Ref: https://learn.cantrill.io/courses/1820301/lectures/41301602

DEMO: https://learn.cantrill.io/courses/1820301/lectures/41301603

• Summary
• Contents:

SSM Parameter Store - Key Concepts

Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/1100-ADVANCED_EC2/00_LEARNINGAIDS/SSMParameterStore.png

• 🔧 AWS Systems Manager (SSM) = operations hub for AWS applications and resources → manage systems at scale

  • 💡 Old name: Simple Systems Manager (hence “SSM”) →
  • 4 core feature groups: Operations Management, Application Management, Change Management & Node Management
  • SSM Parameter Store is a product within Application Management for storing parameters
    • Apps, EC2 instances or Lambda functions can request parameters from SSM Parameter Store. Parameters can be secured via IAM and KMS.

• Easy storage of parameters (key-value pairs)

  • Resilient, secure & scalable storage
  • Usually parameters for system/app configuration
    • Examples: license codes, DB strings (host names, ports…), full configs, passwords…
  • 3 different types:
    1. String
    2. StringList (comma-separated list of strings)
    3. SecureString (encrypted string)
  • 💡 SSM Parameter Store is a much more secure place to store configuration parameters than e.g. EC2 User Data (anyone with access to an EC2 instance can access User Data)

• Standard tier & Advanced tier

  SSM Parameter Store Tier	Number of parameters	Parameter value size	Parameter policies available?	Costs?
  Standard	Up to 10000	Up to 4kB	No	No* (Free)
  Advanced	No limit	Up to 8kB	Yes	Yes

  • *Unless you use faster throughput options

SSM Parameter Store - Characteristics

• Public service
  • Accessible from anywhere via AWS public space endpoints
  • Some parameters are Public Parameters created by AWS
    • e.g. latest AMIs per region
• Native integration with many AWS services (e.g. CFN, CLI tooling…)
• Supports versioning
• Supports hierarchies
  • Established when you use / in parameter names
  • Branches can be e.g. DBs (/wordpress/), apps (/my-cat-app/), functional divisions in your organization (/dev-team-passwords/)…
  • Parameter /wordpress/DBUser can be accessed by referencing full path/name, or by retrieving all parameters from /wordpress/ branch and then isolating DBUser
• Security integrated via IAM
  • Parameter accesses need to be authenticated & authorized
  • Flexible permissions: access can be granted to individual parameters or to branches
• Parameters can be stored in plaintext or ciphertext
  • Encryption via KMS → KMS permissions needed (separate from IAM permissions!)
  • Default AWS-managed key alias/aws/ssm grants access to all users in the current AWS account and region
  • Use CMK (Customer-Managed Key) to restrict parameter access inside account
• Supports events
  • Changes in parameters can trigger events