Tuesday, October 21, 2025

AWS Systems Manager Parameter Store (SSM PS) Hierarchy - Standard vs Advanced Parameter Tiers | Deep Dive.

Intro:

  • This is an important concept when twtech designs AWS Systems Manager (SSM) Parameter Store hierarchies (especially for multi-account or multi-environment setups), with a focus on Standard vs Advanced Parameter Tiers.

Break down:

  • Overview,
  • Standard Parameter Tier,
  • Advanced Parameter Tier,
  • Pricing and Cost Controls,
  • Cross-Account Scenarios,
  • Best Practices,
  • Monitoring & Automation,
  • Key Takeaways,
  • twtech-insights.

Overview

AWS SSM Parameter Store lets twtech securely store configuration data and secrets as parameters (key–value pairs).

Every parameter belongs to one of two tiers:

  • Standard
  • Advanced

The tier you choose affects:

  • Parameter limits (size, number, history)
  • Available features (policies, expiration, cross-account use)
  • Cost

1. Standard Parameter Tier

Use for:

  • Small-scale configurations
  • Most common app configs
  • Non-sensitive, low-change parameters

Key Characteristics

| Feature | Standard Tier |
|---|---|
| Max parameter size | 4 KB |
| Max versions per parameter | 1 (old versions overwritten) |
| Max total parameters per account/region | 10,000 |
| Policies (TTL, expiration, etc.) | ❌ Not supported |
| Parameter references in templates (CloudFormation, CodeBuild, etc.) | ✅ Supported |
| KMS encryption | ✅ Supported |
| Cross-account access | ⚠️ Limited (only through IAM role assumption, not direct access policies) |
| Cost | ✅ Free |

Example of Standard Parameter

```bash
aws ssm put-parameter \
  --name "/dev/app/db/twtechSuperpassword" \
  --value "twtech-password" \
  --type "SecureString" \
  --tier "Standard" \
  --key-id "alias/twtechkmskey"
```

2. Advanced Parameter Tier

Use for:

  • Large parameters (up to 8 KB)
  • Secrets rotation or lifecycle management
  • Complex automation (e.g., temporary overrides)
  • Long-lived or high-churn parameters
  • Cross-account or multi-region architectures

Key Characteristics

| Feature | Advanced Tier |
|---|---|
| Max parameter size | 8 KB |
| Max versions per parameter | 100 |
| Max total parameters per account/region | 100,000 |
| Policies (TTL, expiration, no-change, etc.) | ✅ Supported |
| Expiration notifications | ✅ Supported |
| Cross-account access with resource policies | ✅ Supported |
| KMS encryption | ✅ Supported |
| Cost | 💲 Charged per parameter stored and per API interaction beyond the free tier |

Parameter Policies (Advanced only)

Parameter policies let you control parameter behavior automatically:

  • Expiration – delete after a time period
  • ExpirationNotification – send an SNS event before deletion
  • NoChangeNotification – alert if a parameter hasn’t changed for X days

Example:

```json
{
  "Type": "Expiration",
  "Version": "1.0",
  "Attributes": {
    "Timestamp": "2025-12-31T00:00:00Z"
  }
}
```

Attach it like this:

```bash
aws ssm put-parameter \
  --name "/prod/app/api/twtechkmskey" \
  --value "twtechvalue-abcd1234" \
  --type "SecureString" \
  --tier "Advanced" \
  --policies '[{"Type":"Expiration","Version":"1.0","Attributes":{"Timestamp":"2025-12-31T00:00:00Z"}}]'
```

3. Pricing and Cost Controls

| Feature | Standard | Advanced |
|---|---|---|
| Parameter storage | Free | ~$0.05 per parameter per month |
| API interactions (GetParameter, etc.) | Free | Free up to 10,000 API interactions per month, then ~$0.005 per 10,000 requests |
| Policies / Notifications | N/A | May incur SNS costs if used |

Tip:

twtech can upgrade a parameter from Standard to Advanced, but downgrade is not allowed.
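The size limits, the Advanced-only policies and the no-downgrade rule above are cheap to enforce before a request ever reaches AWS. The pre-flight check below is an added example (not part of the original post and not an AWS API): it takes the same name, value, tier and --policies JSON a put-parameter call would, applies the limits stated in this post, and treats a leading-slash hierarchical name as an assumed local convention.

```python
"""Pre-flight check for an SSM put-parameter request against the tier rules in
this post. Added example (not from the original post, not an AWS API call);
limits are the ones stated above: 4 KB / 8 KB, policies Advanced-only, no
downgrade from Advanced to Standard."""
import json
from datetime import datetime

MAX_BYTES = {"Standard": 4 * 1024, "Advanced": 8 * 1024}
POLICY_TYPES = {"Expiration", "ExpirationNotification", "NoChangeNotification"}


def valid_timestamp(ts):
    """Accept only the ISO 8601 UTC form the post requires (YYYY-MM-DDTHH:MM:SSZ)."""
    try:
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        return True
    except (TypeError, ValueError):
        return False


def check_put_parameter(name, value, tier, policies=None, current_tier=None):
    """Return a list of problems; an empty list means the request is safe to send.

    policies is the JSON array string passed to --policies; current_tier is the
    tier of an existing parameter with that name (None if it is new), so that an
    Advanced -> Standard downgrade is refused locally instead of by the API.
    """
    if tier not in MAX_BYTES:
        return [f"unknown tier {tier!r}"]
    problems = []
    # Assumed local convention: every parameter sits under a /<env>/... hierarchy.
    if not name.startswith("/"):
        problems.append("name must be a hierarchical path such as /dev/app/...")
    size = len(value.encode("utf-8"))
    if size > MAX_BYTES[tier]:
        problems.append(f"value is {size} bytes; {tier} tier allows {MAX_BYTES[tier]}")
    if current_tier == "Advanced" and tier == "Standard":
        problems.append("downgrade from Advanced to Standard is not allowed")
    for policy in json.loads(policies) if policies else []:
        ptype = policy.get("Type")
        if tier != "Advanced":
            problems.append(f"policy {ptype} requires the Advanced tier")
        if ptype not in POLICY_TYPES:
            problems.append(f"unknown policy type {ptype!r}")
        elif ptype == "Expiration":
            ts = policy.get("Attributes", {}).get("Timestamp")
            if not valid_timestamp(ts):
                problems.append(f"Expiration needs an ISO 8601 UTC Timestamp, got {ts!r}")
    return problems
```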

4. Cross-Account Scenarios

Advanced parameters support resource policies, allowing direct access from other AWS accounts without assuming roles.

Example policy (accountID is a placeholder for the 12-digit AWS account ID):

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::accountID:root"},
    "Action": "ssm:GetParameter",
    "Resource": "arn:aws:ssm:us-east-2:accountID:parameter/prod/api/twtechkmskey"
  }]
}
```

NB:

twtech may combine this with KMS key grants to securely decrypt across accounts.

5. Best Practices

| Use Case | Recommendation |
|---|---|
| Small configs (<4 KB, infrequent changes) | Standard |
| Secrets or large JSON configs | Advanced + SecureString |
| Multi-account environments (dev/qa/prod) | Advanced with policies + KMS grants |
| Automation or rotation (Lambda, CI/CD) | Advanced with expiration or change policies |
| Performance-sensitive lookups | Use parameter caching via AWS SDK |

6. Monitoring & Automation

twtech can monitor parameter usage with:

  • CloudWatch metrics (GetParameter, PutParameter API calls)
  • CloudTrail (audit who accessed what)
  • Config Rules to enforce encryption or tier
  • SSM Parameter Policies to ensure rotation
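As an added example of the Config-rule style check described above (not from the original post): the audit below runs over a constructed sample shaped like the output of `aws ssm describe-parameters` and flags parameters that break the practices in this post (secrets stored as plain String, SecureString on the AWS-managed key instead of a customer-managed key, billed Advanced parameters carrying no policy, policies that failed to apply). The SECRET_SEGMENTS path convention and the sample parameters are assumptions.

```python
"""Audit SSM parameter metadata against the tier and encryption practices above.
Added example, not from the original post. It runs over a constructed sample with
the field names `aws ssm describe-parameters` returns; to audit a real account,
feed it json.load(open("params.json"))["Parameters"] instead."""
import json

# Assumption: paths containing these segments hold secrets under the twtech naming scheme.
SECRET_SEGMENTS = {"db", "api", "secrets"}
AWS_MANAGED_KEY = "alias/aws/ssm"  # key SSM uses when no --key-id is given

SAMPLE_PARAMETERS = [  # constructed sample, shaped like describe-parameters output
    {"Name": "/dev/app/twtechconfig", "Type": "String", "Tier": "Standard", "Policies": []},
    {"Name": "/dev/db/twtechSuperpassword", "Type": "SecureString", "Tier": "Standard",
     "KeyId": "alias/aws/ssm", "Policies": []},
    {"Name": "/prod/api/twtechkmskey", "Type": "SecureString", "Tier": "Advanced",
     "KeyId": "alias/twtechkmskey",
     "Policies": [{"PolicyType": "Expiration", "PolicyStatus": "Pending",
                   "PolicyText": '{"Type":"Expiration","Version":"1.0",'
                                 '"Attributes":{"Timestamp":"2025-12-31T00:00:00Z"}}'}]},
    {"Name": "/qa/api/token", "Type": "String", "Tier": "Advanced", "Policies": []},
]


def audit_parameter(param):
    """Return the findings for one parameter (empty list = compliant)."""
    findings = []
    name, ptype, tier = param["Name"], param.get("Type"), param.get("Tier", "Standard")
    segments = set(name.strip("/").split("/"))
    if segments & SECRET_SEGMENTS and ptype != "SecureString":
        findings.append(f"secret path stored as plain {ptype}")
    if ptype == "SecureString" and param.get("KeyId", AWS_MANAGED_KEY) == AWS_MANAGED_KEY:
        findings.append("SecureString uses the AWS-managed key, not a customer-managed key")
    if tier == "Advanced" and not param.get("Policies"):
        findings.append("Advanced tier (billed) without any expiration/no-change policy")
    for pol in param.get("Policies", []):
        if pol.get("PolicyStatus") == "Failed":
            findings.append(f"policy {pol.get('PolicyType')} failed to apply")
    return findings


def audit(parameters):
    """Map parameter name -> findings, omitting compliant parameters."""
    return {p["Name"]: f for p in parameters if (f := audit_parameter(p))}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_PARAMETERS), indent=2))
```

Customer-managed keys matter beyond hygiene: the cross-account KMS grants mentioned in section 4 cannot be issued on the AWS-managed key.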

Key Takeaways

| Feature | Standard | Advanced |
|---|---|---|
| Size limit | 4 KB | 8 KB |
| Versions | 1 | 100 |
| Count limit | 10,000 | 100,000 |
| Policies (TTL, expiration) | ❌ Not supported | ✅ Supported |
| Cross-account access | ⚠️ Limited (IAM role assumption only) | ✅ Supported (resource policies) |
| Cost | Free | ~$0.05/parameter/mo |
| Downgrade allowed | N/A (can be upgraded to Advanced) | ❌ No |

twtech-insights:

A twtech sample, production-ready CloudFormation snippet for:

  • Creating both Standard and Advanced SSM Parameters
  • Using SecureString with KMS encryption
  • Applying an expiration policy (Advanced-only)
  • Using intrinsic functions (!Sub, !Ref, etc.) for environment awareness

NB:

This example works in multi-account/multi-environment setups: twtech can drop it into a shared or per-account CloudFormation stack (e.g., /dev, /qa, /prod paths within the same account).

CloudFormation Snippet — Standard + Advanced Parameters

```yaml
# twtechSSMCloudFormationstack.yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  twtech Sample stack that creates Standard and Advanced SSM Parameters
  with SecureString encryption and an expiration policy (Advanced only).

# All template inputs live in one Parameters block: a second top-level
# Parameters key is a duplicate YAML key and the template fails to load.
Parameters:
  Environment:
    Type: String
    Default: dev
    AllowedValues: [dev, qa, prod]
    Description: twtech Deployment environment (used in parameter path)
  KmsKeyId:
    Type: String
    Description: ARN or alias of the KMS key for SecureString encryption
  ExpirationTimestamp:
    Type: String
    Default: "2025-12-31T00:00:00Z"
    Description: ISO8601 timestamp for parameter expiration

# NB: AWS::SSM::Parameter accepts Type String or StringList only; CloudFormation
# cannot create SecureString parameters and the resource has no KeyId property.
# Create the two SecureString parameters below with the CLI command shown earlier
# (or a custom resource), which also keeps the secret value out of the template.
Resources:
  # ============================
  # 1. Standard Parameter Example
  # ============================
  AppConfigParam:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Sub "/${Environment}/app/twtechconfig"
      Description: "twtech Standard parameter for app configuration"
      Type: String
      Tier: Standard
      Value: '{"LOG_LEVEL":"INFO","MAX_CONNECTIONS":10}'
      Tags:
        Environment: !Ref Environment
        Tier: Standard

  # ============================
  # 2. SecureString (Standard)
  # ============================
  DbPasswordParam:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Sub "/${Environment}/db/twtechSuperpassword"
      Description: "twtech Database Superpassword (SecureString - Standard tier)"
      Type: SecureString
      Tier: Standard
      KeyId: !Ref KmsKeyId
      Value: "twtechSuperpassword@123abc"
      Tags:
        Environment: !Ref Environment
        Secret: "true"

  # ============================
  # 3. Advanced Parameter (with Expiration Policy)
  # ============================
  ApiKeyParam:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Sub "/${Environment}/api/twtechkmskey-123-abc"
      Description: "twtech API key with expiration policy (Advanced tier)"
      Type: SecureString
      Tier: Advanced
      KeyId: !Ref KmsKeyId
      Value: "twtech-super-secret-api-key"
      # Policies is a JSON array string; ${ExpirationTimestamp} is substituted
      # from the template parameter above.
      Policies: !Sub |
        [
          {
            "Type": "Expiration",
            "Version": "1.0",
            "Attributes": {
              "Timestamp": "${ExpirationTimestamp}"
            }
          }
        ]
      Tags:
        Environment: !Ref Environment
        Tier: Advanced
        Policy: Expiration

# Outputs (must be a top-level Outputs section, not a comment, to be exported)
Outputs:
  StandardConfigParamName:
    Description: twtech Name of the standard config parameter
    Value: !Ref AppConfigParam
  DbPasswordParamName:
    Description: twtech Name of the SecureString standard parameter
    Value: !Ref DbPasswordParam
  AdvancedApiKeyParamName:
    Description: twtech Name of the advanced SecureString parameter
    Value: !Ref ApiKeyParam
```

How twtechSSMCloudFormationstack.yaml Works

  • AppConfigParam → simple JSON config, Standard tier, no encryption.
  • DbPasswordParam → SecureString + KMS key encryption, still Standard tier.
  • ApiKeyParam → SecureString + Advanced tier + expiration policy; it will automatically expire at the specified timestamp.

Notes for Real Use

  • twtech can change KmsKeyId to use a cross-account KMS key ARN if parameters are shared between environments.
  • Expiration timestamp must be in ISO 8601 format (YYYY-MM-DDTHH:MM:SSZ).
  • twtech can add additional policies (like "NoChangeNotification") in the same Policies JSON array.
  • Advanced parameters incur cost — so use them intentionally for secrets, rotations, or cross-account access.
