Restricting access to Systems Manager parameters using IAM policies - AWS Systems Manager

Restricting access to Systems Manager parameters using IAM policies

You restrict access to AWS Systems Manager parameters by using AWS Identity and Access Management (IAM). More specifically, you create IAM policies that restrict access to the following API operations:

When using IAM policies to restrict access to Systems Manager parameters, we recommend that you create and use restrictive IAM policies. For example, the following policy allows a user to call the DescribeParameters and GetParameters API operations for a limited set of resources. This means that the user can get information about and use all parameters that begin with prod-*.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:DescribeParameters" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:GetParameters" ], "Resource": "arn:aws:ssm:us-east-2:123456789012:parameter/prod-*" } ] }
Important

If a user has access to a path, then the user can access all levels of that path. For example, if a user has permission to access path /a, then the user can also access /a/b. Even if a user has explicitly been denied access in IAM for parameter /a/b, they can still call the GetParametersByPath API operation recursively for /a and view /a/b.

For trusted administrators, you can provide access to all Systems Manager parameter API operations by using a policy similar to the following example. This policy gives the user full access to all production parameters that begin with dbserver-prod-*.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "ssm:PutParameter", "ssm:DeleteParameter", "ssm:GetParameterHistory", "ssm:GetParametersByPath", "ssm:GetParameters", "ssm:GetParameter", "ssm:DeleteParameters" ], "Resource": "arn:aws:ssm:region:account-id:parameter/dbserver-prod-*" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "ssm:DescribeParameters", "Resource": "*" } ] }

Deny permissions

Each API is unique and has distinct operations and permissions that you can allow or deny individually. An explicit deny in any policy overrides the allow.

Note

The default AWS Key Management Service (AWS KMS) key has Decrypt permission for all IAM principals within the AWS account. If you want to have different access levels to SecureString parameters in your account, we don't recommend that you use the default key.

If you want all API operations retrieving parameter values to have the same behavior, then you can use a pattern like GetParameter* in a policy. The following example shows how to deny GetParameter, GetParameters, GetParameterHistory, and GetParametersByPath for all parameters beginning with prod-*.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "ssm:GetParameter*" ], "Resource": "arn:aws:ssm:us-east-2:123456789012:parameter/prod-*" } ] }

The following example shows how to deny some commands while allowing the user to perform other commands on all parameters that begin with prod-*.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "ssm:PutParameter", "ssm:DeleteParameter", "ssm:DeleteParameters" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:GetParametersByPath", "ssm:GetParameters", "ssm:GetParameter", "ssm:GetParameterHistory", "ssm:DescribeParameters" ], "Resource": "arn:aws:ssm:region:account-id:parameter/prod-*" } ] }
Note

The parameter history includes all parameter versions, including the current one. Therefore, if a user is denied permission for GetParameter, GetParameters, and GetParameterByPath but is allowed permission for GetParameterHistory, they can see the current parameter, including SecureString parameters, using GetParameterHistory.

Allowing only specific parameters to run on nodes

You can control access so that managed nodes can run only parameters that you specify.

If you choose the SecureString parameter type when you create your parameter, Systems Manager uses AWS KMS to encrypt the parameter value. AWS KMS encrypts the value by using either an AWS managed key or a customer managed key. For more information about AWS KMS and AWS KMS key, see the AWS Key Management Service Developer Guide.

You can view the AWS managed key by running the following command from the AWS CLI.

aws kms describe-key --key-id alias/aws/ssm

The following example allows nodes to get a parameter value only for parameters that begin with prod-. If the parameter is a SecureString parameter, then the node decrypts the string using AWS KMS.

Note

Instance policies, like in the following example, are assigned to the instance role in IAM. For more information about configuring access to Systems Manager features, including how to assign policies to users and instances, see Setting up AWS Systems Manager for EC2 instances.

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "ssm:GetParameters" ], "Resource":[ "arn:aws:ssm:region:account-id:parameter/prod-*" ] }, { "Effect":"Allow", "Action":[ "kms:Decrypt" ], "Resource":[ "arn:aws:kms:region:account-id:key/KMSkey" ] } ] }

IAM permissions for using AWS default keys and customer managed keys

Parameter Store SecureString parameters are encrypted and decrypted using AWS KMS keys. You can choose to encrypt your SecureString parameters using either a AWS KMS key or the default KMS key provided by AWS.

When using a customer managed key, the IAM policy that grants a user access to a parameter or parameter path must provide explicit kms:Encrypt permissions for the key. For example, the following policy allows a user to create, update, and view SecureString parameters that begin with prod- in the specified AWS Region and AWS account.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:PutParameter", "ssm:GetParameter", "ssm:GetParameters" ], "Resource": [ "arn:aws:ssm:us-east-2:111122223333:parameter/prod-*" ] }, { "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey" ], "Resource": [ "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-12345EXAMPLE" ] } ] }

1The kms:GenerateDataKey permission is required for creating encrypted advanced parameters using the specified customer managed key.

By contrast, all users within the customer account have access to the default AWS managed key. If you use this default key to encrypt SecureString parameters and don't want users to work with SecureString parameters, their IAM policies must explicitly deny access to the default key, as demonstrated in the following policy example.

Note

You can locate the Amazon Resource Name (ARN) of the default key in the AWS KMS console on the AWS managed keys page. The default key is the one identified with aws/ssm in the Alias column.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": [ "arn:aws:kms:us-east-2:111122223333:key/abcd1234-ab12-cd34-ef56-abcdeEXAMPLE" ] } ] }

If you require fine-grained access control over the SecureString parameters in your account, you should use a customer managed key to protect and restrict access to these parameters. We also recommend using AWS CloudTrail to monitor SecureString parameter activities.

For more information, see the following topics: