Tuesday, October 21, 2025

AWS Parameter Policies for Advanced Tier | Overview & Hands-On.

Focus:

  • Intro,
  • The Concept of Parameter Policies,
  • what the policies let twtech do,
  • Sample JSON Expiration Policy,
  • CloudFormation Sample deployment template,
  • ExpirationNotification Policy (pre-rotation warnings),
  • CloudFormation Sample Parameter Policies stack,
  • NoChangeNotification Policy (haven’t changed),
  • Combining Multiple Policies in a single JSON array & Explanation,
  • Best Practices for Parameter Policies,
  • Sample CloudFormation Stack with Multiple Policies,
  • Quick Summary Table,
  • Project: Hands-On.

Intro:

  • Advanced parameter tier in AWS Systems Manager Parameter Store supports three specific parameter policies for managing lifecycle and security:
    • Expiration: Deletes a parameter at a specified date and time. 
      • Note that updating the parameter value does not reset the expiration timestamp.
    • ExpirationNotification: Triggers an Amazon EventBridge event a specified number of days or hours before or after a parameter expires.
    • NoChangeNotification: Triggers an EventBridge event if a parameter has not been modified for a specified period of time, which is useful for enforcing secret rotation.

NB:
    • These policies are exclusive to the Advanced Tier and cannot be applied to standard tier parameters. 
    • When configuring these policies, they must be formatted as a JSON string containing the:
      • Type, 
      • Version, 
      • Attributes.

 The Concept of Parameter Policies (deep dive)

    • A Parameter Policy is a JSON document twtech attaches to an Advanced SSM Parameter to control its lifecycle and behavior.
      • The lifecycle actions run automatically, without writing Lambda functions or manual cleanup scripts.

What the policies let twtech do:

    • Set expiration or rotation schedules,
    • Get notified if a parameter hasn’t changed,
    • Trigger automated cleanup or alerting workflows.

NB:

    • Each parameter can have one or more policies attached to the Policies property in CloudFormation or via the CLI (--policies flag).

 Supported Policy Types

| Policy Type | Description | Typical Use |
|---|---|---|
| Expiration | Automatically expires (and optionally deletes) a parameter after a set time or timestamp. | Temporary credentials, short-lived API keys |
| ExpirationNotification | Sends an SNS event before the parameter expires. | Alert DevOps/SecOps to rotate soon-to-expire secrets |
| NoChangeNotification | Sends an SNS event if a parameter hasn’t been updated within a given timeframe. | Enforce secret rotation or detect stale config |

 1. Sample JSON Expiration Policy & Purpose:

    •  Automatically mark (and optionally delete) a parameter after a given time.

# twtech sample JSON

[
  {
    "Type": "Expiration",
    "Version": "1.0",
    "Attributes": {
      "Timestamp": "2026-12-31T00:00:00Z"
    }
  }
]

NB:

    • "Timestamp" must be in ISO8601 UTC format.
    • When the timestamp is reached, the parameter:
      • is marked expired,
      • stays visible in the console,
      • can optionally be cleaned up by automation (e.g., an AWS Config rule or Lambda).

CloudFormation Sample deployment template

# twtechCloudFormationParameterPolicies.yaml
# ${ExpirationTimestamp} must be declared in the template's Parameters section.

ApiTokenParam:
  Type: AWS::SSM::Parameter
  Properties:
    Name: /prod/api/twtechtoken
    Type: SecureString
    Tier: Advanced
    KeyId: alias/twtech-kms-key
    Value: "twtech-temporary-token"
    Policies: !Sub |
      [
        {
          "Type": "Expiration",
          "Version": "1.0",
          "Attributes": {
            "Timestamp": "${ExpirationTimestamp}"
          }
        }
      ]

 2. ExpirationNotification Policy (pre-rotation warnings):

  • Notifies via Amazon SNS before a parameter expires.
  • Commonly used for pre-rotation warnings.

# twtech sample JSON

[
  {
    "Type": "ExpirationNotification",
    "Version": "1.0",
    "Attributes": {
      "Before": "15D",
      "NotificationArn": "arn:aws:sns:us-east-2:accountID:NotifySecretsRotation"
    }
  }
]

NB:

    • "Before": how long before expiration the notification is sent.
      • (Supports units: H = hours, D = days)
    • "NotificationArn": ARN of an SNS topic.

CloudFormation Sample Parameter Policies stack

# twtechCloudFormationParameterPolicies.yaml

ApiKeyParam:
  Type: AWS::SSM::Parameter
  Properties:
    Name: /prod/api/twtechkey
    Type: SecureString
    Tier: Advanced
    KeyId: alias/twtech-kms-key
    Value: "twtech-super-secret-api-key"
    Policies: !Sub |
      [
        {
          "Type": "ExpirationNotification",
          "Version": "1.0",
          "Attributes": {
            "Before": "7D",
            "NotificationArn": "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:ParameterAlerts"
          }
        }
      ]

NB:

  • When the parameter is 7 days away from expiration, an SNS notification is sent.
    • twtech can use it to trigger an email, a Lambda function, or ticket automation.

 3. NoChangeNotification Policy (haven’t changed):

  • Detects stale parameters that haven’t changed for a defined period and sends a notification.

# twtech sample JSON

[
  {
    "Type": "NoChangeNotification",
    "Version": "1.0",
    "Attributes": {
      "After": "30D",
      "NotificationArn": "arn:aws:sns:us-east-2:accountID:NotifyRotation"
    }
  }
]

NB:

    • "After": Duration since the last parameter update.
    • "NotificationArn": SNS topic ARN for alerts.

Use Case

  • Great for ensuring compliance with rotation policies (e.g., “all API keys must rotate every 90 days”).

 Combining Multiple Policies in a single JSON array & Explanation:

# json

[
  {
    "Type": "Expiration",
    "Version": "1.0",
    "Attributes": { "Timestamp": "2026-12-31T00:00:00Z" }
  },
  {
    "Type": "ExpirationNotification",
    "Version": "1.0",
    "Attributes": {
      "Before": "7D",
      "NotificationArn": "arn:aws:sns:us-east-2:accountID:ParamExpiryAlert"
    }
  },
  {
    "Type": "NoChangeNotification",
    "Version": "1.0",
    "Attributes": {
      "After": "60D",
      "NotificationArn": "arn:aws:sns:us-east-2:accountID:RotationReminders"
    }
  }
]

NB: explanation of the above Parameter Policies.

✅   Expire on Dec 31
✅   Notify 7 days before expiration
✅   Notify if unchanged for 60 days
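To see when a combined policy array like the one above actually fires, here is an added Python example (not code from the original post, and not anything AWS ships): it parses the policies JSON and computes the instant each policy triggers from the Expiration timestamp and the parameter's last-modified time, warning when the NoChangeNotification would only fire after the parameter has already expired. It assumes the compact "7D"/"12H" duration form used in this post (a bare number with a separate Unit attribute, as the AWS CLI reference spells it, is also accepted), and the account id in the sample ARNs is a placeholder.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample mirroring the three-policy array shown above (account id is a placeholder).
COMBINED_POLICIES = json.dumps([
    {"Type": "Expiration", "Version": "1.0", "Attributes": {"Timestamp": "2026-12-31T00:00:00Z"}},
    {"Type": "ExpirationNotification", "Version": "1.0",
     "Attributes": {"Before": "7D", "NotificationArn": "arn:aws:sns:us-east-2:111122223333:ParamExpiryAlert"}},
    {"Type": "NoChangeNotification", "Version": "1.0",
     "Attributes": {"After": "60D", "NotificationArn": "arn:aws:sns:us-east-2:111122223333:RotationReminders"}},
])

def utc(ts):  # the post requires ISO8601 UTC timestamps, e.g. "2026-12-31T00:00:00Z"
    if not ts.endswith("Z"):
        raise ValueError(f"timestamp must be ISO8601 UTC, got {ts!r}")
    return datetime.fromisoformat(ts[:-1]).replace(tzinfo=timezone.utc)

def parse_duration(value, unit=None):
    """Compact "7D"/"12H" form (this post) or number plus Unit attribute ("7", "Days"; AWS CLI reference)."""
    text = str(value).strip()
    if unit is None:                       # compact form: the unit is the last character
        text, unit = text[:-1], text[-1:]
    unit = unit.strip().upper()[:1]
    if unit not in ("D", "H") or not text.isdigit():
        raise ValueError(f"bad duration {value!r} / unit {unit!r}")
    return timedelta(days=int(text)) if unit == "D" else timedelta(hours=int(text))

def policy_schedule(policies_json, last_modified):
    """Return ({policy Type: ISO8601 UTC instant it fires}, [warnings]); last_modified moves NoChangeNotification only."""
    expires = before = after = None
    for policy in json.loads(policies_json):
        kind, attrs = policy["Type"], policy["Attributes"]
        if kind == "Expiration":
            expires = utc(attrs["Timestamp"])
        elif kind == "ExpirationNotification":
            before = parse_duration(attrs["Before"], attrs.get("Unit"))
        elif kind == "NoChangeNotification":
            after = parse_duration(attrs["After"], attrs.get("Unit"))
        else:
            raise ValueError(f"unknown policy Type {kind!r}")
    fires, warnings = ({"Expiration": expires} if expires else {}), []  # Expiration is absolute; a value update never resets it
    if before is not None:
        if expires is None:
            raise ValueError("ExpirationNotification needs an Expiration policy to count down from")
        fires["ExpirationNotification"] = expires - before
    if after is not None:
        fires["NoChangeNotification"] = utc(last_modified) + after
        if expires is not None and fires["NoChangeNotification"] >= expires:
            warnings.append("NoChangeNotification would fire after the parameter has expired")
    return {k: v.strftime("%Y-%m-%dT%H:%M:%SZ") for k, v in fires.items()}, warnings
```

Calling `policy_schedule(COMBINED_POLICIES, "2026-11-01T00:00:00Z")` shows the catch in the combined sample: a value last written on 1 November would not trip the 60-day stale alert until 31 December, the same instant the parameter expires.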

 Best Practices for Parameter Policies

| Goal | Recommendation |
|---|---|
| Automated cleanup | Use Expiration for temp creds or tokens |
| Secret rotation enforcement | Combine NoChangeNotification + rotation Lambda |
| Alert before expiry | Always pair Expiration with ExpirationNotification |
| Compliance tracking | Send notifications to a central SNS topic (monitored by SecOps) |
| Cross-account alerts | Use an SNS topic in a centralized logging/alerting account |

 How to Apply Policies (Methods)

| Method | How to Attach |
|---|---|
| AWS CLI | aws ssm put-parameter --policies '[...]' |
| CloudFormation | Policies: property (stringified JSON array) |
| AWS Console | Under “Advanced settings” > “Policies” |
| SDK (Python, boto3) | put_parameter(Policies='[...]') |

twtech Sample CloudFormation Stack with Multiple Policies

# ${ExpirationTimestamp} must be declared in the template's Parameters section.
# NB: AWS::SSM::Parameter in CloudFormation supports Type String and StringList only;
# SecureString parameters are created with the CLI or SDK (see the put-parameter commands below).
Resources:
  AdvancedParamWithPolicies:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /prod/app/twtechsecretKey
      Type: SecureString
      Tier: Advanced
      KeyId: alias/twtech-secure-key
      Value: "twtechsecret-value"
      Policies: !Sub |
        [
          {
            "Type": "Expiration",
            "Version": "1.0",
            "Attributes": { "Timestamp": "${ExpirationTimestamp}" }
          },
          {
            "Type": "ExpirationNotification",
            "Version": "1.0",
            "Attributes": {
              "Before": "7D",
              "NotificationArn": "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:ParameterExpiryTopic"
            }
          },
          {
            "Type": "NoChangeNotification",
            "Version": "1.0",
            "Attributes": {
              "After": "30D",
              "NotificationArn": "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:ParameterRotationTopic"
            }
          }
        ]

 twtech Quick Summary Table

| Policy Type | Attribute(s) | Triggers | Use Case |
|---|---|---|---|
| Expiration | Timestamp | When time reached | Auto-expire temp parameters |
| ExpirationNotification | Before, NotificationArn | X days/hours before expiration | Pre-expiry alert |
| NoChangeNotification | After, NotificationArn | X days since last change | Detect stale secrets/configs |

Project: Hands-On

  • How twtech uses AWS Systems Manager Parameter Store (SSM PS) tiers to securely keep secrets and configuration within its environment.

Search for the AWS service: Parameter Store

(Console screenshots: "How it works" and "Features and benefits".)

NB:

  • Parameter Store is a tool under AWS Systems Manager.

How twtech creates a parameter:

  • Create parameter: Parameter details
  • Assign a name: /twtechapp/dev/db-url
  • Create Parameter: /twtechapp/dev/db-url

How twtech accesses the details of a parameter:

  • Select the parameter and click open: /twtechapp/dev/db-url

How twtech adds more parameters:

  • Start from the existing parameter (/twtechapp/dev/db-url).

NB:

  • twtech needs to access the Parameter Store.
  • Copy the exact name of the existing parameter to create another parameter under the same path: /twtechapp/dev/db-url
  • Type: SecureString
  • Select the parameter created (/twtechapp/dev/db-password) and click open to see its details.
  • How twtech checks the decrypted value for the secured parameter (screenshots: from / to).

  • How twtech creates parameters for the Prod environment: /twtechapp/prod/db-url
  • Create Prod Parameter: /twtechapp/prod/db-url

  • How twtech creates a password for the Prod Parameter:
  • Create parameter: /twtechapp/prod/db-password

How twtech accesses the parameter using the CLI from any terminal:

    • The terminal must be configured with the AWS CLI to make API calls.
    • For the purpose of this project, we’re using the CloudShell terminal (the integrated terminal in the browser, which is already configured).

  • twtech comprehensive list of AWS Systems Manager Parameter Store (SSM PS) CLI commands:
    • grouped by purpose;
    • these commands use the AWS CLI (aws ssm ...).

 1. List Parameters

# List all parameters or filter by name/path:

aws ssm describe-parameters

# List parameters under a specific hierarchy (e.g., /prod):

aws ssm describe-parameters --parameter-filters "Key=Name,Option=BeginsWith,Values=/prod/"

 2. Get Parameter(s)

# Get a single parameter:

aws ssm get-parameter --name "/prod/db/password"

# Get with decryption (for SecureString):

aws ssm get-parameter --name "/prod/db/password" --with-decryption

# Get multiple parameters:

aws ssm get-parameters --names "/prod/db/user" "/prod/db/password" --with-decryption

# Get all parameters by path (recursively):

aws ssm get-parameters-by-path --path /prod/ --recursive --with-decryption

 3. Put (Create/Update) Parameter

# Create a simple String parameter:

aws ssm put-parameter \
  --name "/prod/api/url" \
  --type "String" \
  --value "https://api.twtechapp.com"

# Create or overwrite (update existing):

aws ssm put-parameter \
  --name "/prod/api/url" \
  --type "String" \
  --value "https://new.twtechapp.com" \
  --overwrite

# Create a SecureString parameter (encrypted with KMS):

aws ssm put-parameter \
  --name "/prod/db/password" \
  --type "SecureString" \
  --key-id "alias/my-kms-key" \
  --value "twtechSuperSecret@123"

 4. Delete Parameters

# Delete a single parameter:

aws ssm delete-parameter --name "/prod/api/url"

# Delete multiple parameters:

aws ssm delete-parameters --names "/prod/db/user" "/prod/db/password"

 5. Parameter Versions & History

# List versions:

aws ssm get-parameter-history --name "/prod/db/password"

 6. Tagging Parameters

# Add tags:

aws ssm add-tags-to-resource \
  --resource-type "Parameter" \
  --resource-id "/prod/db/password" \
  --tags "Key=Environment,Value=prod" "Key=twtechTeam,Value=DevOps"

# List tags:

aws ssm list-tags-for-resource \
  --resource-type "Parameter" \
  --resource-id "/prod/db/password"

# Remove tags:

aws ssm remove-tags-from-resource \
  --resource-type "Parameter" \
  --resource-id "/prod/db/password" \
  --tag-keys "Environment" "twtechTeam"

 7. Advanced Parameters

  • Advanced parameters support features like expiration, policies, and larger size (up to 8 KB).

# Create an Advanced parameter with a policy (e.g., expiration):

aws ssm put-parameter \
  --name "/prod/token" \
  --type "String" \
  --value "twtech-temporary-token" \
  --tier "Advanced" \
  --policies '[{"Type":"Expiration","Version":"1.0","Attributes":{"Timestamp":"2026-10-30T00:00:00Z"}}]'

 8. Miscellaneous / Helpful

# Check parameter tier (Standard vs Advanced):

aws ssm describe-parameters --query "Parameters[*].{Name:Name,Tier:Tier}"

# Show the current default parameter tier setting (Standard or Advanced):

aws ssm get-service-setting --setting-id "arn:aws:ssm:us-east-2::service-setting/ssm/parameter-store/default-parameter-tier"

# Change default parameter tier:

aws ssm update-service-setting \
  --setting-id "arn:aws:ssm:us-east-2::service-setting/ssm/parameter-store/default-parameter-tier" \
  --setting-value "Advanced"

CLI Hands-On (Project) for AWS Systems Manager Parameter Store (SSM PS):

aws ssm get-parameters --names /twtechapp/dev/db-password /twtechapp/dev/db-url

How twtech decrypts a secured parameter value with the flag --with-decryption:

aws ssm get-parameters --names /twtechapp/dev/db-password /twtechapp/dev/db-url --with-decryption

How twtech gets parameters by path: /twtechapp/prod/db-password

aws ssm get-parameters-by-path --path /twtechapp/prod/ --with-decryption

Or:

  • How twtech gets parameters by path with the flags --recursive & --with-decryption: /twtechapp/prod/db-password

aws ssm get-parameters-by-path --path /twtechapp/prod/ --recursive --with-decryption

  • How twtech gets parameters by path with the flag --recursive, starting at /twtechapp: /twtechapp/prod/db-password

aws ssm get-parameters-by-path --path /twtechapp --recursive --with-decryption

NB:

  • To exit the bash shell on CloudShell, press Ctrl + C.


