Amazon EC2 Systems Manager
User Guide

Control Access to Systems Manager Parameters

We recommend that you restrict user access to Systems Manager parameters by creating restrictive AWS Identity and Access Management (IAM) user policies. For example, the following policy gives the user read-only permission (GetParameters and DescribeParameters) to all production parameters (parameters whose names begin with prod.).

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "ssm:DescribeParameters" ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [ "ssm:GetParameters" ],
          "Resource": "arn:aws:ssm:us-east-1:123456123:parameter/prod.*"
        }
      ]
    }

If you want to provide a user with full access to all Systems Manager Parameter API operations, use a policy like the following example. This policy gives the user full access (describe, put, get and delete) to all production parameters whose names begin with dbserver.prod.; the Resource element is what limits that access to those parameters.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ssm:DescribeParameters",
            "ssm:PutParameter",
            "ssm:GetParameters",
            "ssm:DeleteParameter"
          ],
          "Resource": [
            "arn:aws:ssm:region:account id:parameter/dbserver.prod.*"
          ]
        }
      ]
    }

You can also delegate access so that instances can only read specific parameters. For secure strings, you also have to grant KMS decrypt permission on the key, so that the instance can decrypt secure string parameter values. The following example enables instances to get a parameter value only for parameters whose names begin with "prod."; if the parameter is a secure string, the instance decrypts the value using the listed KMS key.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "ssm:GetParameters" ],
          "Resource": [ "arn:aws:ssm:region:account-id:parameter/prod.*" ]
        },
        {
          "Effect": "Allow",
          "Action": [ "kms:Decrypt" ],
          "Resource": [ "arn:aws:kms:region:account-id:key/CMK" ]
        }
      ]
    }

Note

If you choose the Secure String data type when you create your parameter, then AWS KMS encrypts the parameter value. For more information about AWS KMS, see the AWS Key Management Service Developer Guide.

Each AWS account is assigned a default AWS KMS key for Systems Manager. You can view your key (and the key ID to use in place of CMK in the policy above) by running the following command from the AWS CLI:

    aws kms describe-key --key-id alias/aws/ssm

Note

Instance policies, such as the one in the previous example, are assigned to the instance role in IAM. For more information about configuring access to Systems Manager features, including how to assign policies to users and instances, see Configuring Security Roles for Systems Manager.

Granting Access to Parameters Using Tags

You can assign tags to parameters to enable tag-based permissions, so that you can create an IAM policy that grants access only to parameters that carry a specific tag.

Step 1: Add a tag to the parameter by calling the Systems Manager AddTagsToResource API (add-tags-to-resource in the AWS CLI):

    aws ssm add-tags-to-resource --resource-type Parameter --resource-id <some_parameter_name> --tags Key=tagging_test_key,Value=tagging_test_value

Step 2: Attach an IAM policy to the user that allows ssm:GetParameters only on resources tagged tagging_test_key:tagging_test_value, as shown below. Note that this example also allows ssm:AddTagsToResource on every parameter; because tagging a parameter is what makes it readable under the condition, a user with this policy can extend their own read access by tagging additional parameters, so grant tagging rights separately and more narrowly in production.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "ssm:GetParameters" ],
          "Resource": "*",
          "Condition": {
            "StringLike": {
              "ssm:resourceTag/tagging_test_key": [ "tagging_test_value" ]
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [ "ssm:AddTagsToResource" ],
          "Resource": "*"
        }
      ]
    }

Step 3: As the user with the policy above, call get-parameters from the AWS CLI.

The following command should return the parameter details for <some_parameter_name>:

    aws ssm get-parameters --names <some_parameter_name>

The following command should return an error like "User: <current_user_ARN> is not authorized to perform: ssm:GetParameters on resource: <some_other_parameter_ARN>". Partial authorization is not supported: if the request names any parameter that does not carry a permitted tag, the whole request is denied and no parameter values are returned.

    aws ssm get-parameters --names <some_other_parameter_name> <some_parameter_name>
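The policies on this page can be checked offline before they are attached to a user or an instance role. The following Python block is an added example and not AWS code: it models only the subset of IAM that these policies use (Allow statements, "*" wildcards in Action and Resource, the StringLike operator on ssm:resourceTag/<key>, and implicit deny), and it reproduces the two behaviours the page describes: a secure string read needs both ssm:GetParameters on the parameter and kms:Decrypt on the key (the instance policy above), and a multi-name get-parameters call is all-or-nothing under the tag-based policy. The region, account ID, key ID, parameter names and tag values are constructed sample values.

```python
"""Toy evaluator for the Parameter Store IAM policies shown on this page.

Added example, not AWS code. It models only what those policies need:
Allow statements, '*'/'?' wildcards, the StringLike condition operator on
ssm:resourceTag/<key>, and implicit deny for anything not allowed.
"""
import fnmatch

# Constructed sample values; substitute your own region, account and key ID.
REGION, ACCOUNT = "us-east-1", "123456789012"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/CONSTRUCTED-KEY-ID"


def param_arn(name: str) -> str:
    """ARN of a Parameter Store parameter in the sample account."""
    return f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/{name}"


def _matches(patterns, value: str) -> bool:
    """IAM-style wildcard match; a bare string is treated as a one-item list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_ok(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block. Only StringLike is modelled (all the page uses);
    a context key that is absent from the request never satisfies the test."""
    for operator, tests in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, patterns in tests.items():
            actual = context.get(key)
            if actual is None or not _matches(patterns, actual):
                return False
    return True


def is_allowed(policy: dict, action: str, resource: str, context=None) -> bool:
    """True if some Allow statement matches action, resource and condition."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        return True
    return False  # implicit deny


def can_read_secure_string(policy: dict, name: str, key_arn: str) -> bool:
    """A SecureString read needs BOTH the GetParameters grant on the parameter
    and kms:Decrypt on the key that protects it."""
    return (is_allowed(policy, "ssm:GetParameters", param_arn(name))
            and is_allowed(policy, "kms:Decrypt", key_arn))


def get_parameters(policy: dict, names, tags: dict):
    """Model of `aws ssm get-parameters --names ...`: every named parameter must be
    authorised or the whole request fails, with no partial result."""
    for name in names:
        ctx = {f"ssm:resourceTag/{k}": v for k, v in tags.get(name, {}).items()}
        if not is_allowed(policy, "ssm:GetParameters", param_arn(name), ctx):
            raise PermissionError(
                f"not authorized to perform: ssm:GetParameters on resource: {param_arn(name)}")
    return list(names)


# Read-only policy from the first example on the page (prod.* parameters only).
READ_ONLY_PROD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:DescribeParameters"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ssm:GetParameters"], "Resource": param_arn("prod.*")},
]}

# Instance policy from the page: prod.* parameters plus decrypt on one KMS key.
INSTANCE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:GetParameters"], "Resource": [param_arn("prod.*")]},
    {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": [KEY_ARN]},
]}

# Tag-based policy from Step 2 on the page.
TAG_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:GetParameters"], "Resource": "*",
     "Condition": {"StringLike": {"ssm:resourceTag/tagging_test_key": ["tagging_test_value"]}}},
    {"Effect": "Allow", "Action": ["ssm:AddTagsToResource"], "Resource": "*"},
]}

# Constructed tag inventory: which sample parameters carry which tags.
SAMPLE_TAGS = {"tagged.api": {"tagging_test_key": "tagging_test_value"}, "other": {}}

if __name__ == "__main__":
    print("prod.db readable:", is_allowed(READ_ONLY_PROD, "ssm:GetParameters", param_arn("prod.db")))
    print("dev.db readable: ", is_allowed(READ_ONLY_PROD, "ssm:GetParameters", param_arn("dev.db")))
    print("instance can decrypt prod.db:", can_read_secure_string(INSTANCE_POLICY, "prod.db", KEY_ARN))
    print("tagged only:", get_parameters(TAG_POLICY, ["tagged.api"], SAMPLE_TAGS))
    try:
        get_parameters(TAG_POLICY, ["other", "tagged.api"], SAMPLE_TAGS)
    except PermissionError as err:
        print("mixed batch denied:", err)
```

Running the block shows that the read-only policy admits prod.db but not dev.db, that the instance policy can only read a secure string when its kms:Decrypt statement names the right key, and that a get-parameters call listing one tagged and one untagged parameter is denied as a whole rather than returning the tagged one.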