Systems Manager Parameter Store
Storing and referencing configuration data such as passwords, license keys, key pairs, certificates, and lists of users can be a time-consuming and error-prone process, especially at scale. Storing and using passwords in a secure manner is equally challenging at scale. Parameter Store efficiently and securely centralizes the management of configuration data that you commonly reference in scripts, commands, or other automation and configuration workflows. Parameter Store lets you reference parameters (called Systems Manager parameters) across Systems Manager features, including Run Command, State Manager, and Automation. You can also reference Systems Manager parameters across AWS services, including AWS Lambda and AWS CloudFormation.
For parameters such as passwords or key pairs that should be encrypted, Parameter Store lets you encrypt data by using an AWS Key Management Service (AWS KMS) key. You can then delegate access to users who should be allowed to decrypt and view the sensitive data. You can also monitor and audit parameter usage in Amazon EC2 or AWS CloudTrail.
Information for Windows Users
See Systems Manager Parameter Store in the Amazon EC2 User Guide for Windows Instances.
Service Limits
Parameter Store currently has the following service limits:
| Resource | Limit |
|---|---|
| Maximum number of parameters per account | 100 |
| Max size for parameter value | 1024 characters |
| Max history for a parameter | 100 past values |
Also note the following limitations:
You can't use parameters across regions. You must reference Systems Manager parameters in the region where they were created.
The Amazon EC2 console currently doesn't support creating an encrypted parameter (Secure String) with a custom KMS key. The console creates a Secure String parameter that uses the default KMS key assigned to your AWS account. You can create a Secure String with a custom KMS key by using the AWS CLI or the AWS SDK.
Before you begin
Verify that your EC2 instances and on-premises servers or virtual machines meet Systems Manager prerequisites. For more information, see Systems Manager Prerequisites.
About Systems Manager parameters
A Systems Manager parameter is a key-value pair that you create by specifying the following information.
Name: (Required) Specify a name to identify your parameter. Be aware of the following requirements and restrictions for Systems Manager parameter names:
A parameter name must be unique within your AWS account.
Parameter names are case-sensitive.
A parameter name can't be prefixed with "aws" or "ssm" (case-insensitive). For example, awsTestParameter or SSM-testparameter will fail with an exception.
Parameter names can only include the following symbols and letters:
a-zA-Z0-9_.-
Data Type: (Required) Specify a data type to define how the system uses a parameter. Parameter Store currently supports the following data types: String, String List, and Secure String.
Description (Optional): Type a description to help you identify your parameters and their intended use.
Value: (Required) Your parameter value.
Key ID (for Secure String): Either the default AWS KMS key automatically assigned to your AWS account or a custom key.
Note
You can use "." or "_" to group similar parameters. For example, you could group parameters as follows: prod.db.string and prod.domain.password.
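The naming rules and limits above lend themselves to a pre-flight check before calling put-parameter. The following Python is an added example, not code from this page or from AWS; the in-memory ParameterStore class is a constructed stand-in for one account's parameters, and the limits and name rules it enforces are the ones documented above.

```python
import re
from collections import defaultdict

# Limits and naming rules as documented for this version of Parameter Store.
MAX_PARAMETERS_PER_ACCOUNT = 100
MAX_VALUE_CHARS = 1024
RESERVED_PREFIXES = ("aws", "ssm")          # rejected case-insensitively
NAME_PATTERN = re.compile(r"^[a-zA-Z0-9_.-]+$")
DATA_TYPES = ("String", "StringList", "SecureString")


def validate_parameter_name(name):
    """Return None if the name is acceptable, otherwise the reason it is not."""
    if not name:
        return "name must not be empty"
    if not NAME_PATTERN.match(name):
        return "name may only contain a-z, A-Z, 0-9, '_', '.' and '-'"
    if name.lower().startswith(RESERVED_PREFIXES):
        return "name must not start with 'aws' or 'ssm' (checked case-insensitively)"
    return None


class ParameterStore:
    """In-memory stand-in for one account's Parameter Store (constructed for this example)."""

    def __init__(self):
        self.params = {}  # name -> (data type, value); names are case-sensitive

    def put(self, name, value, data_type="String"):
        """Mirror the checks that a put-parameter call would fail on."""
        reason = validate_parameter_name(name)
        if reason:
            raise ValueError(f"{name!r}: {reason}")
        if data_type not in DATA_TYPES:
            raise ValueError(f"{name!r}: unsupported data type {data_type!r}")
        if len(value) > MAX_VALUE_CHARS:
            raise ValueError(f"{name!r}: value exceeds {MAX_VALUE_CHARS} characters")
        # 'DbPass' and 'dbpass' are two distinct parameters; only an exact-name
        # match is an overwrite, anything else counts against the per-account limit.
        if name not in self.params and len(self.params) >= MAX_PARAMETERS_PER_ACCOUNT:
            raise ValueError(f"account already holds {MAX_PARAMETERS_PER_ACCOUNT} parameters")
        self.params[name] = (data_type, value)

    def group(self, separator="."):
        """Group names by their leading segment, e.g. prod.db.string -> 'prod'."""
        groups = defaultdict(list)
        for name in sorted(self.params):
            groups[name.split(separator, 1)[0]].append(name)
        return dict(groups)
```

Running the same checks locally before the API call gives a clearer error than the service exception, and the group method shows why a consistent "." or "_" naming scheme pays off once you have dozens of parameters per environment.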
Using Systems Manager parameters
After you create a parameter, you can specify it in your SSM documents, commands, or scripts using the following syntax:
{{ssm:parameter_name}}
Note
The name of a Systems Manager parameter can't be prefixed with "ssm" or "aws", but when you specify the parameter in an SSM document or a command, the name must be prefixed with "ssm:". Valid: {{ssm:addUsers}}. Invalid: {{ssm:ssmAddUsers}}.
The following is an example of an AWS CLI Run Command command using an SSM Parameter.
aws ssm send-command --instance-ids i-1a2b3c4d5e6f7g8 --document-name AWS-RunPowerShellScript --parameters '{"commands":["echo {{ssm:addUsers}}"]}'
Note
The runtimeConfig section of SSM documents uses similar syntax for local parameters. You can distinguish local parameters from Systems Manager parameters by the absence of the "ssm:" prefix.
"runtimeConfig":{
"aws:runShellScript":{
"properties":[
{
"id":"0.aws:runShellScript",
"runCommand":"{{ commands }}",
"workingDirectory":"{{ workingDirectory }}",
"timeoutSeconds":"{{ executionTimeout }}"
}
]
}
}
You can reference Systems Manager parameters in the Parameters section of an SSM document, as shown in the following example.
{
"schemaVersion":"2.0",
"$schema":"http://amazonaws.com/schemas/ec2/v3-0/runcommand#",
"description":"Sample version 2.0 document v2",
"parameters":{
"commands" : {
"type": "StringList",
"default": ["{{ssm:commands}}"]
}
},
"mainSteps":[
{
"action":"aws:runShellScript",
"name":"runShellScript",
"inputs":{
"commands": "{{commands}}"
}
}
]
}
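To make the difference between {{ssm:name}} references and local {{name}} placeholders concrete, here is an added Python example (not code from this page or from AWS) that classifies and resolves both kinds of placeholder against a constructed parameter set. PARAMETER_STORE and its entries are made up for the illustration; the reserved-prefix rule it enforces is the one stated in the note above, and StringList values are treated as comma-separated, which is how Parameter Store stores them.

```python
import re

# {{ssm:name}} is a Parameter Store reference; {{name}} is a local document parameter.
REF_PATTERN = re.compile(r"\{\{\s*(ssm:)?([A-Za-z0-9_.-]+)\s*\}\}")
RESERVED_PREFIXES = ("aws", "ssm")

# Constructed stand-in for the account's parameters in this region: name -> (type, value)
PARAMETER_STORE = {
    "addUsers": ("String", "net user alice /add"),
    "commands": ("StringList", "hostname,whoami"),
    "prod.domain.password": ("SecureString", "<cipher text>"),
}


def classify_references(template):
    """Split the placeholders in a template into Parameter Store refs and local refs."""
    ssm_refs, local_refs = [], []
    for prefix, name in REF_PATTERN.findall(template):
        (ssm_refs if prefix else local_refs).append(name)
    return ssm_refs, local_refs


def resolve_ssm(name, store=PARAMETER_STORE):
    """Fetch one Parameter Store value, applying the page's rules for referencing it."""
    if name.lower().startswith(RESERVED_PREFIXES):
        # {{ssm:ssmAddUsers}} can never be valid: no parameter may be named that way.
        raise ValueError(f"invalid reference {{{{ssm:{name}}}}}: names cannot start with aws/ssm")
    if name not in store:
        # Parameters are region-scoped, so a name created elsewhere looks missing here.
        raise KeyError(f"parameter {name!r} does not exist in this region")
    data_type, value = store[name]
    # StringList values are comma-separated; hand them back as a Python list.
    return value.split(",") if data_type == "StringList" else value


def render(template, local_inputs, store=PARAMETER_STORE):
    """Substitute {{ssm:...}} from the store and {{...}} from the caller's inputs."""
    def substitute(match):
        prefix, name = match.groups()
        if prefix:
            resolved = resolve_ssm(name, store)
            return ",".join(resolved) if isinstance(resolved, list) else resolved
        if name not in local_inputs:
            raise KeyError(f"local parameter {name!r} was not supplied")
        return str(local_inputs[name])
    return REF_PATTERN.sub(substitute, template)
```

The same regular expression drives both functions, so a placeholder is either resolved from the store or from the command's own inputs, never silently left in place; that is also the behaviour you want when auditing a document for references to parameters that no longer exist in the target region.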
Predefined SSM documents (all documents that begin with "AWS-") currently don't support Secure Strings or references to Secure String type parameters. This means that to use Secure String parameters with Run Command, you have to retrieve the parameter value before passing it to Run Command, as shown in the following example:
$value = aws ssm get-parameters --names secureparam --with-decryption --query "Parameters[0].Value" --output text
aws ssm send-command --document-name AWS-JoinDomain --parameters "password=$value" --instance-ids instance_ID
Be aware that the decrypted value is then passed to Run Command as an ordinary string, so it is visible to anyone who can view that command's parameters.
About Secure String Parameters
A secure string is any sensitive data that needs to be stored and referenced in a secure manner. If you have data that you don't want users to alter or reference in clear text, such as domain join passwords or license keys, then specify those values using the Secure String data type. You should use secure strings when:
You want to use data/parameters across AWS services without exposing the values as clear text in commands, functions, agent logs, or AWS CloudTrail logs.
You want to control who has access to sensitive data.
You want to be able to audit when sensitive data is accessed (AWS CloudTrail).
You want AWS-level encryption for your sensitive data and you want to bring your own encryption keys to manage access.
If you choose the Secure String data type when you create your parameter, then Systems Manager encrypts the parameter value when it is passed into a command and decrypts it when processing it on the managed instance. Encryption ensures that you can pass sensitive data such as passwords or license keys into commands or scripts without exposing the values in the command, agent logs, or other services such as AWS CloudTrail.
Encryption is handled by AWS KMS. Each AWS account is assigned a default AWS KMS key. You can view your key by executing the following command from the AWS CLI:
aws kms describe-key --key-id alias/aws/ssm
If you create a Secure String parameter using the default KMS key, then you don't have to provide a value for the Key ID parameter. The following CLI example shows the command to create a new Secure String parameter in Parameter Store without the --key-id parameter:
aws ssm put-parameter --name secure_string1_default_key --value "a_secure_string_value" --type SecureString
If you want to use a custom KMS key instead of the default key assigned to your account, then you must specify the ARN using the --key-id parameter, as shown in the following AWS CLI example:
aws ssm put-parameter --name secure_string1_custom_key --value "a_secure_string_value" --type SecureString --key-id arn:aws:kms:us-east-1:123456789012:key/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e
Note that a value supplied with --value on the command line can be recorded in your shell history, so clear it or supply the value from a file or variable when the parameter is sensitive.
You can create a custom AWS KMS key from the AWS CLI by using the following command:
aws kms create-key
You can also store a value that you have already encrypted yourself. In this case, because the string is already encrypted, you don't have to choose the Secure String data type. If you do choose Secure String, your parameter will be doubly encrypted.
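Delegating decrypt access, as described above, is done with IAM rather than inside Parameter Store itself. The following Python is an added example, not code from this page or from AWS: it builds a least-privilege policy that lets a principal read parameters under one name prefix and decrypt them only through Parameter Store, using the kms:ViaService condition key, and includes a small evaluator to show what the wildcard does and does not cover. The region, account ID and key ARN are placeholders, and policy_allows is a simplified check written for this illustration, not IAM's evaluation logic.

```python
from fnmatch import fnmatchcase

# Placeholders for the illustration, not values from the page.
REGION = "us-east-1"
ACCOUNT = "123456789012"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f"


def parameter_arn(name, region=REGION, account=ACCOUNT):
    """ARN of a Systems Manager parameter; a trailing '*' in name gives a wildcard resource."""
    return f"arn:aws:ssm:{region}:{account}:parameter/{name}"


def decrypt_delegation_policy(name_prefix, key_arn=KEY_ARN, region=REGION, account=ACCOUNT):
    """Least-privilege policy: read parameters under one prefix, decrypt with one key.

    kms:Decrypt is limited with kms:ViaService so the key can only be used on the
    principal's behalf by Parameter Store in this region, not called directly.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOnlyPrefix",
                "Effect": "Allow",
                "Action": ["ssm:GetParameters"],
                "Resource": parameter_arn(f"{name_prefix}*", region, account),
            },
            {
                "Sid": "DecryptViaParameterStore",
                "Effect": "Allow",
                "Action": ["kms:Decrypt"],
                "Resource": key_arn,
                "Condition": {
                    "StringEquals": {"kms:ViaService": f"ssm.{region}.amazonaws.com"}
                },
            },
        ],
    }


def policy_allows(policy, action, resource, via_service=None):
    """Toy evaluator for the Allow statements above (no Deny, no other condition keys)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if not fnmatchcase(resource, stmt["Resource"]):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond and cond.get("kms:ViaService") != via_service:
            continue
        return True
    return False
```

The point of the two-statement shape is that neither half is useful on its own: a principal that can call ssm:GetParameters on prod.db.* still gets cipher text back unless it can also use the key, and the key grant cannot be turned into a general-purpose decrypt oracle because of the kms:ViaService condition. Parameters outside the prefix, such as prod.domain.password, stay out of reach.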
The Secure String data type is recognized by Systems Manager Run Command, which means you can define a parameter as a Secure String within the Parameters section of your Run Command SSM document. When you author your document, you set the type of the parameter to SecureString, as shown below. When returning the parameter values that were sent to a given command, the values for secure parameters will be an encrypted string. However, for existing AWS documents, not all parameters can be passed securely.
{
"schemaVersion":"1.2",
"description":"Run a PowerShell script or specify the paths to scripts to run.",
"parameters":{
"licenseKey":{
"type":"SecureString",
"description":"(Required) Specify the license key to be set on the instance."
}
},
"runtimeConfig":{
"aws:runPowerShellScript":{
"properties":[
{
"id":"0.aws:runPowerShellScript",
"runCommand":"slmgr.vbs /ipk {{ licenseKey }}"
}
]
}
}
}
By default, all Secure String values are cipher text when displayed using the EC2 console and the AWS CLI. To decrypt a Secure String value, a user must have KMS decryption permissions, as described in the next section. For more information about AWS KMS, see AWS Key Management Service Developer Guide.

