IAM Policy for SSM Parameter Store Read Access
Create an IAM policy for reading parameters from AWS Systems Manager Parameter Store. The policy is scoped to a specific path hierarchy to keep the grant at least privilege.
Detailed Explanation
SSM Parameter Store Read Policy
AWS Systems Manager Parameter Store is a popular alternative to Secrets Manager for storing configuration values, feature flags, and non-sensitive secrets. This policy grants read access to parameters under a specific path prefix.
Policy JSON
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSSMParameterRead",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath"
      ],
      "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/myapp/*"
    },
    {
      "Sid": "AllowDescribeParameters",
      "Effect": "Allow",
      "Action": "ssm:DescribeParameters",
      "Resource": "*"
    }
  ]
}
```
Hierarchical Paths
Parameter Store supports path hierarchies like /myapp/production/database/host. The GetParametersByPath action retrieves all parameters under a path prefix, making it efficient to load all configuration at startup.
SecureString Parameters
If parameters are of type SecureString (encrypted with KMS), you also need kms:Decrypt on the KMS key used for encryption. Parameters encrypted with the default aws/ssm key do not require explicit KMS permissions.
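The following Python example is added here to make the scoping rules from the Hierarchical Paths and SecureString sections concrete; it is not code from the original page. It builds the read policy above for a given account, region and path prefix, optionally appends the `kms:Decrypt` statement needed for a customer-managed key, and evaluates sample action/resource pairs with a simplified IAM matcher (wildcards only, no conditions). The helper names (`build_read_policy`, `is_allowed`) and the account id, region and KMS key ARN are constructed for the example.

```python
"""Build and sanity-check a least-privilege SSM Parameter Store read policy.

Added example, not from the original page. The account id, region, path and
KMS key ARN below are constructed sample values.
"""
import re
from typing import Dict, List, Optional

SSM_READ_ACTIONS = ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"]


def build_read_policy(account: str, region: str, path_prefix: str,
                      kms_key_arn: Optional[str] = None) -> Dict:
    """Return an IAM policy document scoped to parameters under path_prefix.

    path_prefix is a Parameter Store path such as "/myapp"; the resulting ARN
    ends in "parameter/myapp/*". The trailing slash before the wildcard keeps
    a sibling hierarchy such as "/myapp-legacy" out of scope. If a
    customer-managed KMS key encrypts SecureString parameters, a kms:Decrypt
    statement on that key is appended (the aws/ssm managed key needs none).
    """
    prefix = path_prefix.strip("/")
    if not prefix:
        raise ValueError("refusing to scope read access to the whole parameter tree")
    statements: List[Dict] = [
        {
            "Sid": "AllowSSMParameterRead",
            "Effect": "Allow",
            "Action": SSM_READ_ACTIONS,
            "Resource": f"arn:aws:ssm:{region}:{account}:parameter/{prefix}/*",
        },
        {
            # ssm:DescribeParameters does not support resource-level
            # permissions, so "*" is the only resource it accepts; it lists
            # parameter metadata only, never values.
            "Sid": "AllowDescribeParameters",
            "Effect": "Allow",
            "Action": "ssm:DescribeParameters",
            "Resource": "*",
        },
    ]
    if kms_key_arn:
        statements.append({
            "Sid": "AllowDecryptSecureString",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": kms_key_arn,
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _pattern_matches(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters (including
    '/'), '?' matches exactly one character."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, value) is not None


def is_allowed(policy: Dict, action: str, resource: str) -> bool:
    """Evaluate one action/resource pair against the policy.

    Simplified IAM logic: an explicit Deny wins, otherwise any matching Allow
    grants access, otherwise the default is deny. Action names compare
    case-insensitively, ARNs case-sensitively. Conditions are not modelled.
    """
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_pattern_matches(a.lower(), action.lower()) for a in actions):
            continue
        if not any(_pattern_matches(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    arn = "arn:aws:ssm:us-east-1:123456789012:parameter/myapp/production/database/host"
    policy = build_read_policy("123456789012", "us-east-1", "/myapp")
    print(is_allowed(policy, "ssm:GetParameter", arn))                 # True
    print(is_allowed(policy, "ssm:PutParameter", arn))                 # False
```

Running the evaluator against ARNs just outside the prefix (`parameter/myapp-legacy/...`, `parameter/otherapp/...`) is a quick way to confirm that the `/myapp/*` resource really does stop at the intended hierarchy before the policy is attached to a role.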
Parameter Store vs. Secrets Manager
| Feature | Parameter Store | Secrets Manager |
|---|---|---|
| Cost | Free (standard tier) | $0.40/secret/month |
| Rotation | Manual | Automatic |
| Size limit | 8 KB (advanced: 8 KB) | 64 KB |
| Cross-account | Via resource policies | Via resource policies |
| Best for | Config values, flags | Passwords, API keys |
Use Case
Applications loading configuration at startup, feature flag systems, environment-specific settings management, and non-secret configuration values that don't need the automatic rotation capabilities of Secrets Manager.
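As an added example of the startup-loading pattern described in the Hierarchical Paths section and this Use Case (not code from the original page), the loader below follows `NextToken` pagination across `GetParametersByPath` response pages, nests the returned parameters by their path segments, and separately records which names were `SecureString` so callers know which values must not be logged. `fetch_page` is a hypothetical callable standing in for `boto3.client("ssm").get_parameters_by_path(Path=..., Recursive=True, WithDecryption=True, NextToken=...)`; the two response pages are constructed sample data mirroring the API's response shape.

```python
"""Load a hierarchical Parameter Store path into a nested config dict.

Added example, not from the original page. `fake_fetch_page` and the sample
pages are constructed stand-ins for real GetParametersByPath responses.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: two pages, as returned when the API sets NextToken
# (it hands back at most 10 parameters per call).
SAMPLE_PAGES = [
    {
        "Parameters": [
            {"Name": "/myapp/production/database/host", "Type": "String", "Value": "db.internal"},
            {"Name": "/myapp/production/database/port", "Type": "String", "Value": "5432"},
        ],
        "NextToken": "page-2",
    },
    {
        "Parameters": [
            {"Name": "/myapp/production/database/password", "Type": "SecureString", "Value": "s3cr3t"},
            {"Name": "/myapp/production/features/new_checkout", "Type": "String", "Value": "true"},
            # Outside the requested hierarchy; a real API call would not return
            # it, but the loader ignores it anyway.
            {"Name": "/otherapp/production/key", "Type": "String", "Value": "ignored"},
        ]
    },
]


def fake_fetch_page(next_token: Optional[str]) -> Dict:
    """Stand-in for ssm.get_parameters_by_path(..., NextToken=next_token).
    In production, wrap the boto3 call in a function with this signature."""
    index = 0 if next_token is None else int(next_token.split("-")[1]) - 1
    return SAMPLE_PAGES[index]


def load_config(fetch_page: Callable[[Optional[str]], Dict],
                path_prefix: str) -> Tuple[Dict, List[str]]:
    """Return (nested config, relative names of SecureString parameters).

    Parameter names are split on '/' below path_prefix; intermediate segments
    become nested dicts and the last segment holds the value.
    """
    prefix = path_prefix.rstrip("/") + "/"
    config: Dict = {}
    secure: List[str] = []
    token: Optional[str] = None
    while True:
        page = fetch_page(token)
        for param in page.get("Parameters", []):
            name = param["Name"]
            if not name.startswith(prefix):
                continue  # defensive: only accept names under the requested path
            relative = name[len(prefix):]
            segments = relative.split("/")
            node = config
            for seg in segments[:-1]:
                node = node.setdefault(seg, {})
            node[segments[-1]] = param["Value"]
            if param.get("Type") == "SecureString":
                secure.append(relative)
        token = page.get("NextToken")
        if not token:
            break
    return config, secure


if __name__ == "__main__":
    cfg, secure_names = load_config(fake_fetch_page, "/myapp/production")
    print(cfg["database"]["host"], sorted(cfg))
    print("do not log:", secure_names)
```

Keeping the SecureString names alongside the config lets a startup routine dump the non-secret settings for debugging while redacting the rest, and the `startswith` guard means a mis-scoped call can never silently merge another hierarchy's values into the application's configuration.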