limits (size, number per account per Region)
    • Available features (policies, expiration, cross-account sharing)
    • Cost

 1. Standard Parameter Tier is Used for:

    • Small-scale configurations
    • Most common app configs
    • Secrets up to 4 KB that need no lifecycle policy (SecureString is available in both tiers)
    • Low-change parameters

 Key Characteristics Standard Parameter Tier (deep dive)

    • Max parameter size: 4 KB
    • Max versions per parameter: 100 (parameter history is kept in both tiers; the oldest version rolls off after 100 unless it carries a label)
    • Max total parameters per account per Region: 10,000
    • Policies (TTL, expiration, etc.): ❌ Not supported
    • Parameter references in templates (CloudFormation dynamic references, CodeBuild, etc.): ✅ Supported
    • KMS encryption (SecureString): ✅ Supported
    • Cross-account access: ⚠️ Limited (only by assuming a role in the owning account; Standard parameters cannot be shared via AWS RAM)
    • Cost: ✅ Free (storage and standard-throughput API calls)

 Sample deployment command for Standard Parameter (AWS CLI)

# bash

# Creates a Standard-tier SecureString encrypted with a customer managed KMS key.
# NB: a secret passed with --value lands in shell history and the process list;
# on real systems read it from a file instead (--value file:///path/to/secret).
aws ssm put-parameter \
  --name "/dev/app/db/twtechSuperpassword" \
  --value "twtech-password" \
  --type "SecureString" \
  --tier "Standard" \
  --key-id "alias/twtechkmskey"

 2. Advanced Parameter Tier is Used for:

    • Large parameters (up to 8 KB)
    • Secrets rotation or lifecycle management (expiration and stale-value notifications)
    • Complex automation (e.g., temporary overrides that delete themselves)
    • Long-lived or high-churn parameters
    • Cross-account sharing via AWS RAM (Parameter Store itself stays Regional in both tiers)

 Key Characteristics

    • Max parameter size: 8 KB
    • Max versions per parameter: 100
    • Max total parameters per account per Region: 100,000
    • Policies (TTL, expiration, no-change, etc.): ✅ Supported
    • Expiration notifications (EventBridge events): ✅ Supported
    • Cross-account sharing (AWS RAM, backed by an SSM resource policy): ✅ Supported
    • KMS encryption (SecureString): ✅ Supported
    • Cost: 💲 Charged per parameter stored per month and per 10,000 API interactions

 Sample Parameter Policies (Advanced only) that let twtech control parameter behavior automatically:

    • Expiration – Parameter Store deletes the parameter at the given time (Attributes: Timestamp, ISO 8601 UTC, must be in the future)
    • ExpirationNotification – emits an Amazon EventBridge event a set time before that deletion (Attributes: Before, Unit); it has no effect without an Expiration policy
    • NoChangeNotification – emits an EventBridge event if the parameter has not been modified for a set time (Attributes: After, Unit), useful for catching secrets that were never rotated

NB: policies are supplied as a JSON array, and a parameter holds at most 10 of them.

# json

{
  "Type": "Expiration",
  "Version": "1.0",
  "Attributes": {
    "Timestamp": "2027-12-31T00:00:00Z"
  }
}

How to Attach Sample Parameter Policies (Advanced only) that let twtech control parameter behavior automatically (AWS CLI)

# bash

# --policies takes the JSON array as a single string. --tier Advanced is
# mandatory: policies are rejected on Standard parameters. Add --overwrite when
# upgrading an existing Standard parameter in place. Without --key-id the
# AWS managed key alias/aws/ssm is used, which cannot be shared cross-account.
aws ssm put-parameter \
  --name "/prod/app/api/twtechkmskey" \
  --value "twtechvalue-abcd1234" \
  --type "SecureString" \
  --tier "Advanced" \
  --policies '[{"Type":"Expiration","Version":"1.0","Attributes":{"Timestamp":"2026-12-31T00:00:00Z"}}]'
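Intelligent-Tiering decides the tier for you at request time, and a malformed policy or a past timestamp is likewise only rejected by the API. The following is an added example, not code from the original post or from AWS: it reproduces the tier decision locally (Advanced only when the value exceeds 4 KB or policies are requested), validates the three policy types described above, and emits the request document that `aws ssm put-parameter --cli-input-json file://req.json` accepts, with `Policies` serialised as a string exactly as the `--policies` flag expects. The parameter name, value and key alias in the demo are placeholders; accepting only `Days` and `Hours` as units is this example's conservative choice, matching the units used in the AWS policy examples.

```python
"""Added example (not from the original post): pre-flight checks for an SSM
put-parameter request: choose the tier the value and policies actually need,
validate the parameter-policy JSON, and emit a --cli-input-json document.
Names, values and the key alias are placeholders."""
import json
from datetime import datetime, timezone
from typing import Optional

STANDARD_MAX_BYTES = 4 * 1024
ADVANCED_MAX_BYTES = 8 * 1024
MAX_POLICIES = 10                 # the API raises PoliciesLimitExceededException above this
UNITS = {"Days", "Hours"}         # units accepted by this checker (as in the AWS examples)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # ISO 8601 in UTC, the form Expiration expects


def choose_tier(value: str, policies: Optional[list] = None) -> str:
    """Mirror Intelligent-Tiering locally so the paid tier is never a surprise:
    Advanced only when the value exceeds 4 KB or policies are requested."""
    size = len(value.encode("utf-8"))
    if size > ADVANCED_MAX_BYTES:
        raise ValueError(f"value is {size} bytes; the Advanced tier allows {ADVANCED_MAX_BYTES}")
    if policies or size > STANDARD_MAX_BYTES:
        return "Advanced"
    return "Standard"


def validate_policies(policies: list, now: Optional[datetime] = None) -> list[str]:
    """Return the problems with a policy list (empty list = OK)."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if len(policies) > MAX_POLICIES:
        problems.append(f"{len(policies)} policies; maximum is {MAX_POLICIES}")
    for i, pol in enumerate(policies):
        attrs = pol.get("Attributes", {})
        ptype = pol.get("Type")
        if pol.get("Version") != "1.0":
            problems.append(f"policy {i}: Version must be '1.0'")
        if ptype == "Expiration":
            ts = str(attrs.get("Timestamp", ""))
            try:
                when = datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)
                if when <= now:
                    problems.append(f"policy {i}: Expiration Timestamp {ts} is in the past")
            except ValueError:
                problems.append(f"policy {i}: Timestamp must be YYYY-MM-DDTHH:MM:SSZ")
        elif ptype in ("ExpirationNotification", "NoChangeNotification"):
            key = "Before" if ptype == "ExpirationNotification" else "After"
            if not str(attrs.get(key, "")).isdigit():
                problems.append(f"policy {i}: {key} must be a positive integer string")
            if attrs.get("Unit") not in UNITS:
                problems.append(f"policy {i}: Unit must be one of {sorted(UNITS)}")
        else:
            problems.append(f"policy {i}: unknown Type {ptype!r}")
    types = {p.get("Type") for p in policies}
    if "ExpirationNotification" in types and "Expiration" not in types:
        problems.append("ExpirationNotification has no effect without an Expiration policy")
    return problems


def put_parameter_request(name: str, value: str, *, secure: bool = True,
                          key_id: Optional[str] = None, policies: Optional[list] = None,
                          overwrite: bool = False) -> dict:
    """Build the --cli-input-json document for `aws ssm put-parameter`.
    Policies is sent as a JSON *string*, exactly as the CLI expects."""
    policies = policies or []
    problems = validate_policies(policies) if policies else []
    if problems:
        raise ValueError("; ".join(problems))
    req = {
        "Name": name,
        "Value": value,
        "Type": "SecureString" if secure else "String",
        "Tier": choose_tier(value, policies),
        "Overwrite": overwrite,
    }
    if secure and key_id:
        req["KeyId"] = key_id   # omit to fall back to the AWS managed alias/aws/ssm
    if policies:
        req["Policies"] = json.dumps(policies)
    return req


if __name__ == "__main__":
    # Placeholder secret with an expiration and a 15-day warning; write to req.json
    # and apply with: aws ssm put-parameter --cli-input-json file://req.json
    demo = put_parameter_request(
        "/prod/app/api/twtechkmskey", "twtechvalue-abcd1234", key_id="alias/twtechkmskey",
        policies=[
            {"Type": "Expiration", "Version": "1.0", "Attributes": {"Timestamp": "2099-12-31T00:00:00Z"}},
            {"Type": "ExpirationNotification", "Version": "1.0", "Attributes": {"Before": "15", "Unit": "Days"}},
        ])
    print(json.dumps(demo, indent=2))
```

The checker deliberately refuses a lone ExpirationNotification: the API accepts it, but nothing will ever fire, which is the kind of silent gap that gets noticed only after the secret should have been rotated.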

 3. Pricing and Cost Controls

    • Parameter storage: Standard free; Advanced ~$0.05 per parameter per month.
    • API interactions (GetParameter, etc.): Standard free at standard throughput; Advanced ~$0.05 per 10,000 API interactions (the higher-throughput setting is billed at the same rate for either tier).
    • Policies / notifications: Standard N/A; Advanced policy notifications are EventBridge events from an AWS service and carry no charge themselves, but the targets they fan out to (SNS, Lambda, etc.) are billed normally.

 Tip:

    • twtech can upgrade a parameter from Standard to Advanced.
    • But a downgrade is not allowed (delete and recreate instead).

 4. Cross-Account Scenarios

  • Advanced parameters can be shared with other AWS accounts through AWS Resource Access Manager (RAM). The share is backed by an SSM resource policy, so the consumer reads the parameter directly without assuming a role in the owning account.
  • Caveats: the consumer must reference the shared parameter by its full ARN rather than by name, and a shared SecureString must be encrypted with a customer managed KMS key whose key policy also admits the consumer (AWS managed keys such as alias/aws/ssm cannot be shared).

Sample policy for Cross-Account Scenarios:

# json

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::accountID:root"},
    "Action": "ssm:GetParameter",
    "Resource": "arn:aws:ssm:us-east-2:accountID:parameter/prod/api/twtechkmskey"
  }]
}

NB:

  • AWS recommends creating the share with AWS RAM rather than attaching this policy directly with PutResourcePolicy; a directly attached policy must additionally be promoted to a RAM resource share before the parameter shows up in DescribeParameters with the --shared option.
  • twtech must combine the share with a KMS key policy (or grant) that lets the consumer account decrypt: the share grants ssm:GetParameter, not kms:Decrypt, and the consumer's own IAM policy must also allow both actions on the owner's ARNs.
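Cross-account sharing fails in three predictable places: the parameter is still Standard, the SecureString sits under the AWS managed key, or one of the three policies involved (RAM share, owner's key policy, consumer's identity policy) is missing. The following is an added example, not code from the original post or from AWS: it checks the parameter metadata that `aws ssm describe-parameters` returns for shareability, and produces the request body for `aws ram create-resource-share --cli-input-json`, the key-policy statement the owner adds to the customer managed key, and the identity policy the consumer role needs. Account IDs, Region, key ARN and share name are placeholders; keeping `allowExternalPrincipals` false (share only inside the AWS Organization) and scoping the key statement with `kms:ViaService` are this example's defaults.

```python
"""Added example (not from the original post): pre-flight checks and request
bodies for sharing an Advanced SecureString across accounts via AWS RAM.
Account IDs, Region, key ARN and names are placeholders."""
import json
import re

ACCOUNT_RE = re.compile(r"^\d{12}$")
CUSTOMER_KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def shareability_problems(param: dict) -> list[str]:
    """Why a parameter (metadata as returned by describe-parameters) cannot be
    shared: RAM sharing needs the Advanced tier, and a SecureString must use a
    customer managed key addressed by ARN so the consumer can be granted on it."""
    problems = []
    if param.get("Tier") != "Advanced":
        problems.append("only Advanced-tier parameters can be shared")
    if param.get("Type") == "SecureString":
        key = param.get("KeyId", "")
        if key == "" or key.startswith("alias/"):
            problems.append("shared SecureString needs a customer managed key ARN: "
                            "alias/aws/ssm cannot be shared and aliases are account-local")
        elif not CUSTOMER_KEY_ARN_RE.match(key):
            problems.append(f"KeyId {key!r} is not a KMS key ARN")
    return problems


def ram_share_request(param_arn: str, consumer_accounts: list[str], share_name: str) -> dict:
    """--cli-input-json body for `aws ram create-resource-share` (owner account).
    allowExternalPrincipals=False keeps the share inside the AWS Organization."""
    bad = [a for a in consumer_accounts if not ACCOUNT_RE.match(a)]
    if bad:
        raise ValueError(f"not 12-digit account IDs: {bad}")
    return {"name": share_name, "resourceArns": [param_arn],
            "principals": consumer_accounts, "allowExternalPrincipals": False}


def owner_kms_statement(consumer_account: str, region: str) -> dict:
    """Key-policy statement the owner adds to the customer managed key: the
    consumer may decrypt, but only through Parameter Store in this Region."""
    return {
        "Sid": f"AllowSsmDecryptFrom{consumer_account}",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{consumer_account}:root"},
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:ViaService": f"ssm.{region}.amazonaws.com"}},
    }


def consumer_identity_policy(param_arn: str, key_arn: str) -> dict:
    """IAM policy for the consumer's role: the share alone grants nothing to a
    role whose own policy does not name the owner's parameter and key ARNs."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ssm:GetParameter", "ssm:GetParameters"], "Resource": param_arn},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn},
    ]}


def consumer_get_parameter_cli(param_arn: str) -> str:
    """Consumers address a shared parameter by full ARN, never by bare name."""
    return f'aws ssm get-parameter --name "{param_arn}" --with-decryption'


if __name__ == "__main__":
    # Placeholder owner 111122223333 sharing /prod/api/twtechkmskey with 444455556666.
    key_arn = "arn:aws:kms:us-east-2:111122223333:key/11111111-2222-3333-4444-555555555555"
    param_arn = "arn:aws:ssm:us-east-2:111122223333:parameter/prod/api/twtechkmskey"
    meta = {"Name": "/prod/api/twtechkmskey", "Type": "SecureString", "Tier": "Advanced", "KeyId": key_arn}
    print("problems:", shareability_problems(meta))
    print(json.dumps(ram_share_request(param_arn, ["444455556666"], "twtech-prod-api-share"), indent=2))
    print(json.dumps(owner_kms_statement("444455556666", "us-east-2"), indent=2))
    print(json.dumps(consumer_identity_policy(param_arn, key_arn), indent=2))
    print(consumer_get_parameter_cli(param_arn))
```

Run `shareability_problems` against the real `describe-parameters` output before touching RAM; the most common failure is a SecureString created earlier without `--key-id`, which now sits under `alias/aws/ssm` and must be re-encrypted under a customer managed key first.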

 5. Best Practices

    • Small configs (<4 KB, infrequent changes): Standard
    • Secrets that need expiration/notification policies, or JSON configs above 4 KB: Advanced + SecureString (secrets under 4 KB with no policy needs are fine as Standard SecureString)
    • Multi-account environments (dev/qa/prod): Advanced shared via RAM, customer managed KMS key with cross-account key policy
    • Automation or rotation (Lambda, CI/CD): Advanced with Expiration or NoChangeNotification policies driving EventBridge rules
    • Performance-sensitive lookups: cache parameters in the application (e.g., AWS SDK / Lambda extension caching) instead of calling GetParameter on every request

 6. Monitoring & Automation (what twtech monitors parameter usage with):

    • CloudWatch alarms on metric filters over CloudTrail logs (GetParameter, PutParameter, DeleteParameter call volume and throttling)
    • CloudTrail (audit who read or changed which parameter, and whether the read used withDecryption)
    • AWS Config custom rules to enforce SecureString for secret paths, customer managed KMS keys, or tier
    • SSM Parameter Policies to expire temporary values and to flag parameters that have not been rotated (NoChangeNotification); the policies notify, they do not rotate
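CloudTrail is the only record of who actually read a secret, and the interesting signal is not the call itself but decrypting reads of production paths by principals that should not be doing so. The following is an added example, not code from the original post: a small detector over CloudTrail records for Parameter Store that flags `withDecryption` reads of `/prod/` parameters by principals outside an allow-list, write or delete operations on `/prod/` by IAM users rather than roles, and access arriving from another account. The records are constructed for the example (not real CloudTrail output), and the allow-listed role name, ARNs and account IDs are placeholders; CloudTrail never logs parameter values, so the detector reasons only about names, principals and the `withDecryption` flag.

```python
"""Added example (not from the original post): detect risky Parameter Store
access in CloudTrail records. Sample records, role names and account IDs are
constructed placeholders."""
import json

PROD_PREFIX = "/prod"
ALLOWED_READER_ROLES = {"twtech-app-task-role"}      # roles allowed to decrypt prod secrets (constructed)
READ_EVENTS = {"GetParameter", "GetParameters", "GetParametersByPath"}
WRITE_EVENTS = {"PutParameter", "DeleteParameter", "DeleteParameters",
                "PutResourcePolicy", "LabelParameterVersion"}


def _normalize(name: str) -> str:
    """Shared parameters are addressed by ARN; reduce that to the hierarchical name."""
    if ":parameter/" in name:
        return "/" + name.split(":parameter/", 1)[1]
    return name


def _names(req: dict) -> list[str]:
    """Parameter names/paths named in the request, across the read and write APIs."""
    if "name" in req:
        return [_normalize(req["name"])]
    if "names" in req:
        return [_normalize(n) for n in req["names"]]
    if "path" in req:
        return [_normalize(req["path"])]
    return []


def _is_prod(name: str) -> bool:
    return name == PROD_PREFIX or name.startswith(PROD_PREFIX + "/")


def _principal(identity: dict) -> str:
    """arn:aws:sts::acct:assumed-role/ROLE/session -> ROLE; IAM users -> their user name."""
    arn = identity.get("arn", "")
    if ":assumed-role/" in arn:
        return arn.split(":assumed-role/", 1)[1].split("/")[0]
    return identity.get("userName", arn)


def findings_for(record: dict) -> list[str]:
    """Findings for one CloudTrail record (empty list = nothing of interest)."""
    event = record.get("eventName", "")
    req = record.get("requestParameters") or {}
    identity = record.get("userIdentity", {})
    who = _principal(identity)
    prod = [n for n in _names(req) if _is_prod(n)]
    if not prod:
        return []
    out = []
    if event in READ_EVENTS and req.get("withDecryption") is True and who not in ALLOWED_READER_ROLES:
        out.append(f"{who} decrypted prod secret(s) {prod} via {event}")
    if event in WRITE_EVENTS and identity.get("type") == "IAMUser":
        out.append(f"IAM user {who} performed {event} on {prod}; prod writes should come from pipeline roles")
    caller_account = identity.get("accountId")
    if caller_account and caller_account != record.get("recipientAccountId"):
        out.append(f"cross-account access to {prod} from account {caller_account}")
    return out


def scan(records: list[dict]) -> list[str]:
    return [f for r in records for f in findings_for(r)]


def load_trail_file(path: str) -> list[dict]:
    """Read a CloudTrail log file (the {"Records": [...]} envelope) for scan()."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh).get("Records", [])


SAMPLE_RECORDS = [  # constructed for this example, not real CloudTrail output
    {"eventSource": "ssm.amazonaws.com", "eventName": "GetParameter", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                      "arn": "arn:aws:sts::111122223333:assumed-role/twtech-app-task-role/i-0abc"},
     "requestParameters": {"name": "/prod/db/twtechSuperpassword", "withDecryption": True}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "GetParametersByPath", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"path": "/prod/db", "recursive": True, "withDecryption": True}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "DeleteParameter", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "/prod/app/twtechconfig"}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "GetParameter", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "AssumedRole", "accountId": "444455556666",
                      "arn": "arn:aws:sts::444455556666:assumed-role/consumer-role/session"},
     "requestParameters": {"name": "arn:aws:ssm:us-east-2:111122223333:parameter/prod/api/twtechkmskey",
                           "withDecryption": True}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

Wire the same logic into a Lambda behind an EventBridge rule on `ssm.amazonaws.com` events and the cross-account finding becomes an alert the moment a consumer account starts reading shared production secrets.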

Key Takeaways

    • Size limit: Standard 4 KB; Advanced 8 KB
    • Versions (history): 100 in both tiers
    • Count limit per account per Region: Standard 10,000; Advanced 100,000
    • Policies (TTL, expiration, no-change): Standard ❌; Advanced ✅
    • Cross-account access: Standard only via role assumption; Advanced ✅ via AWS RAM
    • Cost: Standard free; Advanced ~$0.05/parameter/mo plus ~$0.05 per 10,000 API interactions
    • Tier change: Standard → Advanced ✅ (upgrade in place); Advanced → Standard ❌ (delete and recreate)

twtech-Insights:

twtech sample CloudFormation snippet for:

    • Creating both Standard and Advanced SSM Parameters
    • Applying an expiration policy (Advanced-only)
    • Using intrinsic functions (!Sub, !Ref, etc.) for environment awareness

NB:

  • CloudFormation's AWS::SSM::Parameter resource creates only String and StringList parameters: it cannot create SecureString parameters and has no KeyId property. Secrets (the DB Superpassword, API keys) are therefore created with the put-parameter CLI command shown above and only referenced from templates (dynamic references), which also keeps secret values out of template files and change sets.
  • This example works in multi-account/multi-environment setups: twtech can deploy it as a per-environment stack (Environment=dev, qa or prod) in one account, or once per account in a multi-account layout.
 CloudFormation Snippet for Standard + Advanced Parameters

# twtech-SSMCloudFormationstack.yaml

AWSTemplateFormatVersion: "2010-09-09"
Description: >
  twtech Sample stack that creates a Standard and an Advanced SSM Parameter,
  the Advanced one carrying an expiration policy.
  NB: AWS::SSM::Parameter cannot create SecureString parameters; secrets are
  created with the AWS CLI (see put-parameter above) and only referenced here.

Parameters:
  Environment:
    Type: String
    Default: dev
    AllowedValues: [dev, qa, prod]
    Description: twtech Deployment environment (used in parameter path)
  ExpirationTimestamp:
    Type: String
    Default: "2026-12-31T00:00:00Z"
    Description: ISO 8601 UTC timestamp (YYYY-MM-DDTHH:MM:SSZ) at which the Advanced parameter is deleted

Resources:
  # ============================
  # 1. Standard Parameter Example
  # ============================
  AppConfigParam:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Sub "/${Environment}/app/twtechconfig"
      Description: "twtech Standard parameter for app configuration"
      Type: String
      Tier: Standard
      Value: '{"LOG_LEVEL":"INFO","MAX_CONNECTIONS":10}'
      Tags:
        Environment: !Ref Environment
        Tier: Standard

  # ============================
  # 2. Secrets are NOT created here
  # ============================
  # /<env>/db/twtechSuperpassword (SecureString, Standard) and
  # /<env>/api/twtechkmskey-123-abc (SecureString, Advanced, with policies)
  # must be created with `aws ssm put-parameter --type SecureString --key-id ...`
  # because CloudFormation supports neither the SecureString type nor KeyId.

  # ============================
  # 3. Advanced Parameter (with Expiration Policy)
  # ============================
  # A temporary override that Parameter Store deletes automatically at
  # ExpirationTimestamp. Policies is a JSON array passed as a string and
  # requires Tier: Advanced.
  TempOverrideParam:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Sub "/${Environment}/app/twtechoverride"
      Description: "twtech temporary override with expiration policy (Advanced tier)"
      Type: String
      Tier: Advanced
      Value: '{"MAINTENANCE_MODE":true}'
      Policies: !Sub |
        [
          {
            "Type": "Expiration",
            "Version": "1.0",
            "Attributes": {
              "Timestamp": "${ExpirationTimestamp}"
            }
          }
        ]
      Tags:
        Environment: !Ref Environment
        Tier: Advanced
        Policy: Expiration

Outputs:
  StandardConfigParamName:
    Description: twtech Name of the standard config parameter
    Value: !Ref AppConfigParam
  AdvancedOverrideParamName:
    Description: twtech Name of the advanced parameter carrying the expiration policy
    Value: !Ref TempOverrideParam

How twtech twtech-SSMCloudFormationstack.yaml Works

    • AppConfigParam: simple JSON config, String type, Standard tier, no KMS encryption (only SecureString values are KMS-encrypted).
    • TempOverrideParam: String type, Advanced tier, Expiration policy; Parameter Store deletes it at the specified timestamp, so a forgotten override cannot linger in prod. It stands in for the API-key example because a SecureString cannot be created by CloudFormation.
    • The SecureString parameters from the CLI examples (DB Superpassword, API key) are deliberately absent; templates consume them through CloudFormation dynamic references (resolve:ssm-secure), which work only for resource properties that support them.

Notes for Real Use

    • Expiration timestamp must be in ISO 8601 format (YYYY-MM-DDTHH:MM:SSZ) and in the future; otherwise the policy is rejected.
    • twtech can add ExpirationNotification or NoChangeNotification objects to the same Policies JSON array (maximum 10 policies per parameter).
    • Policies require Tier: Advanced; setting Policies on a Standard parameter fails.
    • When secrets are shared between accounts, the KMS key passed to the CLI must be a customer managed key whose key policy admits the consumer account; the AWS managed alias/aws/ssm cannot be shared.
    • Advanced parameters incur cost
      •  so, twtech uses Advanced parameters intentionally (ONLY) for:
        • secrets that need lifecycle policies,
        • rotations and expirations,
        • cross-account access,
        • values larger than 4 KB.



