Intro:
Parameter Policies are among the most powerful features of AWS Systems Manager Parameter Store (SSM PS), available for the Advanced parameter tier.
Break down:
- The Concept: Parameter Policies
- Supported Policy Types
- Expiration Policy
- ExpirationNotification Policy
- NoChangeNotification Policy
- Combining Multiple Policies
- Best Practices for Parameter Policies
- How to Apply Policies (Methods)
- twtech sample of a Full CloudFormation Resource with Multiple Policies
- Quick Summary Table
- Project: Hands-On
The Concept: Parameter Policies
A Parameter Policy is a JSON document twtech attaches to an Advanced SSM Parameter to control its lifecycle and behavior automatically, without writing Lambda functions or manual cleanup scripts.
These policies let twtech:
- Set expiration or rotation schedules,
- Get notified if a parameter hasn't changed,
- Trigger automated cleanup or alerting workflows.
NB:
Each parameter can have one or more policies attached, through the Policies property in CloudFormation or via the CLI (--policies flag).
Supported Policy Types
| Policy Type | Description | Typical Use |
| --- | --- | --- |
| Expiration | Automatically expires (and optionally deletes) a parameter after a set time or timestamp. | Temporary credentials, short-lived API keys |
| ExpirationNotification | Sends an SNS event before the parameter expires. | Alert DevOps/SecOps to rotate soon-to-expire secrets |
| NoChangeNotification | Sends an SNS event if a parameter hasn't been updated within a given timeframe. | Enforce secret rotation or detect stale config |
1. Expiration Policy
Purpose:
Automatically mark (and optionally delete) a parameter after a given time.
# twtech sample JSON
[
  {
    "Type": "Expiration",
    "Version": "1.0",
    "Attributes": {
      "Timestamp": "2025-12-31T00:00:00Z"
    }
  }
]
NB:
- "Timestamp" must be in ISO 8601 UTC format.
- When the timestamp is reached, the parameter becomes expired, which is visible in the console, and it can optionally be cleaned up by automation (e.g., an AWS Config rule or Lambda).
CloudFormation Example
# twtechCloudFormationfile.yaml
ApiTokenParam:
  Type: AWS::SSM::Parameter
  Properties:
    Name: /prod/api/twtechtoken
    Type: SecureString
    Tier: Advanced
    KeyId: alias/twtech-kms-key
    Value: "twtech-temporary-token"
    Policies: !Sub |
      [
        {
          "Type": "Expiration",
          "Version": "1.0",
          "Attributes": {
            "Timestamp": "${ExpirationTimestamp}"
          }
        }
      ]
2. ExpirationNotification Policy
Purpose:
Notify via Amazon SNS before a parameter expires. Common for pre-rotation warnings.
# twtech sample JSON
[
  {
    "Type": "ExpirationNotification",
    "Version": "1.0",
    "Attributes": {
      "Before": "15D",
      "NotificationArn": "arn:aws:sns:us-east-2:accountID:NotifySecretsRotation"
    }
  }
]
NB:
- "Before": how long before expiration the notification is sent (supported units: H = hours, D = days).
- "NotificationArn": ARN of an SNS topic.
CloudFormation Example
# twtechCloudFormationfile.yaml
ApiKeyParam:
  Type: AWS::SSM::Parameter
  Properties:
    Name: /prod/api/twtechkey
    Type: SecureString
    Tier: Advanced
    KeyId: alias/twtech-kms-key
    Value: "twtech-super-secret-api-key"
    Policies: !Sub |
      [
        {
          "Type": "ExpirationNotification",
          "Version": "1.0",
          "Attributes": {
            "Before": "7D",
            "NotificationArn": "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:ParameterAlerts"
          }
        }
      ]
NB:
When the parameter is 7 days away from expiration, an SNS notification is sent; twtech can use it to trigger an email, a Lambda function, or ticket automation.
3. NoChangeNotification Policy
Purpose:
Detects stale parameters that haven't changed for a defined period and sends a notification.
# twtech sample JSON
[
  {
    "Type": "NoChangeNotification",
    "Version": "1.0",
    "Attributes": {
      "After": "30D",
      "NotificationArn": "arn:aws:sns:us-east-2:accountID:NotifyRotation"
    }
  }
]
NB:
- "After": duration since the last parameter update.
- "NotificationArn": SNS topic ARN for alerts.
Use Case
Great for ensuring compliance with rotation policies (e.g., "all API keys must rotate every 90 days").
Combining Multiple Policies
twtech can attach multiple policies in a single JSON array:
# json
[
  {
    "Type": "Expiration",
    "Version": "1.0",
    "Attributes": {
      "Timestamp": "2025-12-31T00:00:00Z"
    }
  },
  {
    "Type": "ExpirationNotification",
    "Version": "1.0",
    "Attributes": {
      "Before": "7D",
      "NotificationArn": "arn:aws:sns:us-east-2:accountID:ParamExpiryAlert"
    }
  },
  {
    "Type": "NoChangeNotification",
    "Version": "1.0",
    "Attributes": {
      "After": "60D",
      "NotificationArn": "arn:aws:sns:us-east-2:accountID:RotationReminders"
    }
  }
]
NB: explanation of the above Parameter Policies.
- ✅ Expire on Dec 31
- ✅ Notify 7 days before expiration
- ✅ Notify if unchanged for 60 days
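Hand-writing the combined array is error-prone (a timestamp in the wrong format or a warning window longer than the remaining lifetime fails silently). The following is an added example, not code from the original post, that builds the three-policy document as the stringified JSON array that --policies and put_parameter(Policies=...) expect and checks it first; the duration format, the sample dates and the SNS topic ARN are constructed placeholders, and the "warning window must fit inside the lifetime" rule is a local sanity check, not a documented API rule.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Durations in the post's notation: an integer followed by H (hours) or D (days).
_DURATION = re.compile(r"^(\d+)([HD])$")


def duration_to_timedelta(value: str) -> timedelta:
    """Parse "7D" or "24H" into a timedelta; reject anything else."""
    m = _DURATION.match(value)
    if not m:
        raise ValueError(f"bad duration {value!r}: expected e.g. '15D' or '24H'")
    n, unit = int(m.group(1)), m.group(2)
    return timedelta(days=n) if unit == "D" else timedelta(hours=n)


def build_policies(expires_at: datetime, notify_before: str, stale_after: str,
                   topic_arn: str, now: datetime) -> str:
    """Return the three-policy JSON array as the string put-parameter expects."""
    if expires_at.tzinfo is None:
        raise ValueError("expiration timestamp must be timezone-aware")
    if expires_at <= now:
        raise ValueError("expiration timestamp is already in the past")
    # Local sanity check (an assumption, not a documented API rule): a warning
    # window longer than the remaining lifetime could never be delivered.
    if now + duration_to_timedelta(notify_before) >= expires_at:
        raise ValueError("'Before' is longer than the time left until expiry")
    duration_to_timedelta(stale_after)  # validate the NoChange window too
    # The Expiration policy wants ISO 8601 in UTC with a trailing Z.
    ts = expires_at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    policies = [
        {"Type": "Expiration", "Version": "1.0", "Attributes": {"Timestamp": ts}},
        {"Type": "ExpirationNotification", "Version": "1.0",
         "Attributes": {"Before": notify_before, "NotificationArn": topic_arn}},
        {"Type": "NoChangeNotification", "Version": "1.0",
         "Attributes": {"After": stale_after, "NotificationArn": topic_arn}},
    ]
    return json.dumps(policies, separators=(",", ":"))


def sample_document() -> str:
    """Constructed values; the SNS topic ARN is a placeholder, not a real topic."""
    now = datetime(2025, 10, 1, tzinfo=timezone.utc)
    return build_policies(datetime(2025, 12, 31, tzinfo=timezone.utc), "7D", "60D",
                          "arn:aws:sns:us-east-2:123456789012:ParameterAlerts", now)


if __name__ == "__main__":
    print(sample_document())  # pass to --policies or put_parameter(Policies=...)
```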
Best Practices for Parameter Policies
| Goal | Recommendation |
| --- | --- |
| Automated cleanup | Use Expiration for temp creds or tokens |
| Secret rotation enforcement | Combine NoChangeNotification + rotation Lambda |
| Alert before expiry | Always pair Expiration with ExpirationNotification |
| Compliance tracking | Send notifications to a central SNS topic (monitored by SecOps) |
| Cross-account alerts | Use an SNS topic in a centralized logging/alerting account |
How to Apply Policies (Methods)
| Method | How to Attach |
| --- | --- |
| AWS CLI | aws ssm put-parameter --policies '[...]' |
| CloudFormation | Policies: property (stringified JSON array) |
| AWS Console | Under "Advanced settings" → "Policies" |
| SDK (Python, boto3) | put_parameter(Policies='[...]') |
twtech sample of a Full CloudFormation Resource with Multiple Policies
Resources:
  AdvancedParamWithPolicies:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /prod/app/twtechsecretKey
      Type: SecureString
      Tier: Advanced
      KeyId: alias/twtech-secure-key
      Value: "twtechsecret-value"
      Policies: !Sub |
        [
          {
            "Type": "Expiration",
            "Version": "1.0",
            "Attributes": {
              "Timestamp": "${ExpirationTimestamp}"
            }
          },
          {
            "Type": "ExpirationNotification",
            "Version": "1.0",
            "Attributes": {
              "Before": "7D",
              "NotificationArn": "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:ParameterExpiryTopic"
            }
          },
          {
            "Type": "NoChangeNotification",
            "Version": "1.0",
            "Attributes": {
              "After": "30D",
              "NotificationArn": "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:ParameterRotationTopic"
            }
          }
        ]
twtech Quick Summary Table
| Policy Type | Attribute(s) | Triggers | Use Case |
| --- | --- | --- | --- |
| Expiration | Timestamp | When time reached | Auto-expire temp parameters |
| ExpirationNotification | Before, NotificationArn | X days/hours before expiration | Pre-expiry alert |
| NoChangeNotification | After, NotificationArn | X days since last change | Detect stale secrets/configs |
Search for the AWS service: Parameter Store
How it works
Features and benefits
NB:
Parameter Store is a tool under AWS Systems Manager.
How twtech creates a parameter:
Create parameter: Parameter details
Assign a name: /twtechapp/dev/db-url
Create Parameter: /twtechapp/dev/db-url
How twtech accesses the details of a parameter: select the parameter and click Open: /twtechapp/dev/db-url
How twtech adds more parameters: /twtechapp/dev/db-url
From the existing parameter (/twtechapp/dev/db-url), twtech needs to access the Parameter Store.
Copy the exact name of the existing parameter to create another parameter under the same path.
/twtechapp/dev/db-url
Type: SecureString
Select the parameter created (/twtechapp/dev/db-password) and click Open to see the details:
How to check the decrypted value for the secured parameter:
From:
To:
How twtech creates parameters for the Prod environment: /twtechapp/prod/db-url
Create Prod Parameter: /twtechapp/prod/db-url
How twtech creates a password for the Prod parameter:
Create parameter: /twtechapp/prod/db-password
How twtech accesses the parameter using the CLI from any terminal:
- The terminal must be configured with the AWS CLI to make API calls.
- For the purpose of this project, we're using the CloudShell terminal (the integrated terminal in the browser, which is already configured).
Here's twtech's comprehensive list of AWS Systems Manager Parameter Store (SSM PS) CLI commands, grouped by purpose, with examples for each. These commands use the AWS CLI (aws ssm ...).
1. List Parameters
List all parameters or filter by name/path:
aws ssm describe-parameters
List parameters under a specific hierarchy (e.g., /prod):
aws ssm describe-parameters --parameter-filters "Key=Name,Option=BeginsWith,Values=/prod/"
2. Get Parameter(s)
Get a single parameter:
aws ssm get-parameter --name "/prod/db/password"
Get with decryption (for SecureString):
aws ssm get-parameter --name "/prod/db/password" --with-decryption
Get multiple parameters:
aws ssm get-parameters --names "/prod/db/user" "/prod/db/password" --with-decryption
Get all parameters by path (recursively):
aws ssm get-parameters-by-path --path /prod/ --recursive --with-decryption
3. Put (Create/Update) Parameter
Create a simple String parameter:
aws ssm put-parameter \
  --name "/prod/api/url" \
  --type "String" \
  --value "https://api.example.com"
Create or overwrite (update an existing parameter):
aws ssm put-parameter \
  --name "/prod/api/url" \
  --type "String" \
  --value "https://new.example.com" \
  --overwrite
Create a SecureString parameter (encrypted with KMS):
aws ssm put-parameter \
  --name "/prod/db/password" \
  --type "SecureString" \
  --key-id "alias/my-kms-key" \
  --value "SuperSecret123"
4. Delete Parameters
Delete a single parameter:
aws ssm delete-parameter --name "/prod/api/url"
Delete multiple parameters:
aws ssm delete-parameters --names "/prod/db/user" "/prod/db/password"
5. Parameter Versions & History
List versions:
aws ssm get-parameter-history --name "/prod/db/password"
6. Tagging Parameters
Add tags:
aws ssm add-tags-to-resource \
  --resource-type "Parameter" \
  --resource-id "/prod/db/password" \
  --tags "Key=Environment,Value=prod" "Key=Team,Value=DevOps"
List tags:
aws ssm list-tags-for-resource \
  --resource-type "Parameter" \
  --resource-id "/prod/db/password"
Remove tags:
aws ssm remove-tags-from-resource \
  --resource-type "Parameter" \
  --resource-id "/prod/db/password" \
  --tag-keys "Environment" "Team"
7. Advanced Parameters
Advanced parameters support features like expiration, policies, and a larger size (up to 8 KB).
Create an Advanced parameter with a policy (e.g., expiration):
aws ssm put-parameter \
  --name "/prod/token" \
  --type "String" \
  --value "temporary-token" \
  --tier "Advanced" \
  --policies '[{"Type":"Expiration","Version":"1.0","Attributes":{"Timestamp":"2025-10-30T00:00:00Z"}}]'
8. Miscellaneous / Helpful
Check parameter tier (Standard vs Advanced):
aws ssm describe-parameters --query "Parameters[*].{Name:Name,Tier:Tier}"
Show the account's default parameter tier:
aws ssm get-service-setting --setting-id "arn:aws:ssm:us-east-2::service-setting/ssm/parameter-store/default-parameter-tier"
Change the default parameter tier:
aws ssm update-service-setting \
  --setting-id "arn:aws:ssm:us-east-2::service-setting/ssm/parameter-store/default-parameter-tier" \
  --setting-value "Advanced"
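The describe-parameters output above also carries each parameter's attached policies, which makes it the natural input for a compliance check along the lines of the best-practices table (pair Expiration with ExpirationNotification, watch for stale secrets). The following is an added example, not code from the original post: it audits a constructed sample shaped like `aws ssm describe-parameters` JSON output; the 90-day rotation limit is an assumption borrowed from the post's use case, and the parameter names and ARNs are placeholders.

```python
import json
from datetime import datetime

ROTATION_LIMIT_DAYS = 90  # assumed limit, from the post's "rotate every 90 days" example

# Constructed sample shaped like `aws ssm describe-parameters` JSON output:
# one Advanced parameter with two policies, one Standard parameter with none.
SAMPLE_OUTPUT = json.dumps({"Parameters": [
    {"Name": "/prod/app/twtechsecretKey", "Type": "SecureString", "Tier": "Advanced",
     "LastModifiedDate": "2025-09-01T10:00:00+00:00",
     "Policies": [
         {"PolicyType": "Expiration", "PolicyStatus": "Pending", "PolicyText":
          '{"Type":"Expiration","Version":"1.0","Attributes":{"Timestamp":"2025-12-31T00:00:00Z"}}'},
         {"PolicyType": "NoChangeNotification", "PolicyStatus": "Pending", "PolicyText":
          '{"Type":"NoChangeNotification","Version":"1.0","Attributes":{"After":"30D",'
          '"NotificationArn":"arn:aws:sns:us-east-2:123456789012:RotationReminders"}}'}]},
    {"Name": "/prod/db/password", "Type": "SecureString", "Tier": "Standard",
     "LastModifiedDate": "2025-01-15T08:30:00+00:00", "Policies": []},
]})


def audit(output_json: str, now_iso: str) -> dict:
    """Map each parameter name to its list of findings; compliant ones are omitted."""
    now = datetime.fromisoformat(now_iso)
    findings = {}
    for p in json.loads(output_json)["Parameters"]:
        issues = []
        attached = {pol["PolicyType"] for pol in p.get("Policies", [])}
        if p["Type"] == "SecureString":
            if p.get("Tier") != "Advanced":
                issues.append("Standard tier: policies are unavailable, move to Advanced")
            if "NoChangeNotification" not in attached:
                issues.append("no NoChangeNotification: a stale secret goes unnoticed")
            if "Expiration" in attached and "ExpirationNotification" not in attached:
                issues.append("Expiration without ExpirationNotification: silent expiry")
        # Age check works for every parameter type, policies or not.
        age = (now - datetime.fromisoformat(p["LastModifiedDate"])).days
        if age > ROTATION_LIMIT_DAYS:
            issues.append(f"unchanged for {age} days (limit {ROTATION_LIMIT_DAYS})")
        if issues:
            findings[p["Name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_OUTPUT, "2025-10-01T12:00:00+00:00").items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

In practice the first argument is the captured output of `aws ssm describe-parameters` run in CloudShell; the sample keeps the example runnable offline.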
CLI Demo for AWS Systems Manager Parameter Store (SSM PS):
aws ssm get-parameters --names /twtechapp/dev/db-password /twtechapp/dev/db-url
How twtech decrypts a secured parameter value with a flag: --with-decryption
aws ssm get-parameters --names /twtechapp/dev/db-password /twtechapp/dev/db-url --with-decryption
How twtech gets a parameter by path: /twtechapp/prod/db-password
aws ssm get-parameters-by-path --path /twtechapp/prod/ --with-decryption
Or:
How twtech gets a parameter by path with the flag --recursive: /twtechapp/prod/db-password
aws ssm get-parameters-by-path --path /twtechapp/prod/ --recursive --with-decryption
How twtech gets the same parameter by recursing from the root path /twtechapp:
aws ssm get-parameters-by-path --path /twtechapp --recursive --with-decryption
NB:
To exit the bash shell on CloudShell, press Ctrl + C.