This chapter covers AWS Systems Manager Parameter Store, a secure, serverless service for storing and managing configuration data and secrets. For the DVA-C02 exam, Parameter Store is a key topic under Domain 2: Security, Objective 2.4: 'Manage secrets and configuration data using AWS services.' Approximately 5-8% of exam questions involve Parameter Store, often comparing it with AWS Secrets Manager or testing its integration with EC2, Lambda, and CloudFormation. You will need to understand parameter tiers, policies, encryption, versioning, and how to retrieve parameters from code and infrastructure.
Imagine a large office building with a central mailroom. Each department has a numbered locker (parameter name) inside the mailroom. The mailroom manager (Parameter Store) controls access: only authorized employees (IAM principals) can open specific lockers based on their badge permissions (IAM policies). Employees can store envelopes (plaintext parameters) or sealed boxes (secure parameters encrypted with a master key from the security office (KMS)). The mailroom automatically sorts envelopes into three tiers: standard delivery (Standard tier) for daily memos, express delivery (Advanced tier) for urgent documents with higher priority, and a special vault (Hierarchy) for organizing lockers in a tree structure. Each locker has a label (name) and a description (description). When an employee retrieves an envelope, the mailroom logs the event (CloudTrail) and can notify the building security if someone tries to open a locked box without permission (CloudWatch Events). The mailroom also supports versioning: if an employee updates the contents, the old version is kept for 100 revisions for standard lockers and 100,000 for advanced lockers. This allows rollback to a previous version if needed. The mailroom is serverless and scales automatically to handle thousands of retrievals per second, ensuring minimal latency.
What is AWS Systems Manager Parameter Store?
AWS Systems Manager Parameter Store is a fully managed, serverless capability of AWS Systems Manager that provides secure, hierarchical storage for configuration data and secrets. It allows you to store strings, lists of strings, or secure strings (encrypted with KMS) as parameters. You can reference these parameters from various AWS services (EC2, Lambda, CloudFormation, CodePipeline) and from your application code using the AWS SDK or CLI.
Why Parameter Store Exists
Before Parameter Store, developers often hard-coded configuration values (database URLs, API keys) in code or configuration files, leading to security risks and operational overhead when values changed. Parameter Store centralizes configuration, enables versioning, audit trails via CloudTrail, and fine-grained access control with IAM. It is designed for use cases where you need to store up to 10,000 parameters (Standard tier) or up to 100,000 parameters (Advanced tier) with higher throughput and larger parameter sizes.
How It Works Internally
When you create a parameter, you specify:
- Name: A unique, hierarchical name (e.g., /myapp/prod/db_url)
- Description: Optional text
- Type: String, StringList, or SecureString
- Value: The actual data (up to 4 KB for Standard, 8 KB for Advanced)
- Tier: Standard (free, 10,000 params, 40 API calls/sec) or Advanced (paid, 100,000 params, 100 API calls/sec, parameter policies)
- Data Type: text or aws:ec2:image (for AMI IDs)
For SecureString, you can specify a KMS key. If you use the default AWS managed key (aws/ssm), there is no additional KMS cost; you can also use a customer managed key. Encryption is applied at rest; in transit, all API calls use TLS.
Parameter Store stores parameters in a highly durable, replicated backend (multiple Availability Zones). When you retrieve a parameter, you specify the name and optionally a version. The service returns the value and metadata (ARN, version, last modified date). The service integrates with CloudTrail to log all API calls (GetParameter, PutParameter, DeleteParameter, etc.).
Key Components, Values, Defaults, and Timers
- Parameter Name: Max length 2048 characters. Must begin with a forward slash for hierarchy (/). Case-sensitive. Supports aws: prefix for AWS managed parameters (e.g., /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2).
- Parameter Value: Standard tier max 4 KB (4096 characters). Advanced tier max 8 KB (8192 characters). For larger values, use S3 and store the reference.
- Parameter Policies (Advanced tier only):
  - Expiration: Sets a TTL (e.g., 30 days) after which the parameter is automatically deleted.
  - ExpirationNotification: Sends events to CloudWatch Events before expiration (e.g., 15, 7, 1 days before).
  - NoChangeNotification: Sends events if the parameter hasn't been modified for a specified time (e.g., 30 days).
- Throughput: Standard tier: 40 transactions per second per AWS account per region. Advanced tier: 100 transactions per second. You can request a throughput increase via Service Quotas.
- Versioning: Each update increments the version number. Standard tier retains up to 100 versions; Advanced tier retains up to 100,000 versions. You can retrieve a specific version or the latest.
- Labels: You can assign up to 10 labels per parameter (e.g., prod, latest). Labels are mutable and can be moved across versions.
- Hierarchy: Use slash-delimited names to create a tree structure. IAM policies can grant access to a subtree (e.g., /myapp/prod/*).
- CloudTrail: All Parameter Store API calls are logged. GetParameter calls are not logged by default (you must enable Data Events).
- CloudWatch Events: Parameter Store can emit events when parameters are created, updated, deleted, or when policy notifications trigger.
Configuration and Verification Commands
AWS CLI examples:
```bash
# Create a parameter (String)
aws ssm put-parameter --name "/myapp/dev/db_url" --value "jdbc:mysql://localhost:3306/mydb" --type String

# Create a SecureString parameter with default KMS key
aws ssm put-parameter --name "/myapp/prod/db_password" --value "MySecretPassword123" --type SecureString

# Create a parameter with Advanced tier and expiration policy
aws ssm put-parameter --name "/myapp/temp/token" --value "temporary" --type String --tier Advanced --policies "[{\"Type\":\"Expiration\",\"Version\":\"1.0\",\"Attributes\":{\"Timestamp\":\"2025-12-31T23:59:59Z\"}}]"

# Retrieve a parameter (latest version)
aws ssm get-parameter --name "/myapp/dev/db_url"

# Retrieve a parameter with decryption (for SecureString)
aws ssm get-parameter --name "/myapp/prod/db_password" --with-decryption

# Retrieve parameters by path (hierarchy)
aws ssm get-parameters-by-path --path "/myapp/prod" --recursive

# List parameters
aws ssm describe-parameters

# Delete a parameter
aws ssm delete-parameter --name "/myapp/dev/db_url"
```
SDK Example (Python):
```python
import boto3

ssm = boto3.client('ssm', region_name='us-east-1')

# Get a plaintext parameter
response = ssm.get_parameter(Name='/myapp/dev/db_url')
value = response['Parameter']['Value']

# Get a SecureString parameter (decrypt); the caller also needs kms:Decrypt on the key
response = ssm.get_parameter(Name='/myapp/prod/db_password', WithDecryption=True)
secret = response['Parameter']['Value']

# Get parameters by path (hierarchy). One call returns at most 10 parameters,
# so follow NextToken (or use ssm.get_paginator) for larger subtrees
response = ssm.get_parameters_by_path(Path='/myapp/prod', Recursive=True)
for param in response['Parameters']:
    print(param['Name'], param['Value'])
```
Interaction with Related Technologies
EC2: Use Systems Manager Agent (SSM Agent) to retrieve parameters on instance startup or during runtime. Attach an IAM instance profile with permission ssm:GetParameter.
Lambda: Use environment variables referencing Parameter Store (via the Lambda console or CloudFormation). Or retrieve directly in code using the AWS SDK.
CloudFormation: Use AWS::SSM::Parameter::Value dynamic references to retrieve parameter values at stack creation/update. Supported for String and StringList types (not SecureString). For SecureString, use a Secrets Manager dynamic reference or a Lambda-backed custom resource.
CodePipeline/CodeBuild: Use parameter-store action to inject parameters as environment variables.
ECS/EKS: Use secrets and environmentFiles in task definitions to reference Parameter Store.
CloudTrail: Audit all parameter changes. Enable data events to log GetParameter calls.
CloudWatch Events/EventBridge: Automate responses to parameter changes (e.g., trigger a Lambda function to restart a service when a parameter updates).
Parameter Store vs Secrets Manager
While both services store secrets, Parameter Store is optimized for configuration data with lower cost (free tier for Standard) and simpler API. Secrets Manager is better for secrets that require automatic rotation, cross-region replication, and fine-grained access with resource-based policies. The exam often tests when to use each: use Parameter Store for non-sensitive config (DB URLs, feature flags) and for secrets with low rotation frequency; use Secrets Manager for database credentials, API keys that need rotation, or when you need to share secrets across accounts.
Security and IAM
Access to parameters is controlled by IAM policies. You can restrict access based on parameter path, name, type, and version. Example policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:GetParameter",
      "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/myapp/prod/*"
    }
  ]
}
```
Use aws:SourceArn and aws:SourceAccount conditions to prevent cross-service confused deputy problems.
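To make the scoping in that policy concrete, here is an added example (not part of the original chapter and not AWS code) that evaluates IAM-style Allow/Deny statements against parameter ARNs. It shows two things a reviewer checks: that the ARN form drops the leading slash of a hierarchical name (`parameter/myapp/prod/db_url`, not `parameter//myapp/...`), and that a `Resource` of `*` reaches every parameter in the account, which is the misconfiguration Scenario 2 below warns about. The account id, region and the second policy are constructed for the demonstration; condition keys are not modelled.

```python
import re
from typing import List

# Constructed values; not a real account.
REGION = "us-east-1"
ACCOUNT = "123456789012"


def parameter_arn(name: str, region: str = REGION, account: str = ACCOUNT) -> str:
    """ARN that IAM evaluates for a parameter. The leading '/' of a hierarchical
    name is absorbed: /myapp/prod/db_url -> ...:parameter/myapp/prod/db_url."""
    return f"arn:aws:ssm:{region}:{account}:parameter/{name.lstrip('/')}"


def _wildcard_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style matching: '*' spans any run of characters (including '/'),
    '?' exactly one. Action names are case-insensitive; resource ARNs are not."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(v) -> list:
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, action: str, arn: str) -> bool:
    """Evaluate identity-policy statements: an explicit Deny wins, otherwise any
    matching Allow grants, otherwise the result is the implicit deny.
    Condition keys (aws:SourceArn etc.) are not modelled here."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def overbroad_statements(policy: dict) -> List[int]:
    """Indexes of Allow statements that reach parameters in unrelated subtrees.
    Probed with two constructed ARNs: a statement matching both is not scoped."""
    probes = [parameter_arn("/myapp/prod/db_url"), parameter_arn("/other-team/secret")]
    return [i for i, stmt in enumerate(policy["Statement"])
            if stmt["Effect"] == "Allow"
            and all(any(_wildcard_match(r, p) for r in _as_list(stmt["Resource"]))
                    for p in probes)]


# The policy from the text, scoped to one subtree.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ssm:GetParameter",
        "Resource": f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/myapp/prod/*",
    }],
}

# Constructed counter-example: Resource "*" grants every parameter in the account.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ssm:GetParameter", "Resource": "*"}],
}

if __name__ == "__main__":
    for label, policy in (("scoped", SCOPED_POLICY), ("overbroad", OVERBROAD_POLICY)):
        for name in ("/myapp/prod/db_url", "/myapp/dev/db_url", "/other-team/secret"):
            print(label, name, is_allowed(policy, "ssm:GetParameter", parameter_arn(name)))
        print(label, "overbroad statements:", overbroad_statements(policy))
```

Note that the scoped policy grants only `ssm:GetParameter`; a service that also reads a whole subtree with `GetParametersByPath` needs that action listed explicitly, as the ECS scenario below does.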
Cost
Standard tier: Free (up to 10,000 parameters, 40 API calls/sec). Advanced tier: $0.05 per parameter per month, plus $0.05 per 10,000 API calls (first 10,000 free per month). SecureString encryption with default KMS key is free; using a customer managed key incurs KMS costs.
Create a Parameter in Parameter Store
Use the AWS Management Console, CLI, or SDK to call `PutParameter`. Specify the name (e.g., `/myapp/dev/db_url`), type (`String`, `StringList`, `SecureString`), value, and optionally tier, description, data type, and policies (for Advanced tier). The service validates the name (must start with `/` for hierarchy, max 2048 chars) and value size (max 4KB Standard, 8KB Advanced). If `SecureString`, the value is encrypted with the specified KMS key (default `aws/ssm` if not specified). The parameter is stored in the SSM backend with a version number starting at 1. CloudTrail logs the `PutParameter` event.
Retrieve a Parameter from Code
Your application (e.g., a Lambda function) calls `GetParameter` with the parameter name and, for `SecureString`, `WithDecryption=True`. The SDK sends a signed HTTPS request to the SSM API. The service checks IAM permissions: the caller must have `ssm:GetParameter` on the specific parameter ARN. If allowed, the service returns the parameter value (decrypted if requested and KMS permissions allow) along with metadata (ARN, version, last modified date). The SDK does not cache responses; implement your own cache to reduce API calls and cost. The entire round trip takes a few milliseconds.
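Since caching is left to the caller, here is an added example (not from the chapter or from AWS) of the kind of TTL cache the microservices scenario below describes. A constructed stand-in for `boto3.client("ssm")` replaces the real client so the code runs offline; it returns the same `GetParameter` response shape, counts calls, and can be made to fail once to simulate throttling against the per-account TPS limit. The cache records the version returned with each value and, when a refresh fails, serves the last good value instead of taking the application down. With the real client, the exception to catch is `botocore.exceptions.ClientError`.

```python
import time
from typing import Callable, Dict, Optional, Tuple


class FakeSsmClient:
    """Constructed stand-in for boto3.client("ssm") so the example runs offline.
    Returns the boto3 GetParameter response shape, counts calls, and can be told
    to fail the next call (the real client raises botocore.exceptions.ClientError)."""

    def __init__(self):
        self.calls = 0
        self.fail_next = False
        self.store = {
            "/myapp/prod/db_password": {"Type": "SecureString", "Version": 1,
                                        "Value": "pw-v1-constructed"},
        }

    def get_parameter(self, Name, WithDecryption=False):
        self.calls += 1
        if self.fail_next:
            self.fail_next = False
            raise RuntimeError("ThrottlingException (simulated)")
        p = self.store[Name]
        # Without WithDecryption a SecureString comes back as ciphertext.
        value = p["Value"] if WithDecryption or p["Type"] != "SecureString" else "<ciphertext>"
        return {"Parameter": {"Name": Name, "Type": p["Type"], "Value": value,
                              "Version": p["Version"]}}

    def put_parameter(self, Name, Value):
        """Simulate an update: the service keeps the name and increments the version."""
        p = self.store[Name]
        p["Value"], p["Version"] = Value, p["Version"] + 1
        return {"Version": p["Version"]}


class ParameterCache:
    """Caches GetParameter results for ttl_seconds. After the TTL the next read
    refreshes from the service; if that refresh fails (for example throttling)
    the stale value is served rather than failing the caller."""

    def __init__(self, ssm, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self._ssm = ssm
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so tests can advance time
        self._entries: Dict[str, Tuple[str, int, float]] = {}  # name -> (value, version, fetched_at)

    def get(self, name: str, decrypt: bool = False) -> str:
        entry = self._entries.get(name)
        now = self._clock()
        if entry is not None and now - entry[2] < self._ttl:
            return entry[0]
        try:
            p = self._ssm.get_parameter(Name=name, WithDecryption=decrypt)["Parameter"]
        except Exception:
            if entry is None:
                raise  # nothing to fall back to on the very first read
            return entry[0]  # serve stale; fetched_at is unchanged, so we retry next time
        self._entries[name] = (p["Value"], p["Version"], now)
        return p["Value"]

    def cached_version(self, name: str) -> Optional[int]:
        """Version of the cached copy, useful for logging when a refresh picked up a change."""
        entry = self._entries.get(name)
        return entry[1] if entry else None


if __name__ == "__main__":
    ssm = FakeSsmClient()
    cache = ParameterCache(ssm, ttl_seconds=300)
    print(cache.get("/myapp/prod/db_password", decrypt=True), "version", cache.cached_version("/myapp/prod/db_password"))
    print(cache.get("/myapp/prod/db_password", decrypt=True), "calls so far:", ssm.calls)
```

A 5-minute TTL, as in the scenario below, bounds how long a rotated value can remain in use; shorten it for credentials and lengthen it for feature flags according to how quickly a change must take effect.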
Update a Parameter with Versioning
Call `PutParameter` with the same name but a new value. The service increments the version number (e.g., from 1 to 2). The previous version is retained (up to 100 for Standard, 100,000 for Advanced). You can retrieve a specific version using `GetParameter` with `Version` parameter. You can also assign labels (e.g., `prod`, `rollback`) to specific versions. CloudTrail logs the `PutParameter` event. If the parameter has an expiration policy, the new version resets the expiration timer unless the policy is version-specific.
Delete a Parameter and Clean Up
Call `DeleteParameter` with the parameter name. The service marks the parameter as deleted. If the parameter has versions, all versions are deleted. CloudTrail logs the `DeleteParameter` event. You cannot recover a deleted parameter; you must recreate it. If you need to temporarily disable a parameter, consider using a label to point to a dummy value or use a policy to expire it. For Advanced tier, deletion also removes associated policies.
Reference Parameter in CloudFormation
In a CloudFormation template, use the dynamic reference `{{resolve:ssm:/myapp/dev/db_url}}` for `String` or `StringList` parameters. For `SecureString`, use `{{resolve:secretsmanager:...}}` instead (Parameter Store SecureString is not directly supported). When the stack is created/updated, CloudFormation calls `GetParameter` on your behalf (requires IAM permissions). The value is substituted in the template. This is useful for passing database URLs, AMI IDs, etc. Note: Changes to the parameter value do not automatically trigger stack updates; you must manually update the stack or use a custom resource.
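To show how the `{{resolve:ssm:name}}` and `{{resolve:ssm:name:version}}` forms behave, here is an added example (not part of the chapter and not CloudFormation's own code) that substitutes ssm dynamic references in a template string against a constructed parameter table. It resolves the latest version unless one is given, and it fails on a SecureString (per the rule above) and on a deleted parameter (the failure mode Scenario 3 below describes), which is exactly what would fail the deployment. The parameter names, values and the AMI id are constructed placeholders.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed stand-in for the parameters the stack would read:
# name -> (type, {version: value}). The AMI id is a placeholder, not a real image.
PARAMETERS: Dict[str, Tuple[str, Dict[int, str]]] = {
    "/myapp/dev/db_url": ("String", {1: "jdbc:mysql://old-host:3306/mydb",
                                     2: "jdbc:mysql://new-host:3306/mydb"}),
    "/myapp/ami/latest": ("String", {1: "ami-0123456789abcdef0"}),
    "/myapp/prod/db_password": ("SecureString", {1: "never-returned-here"}),
}

# Matches {{resolve:ssm:parameter-name}} and {{resolve:ssm:parameter-name:version}}
DYNAMIC_REF = re.compile(
    r"\{\{resolve:(?P<service>[a-z-]+):(?P<name>[^:}]+)(?::(?P<version>\d+))?\}\}")


def resolve_dynamic_references(template_value: str, params=PARAMETERS) -> str:
    """Substitute every ssm dynamic reference in a template string: latest
    version unless one is given. A SecureString or a missing parameter raises,
    which is what makes a real stack create/update fail."""

    def _sub(match) -> str:
        service, name, version = match.group("service", "name", "version")
        if service != "ssm":
            raise ValueError("this resolver handles only ssm references, got " + service)
        if name not in params:
            raise KeyError("parameter not found: " + name)  # e.g. deleted by accident
        ptype, versions = params[name]
        if ptype == "SecureString":
            raise ValueError(name + " is a SecureString; {{resolve:ssm:...}} supports only String and StringList")
        v = int(version) if version else max(versions)
        if v not in versions:
            raise KeyError(name + " has no version " + str(v))
        return versions[v]

    return DYNAMIC_REF.sub(_sub, template_value)


def resolution_error(template_value: str, params=PARAMETERS) -> Optional[str]:
    """Return the failure message a template value would produce, or None if it resolves."""
    try:
        resolve_dynamic_references(template_value, params)
    except (KeyError, ValueError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for value in ("ImageId: {{resolve:ssm:/myapp/ami/latest}}",
                  "{{resolve:ssm:/myapp/dev/db_url:1}}",
                  "{{resolve:ssm:/myapp/prod/db_password}}",
                  "{{resolve:ssm:/myapp/ami/deleted}}"):
        print(value, "->", resolution_error(value) or resolve_dynamic_references(value))
```

Pinning a version (`:1`) makes a template deterministic; referencing the latest version, as the AMI scenario does, means a parameter update changes what the next stack update deploys without any template change.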
Scenario 1: Microservices Configuration Management
A company runs 50 microservices on ECS Fargate. Each service has environment-specific configuration (database URLs, API endpoints, feature flags). Previously, they used environment variables in task definitions, but updating a value required redeploying the service. They migrated to Parameter Store: each service retrieves its configuration from a hierarchical path like /myapp/{service_name}/{environment}/. For example, the 'user-service' in production reads from /myapp/user-service/prod/db_url. They use the Advanced tier for the production environment to support parameter policies (e.g., expiration for temporary credentials). The IAM role for each ECS task definition has a policy granting ssm:GetParameter and ssm:GetParametersByPath on the service-specific path. This allows them to update configuration without redeployment: they change the parameter value, and the service picks it up on the next read (they implement a 5-minute cache with refresh). They also use CloudWatch Events to trigger a Lambda function that sends a notification to the team when a critical parameter changes.
Scenario 2: Securing Database Credentials
A web application uses RDS MySQL. The database password is stored as a SecureString in Parameter Store under /myapp/prod/db_password. The application (running on EC2 with SSM Agent) retrieves the password at startup using the AWS SDK with WithDecryption=True. The EC2 instance profile has permissions to ssm:GetParameter and kms:Decrypt on the specific KMS key. They rotate the password manually every 90 days by updating the parameter. For audit, they enable CloudTrail data events for GetParameter to log all access to the secret. They also set a NoChangeNotification policy to alert if the password hasn't been rotated in 80 days. One common misconfiguration: granting ssm:GetParameter on * instead of the specific parameter ARN, which would allow access to all parameters in the account.
Scenario 3: Sharing AMI IDs Across Accounts
A DevOps team manages a golden AMI pipeline. The latest AMI ID is stored in Parameter Store as a String with name /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 (AWS managed). They also store custom AMI IDs in /myapp/ami/latest. In CloudFormation templates, they use {{resolve:ssm:/myapp/ami/latest}} to automatically use the latest AMI when launching EC2 instances. This eliminates hard-coded AMI IDs and ensures instances always use the approved image. They also use aws:ec2:image data type to validate that the value is a valid AMI ID. One challenge: if the parameter is deleted accidentally, the next CloudFormation deployment fails. They mitigate this with a backup parameter and a Lambda function that replicates the value to another region for disaster recovery.
What DVA-C02 Tests on Parameter Store
The exam focuses on Objective 2.4: "Manage secrets and configuration data using AWS services." You will see questions that compare Parameter Store with Secrets Manager, test your knowledge of parameter tiers, policies, encryption, and integration with Lambda, EC2, and CloudFormation. Specific subtopics:
- Differences between Standard and Advanced tiers (limits, cost, features like policies)
- How to retrieve parameters from Lambda (SDK vs environment variables)
- Dynamic references in CloudFormation (which types are supported, limitations)
- IAM permissions required for GetParameter and PutParameter
- When to use SecureString vs String vs StringList
- Parameter policies (Expiration, ExpirationNotification, NoChangeNotification)
- Versioning and labels
- Integration with CloudTrail and CloudWatch Events
Common Wrong Answers and Why Candidates Choose Them
"Use Secrets Manager for storing non-sensitive configuration like a database URL." – Wrong because Secrets Manager is for secrets that require rotation; Parameter Store is cheaper and simpler for non-sensitive config. Candidates overuse Secrets Manager.
"Parameter Store supports automatic rotation of secrets." – Wrong. Parameter Store does not have built-in rotation; Secrets Manager does. Candidates confuse the two services.
"You can use `{{resolve:ssm-secure:/myparam}}` in CloudFormation for SecureString." – Wrong. CloudFormation dynamic references only support String and StringList types for SSM. For SecureString, you must use Secrets Manager or a custom resource. Candidates assume SecureString works.
"Standard tier parameters can have expiration policies." – Wrong. Parameter policies (Expiration, ExpirationNotification, NoChangeNotification) are only available in Advanced tier. Candidates forget this distinction.
"You can retrieve a parameter without IAM permissions if it's public." – Wrong. All Parameter Store access requires IAM authentication and authorization. There is no public parameter concept. Candidates think some parameters are world-readable.
Specific Numbers and Terms to Memorize
- Standard tier: 10,000 parameters per account per region, 4 KB max size, 40 API calls/sec, free
- Advanced tier: 100,000 parameters per account per region, 8 KB max size, 100 API calls/sec, $0.05/param/month + $0.05 per 10,000 API calls
- Max name length: 2048 characters
- Max versions retained: Standard 100, Advanced 100,000
- Max labels per parameter: 10
- CloudFormation dynamic reference syntax: {{resolve:ssm:parameter-name}} or {{resolve:ssm:parameter-name:version}}
- SecureString uses KMS (default key aws/ssm or customer managed)
Edge Cases and Exceptions
- If you call GetParameter on a SecureString without WithDecryption=True, you get the encrypted value (ciphertext). You must have kms:Decrypt permission to decrypt.
- Parameter Store is not a global service; it is regional. Parameters are not replicated across regions automatically. Use Secrets Manager for cross-region replication.
- Deleting a parameter is permanent; there is no soft delete or recycle bin.
- Hierarchical names must start with /. Names without a slash are allowed but not recommended.
- StringList type expects values separated by commas, e.g., "value1,value2,value3". The SDK returns a single string; you must parse it.
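The SDK example earlier reads only the first page of GetParametersByPath, and the StringList and ciphertext points above are easy to get wrong in application code. Here is an added example (not from the chapter or from AWS) of a configuration loader that follows NextToken to the last page, keys each parameter by its name relative to the path, splits StringList values on commas, and only decrypts when asked. A constructed stand-in for `boto3.client("ssm")` pages two results per call (the real API returns at most 10) and returns ciphertext for SecureString without WithDecryption; the parameter names and values are made up for the demonstration.

```python
from typing import Dict, List, Union

# Constructed parameters, shaped like the entries boto3 returns. The secret is
# a made-up value; nothing here comes from a real account.
SAMPLE_PARAMETERS = [
    {"Name": "/myapp/prod/db_url", "Type": "String", "Value": "jdbc:mysql://db.internal:3306/mydb", "Version": 3},
    {"Name": "/myapp/prod/allowed_origins", "Type": "StringList", "Value": "https://a.example,https://b.example", "Version": 1},
    {"Name": "/myapp/prod/feature/beta", "Type": "String", "Value": "true", "Version": 2},
    {"Name": "/myapp/prod/db_password", "Type": "SecureString", "Value": "s3cr3t-constructed", "Version": 1},
    {"Name": "/myapp/prod/region", "Type": "String", "Value": "us-east-1", "Version": 1},
    {"Name": "/myapp/dev/db_url", "Type": "String", "Value": "jdbc:mysql://localhost:3306/mydb", "Version": 1},
]


class FakeSsmClient:
    """Stand-in for boto3.client("ssm") that pages GetParametersByPath results
    (2 per page here; the real API returns at most 10) and returns ciphertext
    for SecureString unless WithDecryption is set."""

    def __init__(self, params, page_size: int = 2):
        self._params = params
        self._page_size = page_size
        self.calls = 0

    def get_parameters_by_path(self, Path, Recursive=False, WithDecryption=False, NextToken=None):
        self.calls += 1
        prefix = Path.rstrip("/") + "/"
        matching = [p for p in self._params
                    if p["Name"].startswith(prefix)
                    and (Recursive or "/" not in p["Name"][len(prefix):])]
        start = int(NextToken) if NextToken else 0
        page = []
        for p in matching[start:start + self._page_size]:
            item = dict(p)
            if p["Type"] == "SecureString" and not WithDecryption:
                item["Value"] = "AQICAHh...(ciphertext, constructed)"
            page.append(item)
        resp = {"Parameters": page}
        if start + self._page_size < len(matching):
            resp["NextToken"] = str(start + self._page_size)
        return resp


def load_config(ssm, path: str, decrypt: bool = False) -> Dict[str, Union[str, List[str]]]:
    """Read every parameter under `path`, following NextToken to the last page.
    Keys are names relative to `path`; StringList values are split on commas."""
    prefix = path.rstrip("/") + "/"
    config: Dict[str, Union[str, List[str]]] = {}
    kwargs = {"Path": path, "Recursive": True, "WithDecryption": decrypt}
    while True:
        resp = ssm.get_parameters_by_path(**kwargs)
        for p in resp["Parameters"]:
            key = p["Name"][len(prefix):]
            config[key] = p["Value"].split(",") if p["Type"] == "StringList" else p["Value"]
        token = resp.get("NextToken")
        if not token:
            return config
        kwargs["NextToken"] = token  # same arguments, next page


if __name__ == "__main__":
    client = FakeSsmClient(SAMPLE_PARAMETERS)
    for key, value in sorted(load_config(client, "/myapp/prod").items()):
        print(key, "=", value)
    print("API calls made:", client.calls)
```

With the real client, `ssm.get_paginator("get_parameters_by_path")` does the NextToken loop for you; the hand-written loop is shown so the paging is visible. Pass `decrypt=True` only in the process that actually needs the secret, so a service reading plain configuration never needs `kms:Decrypt`.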
How to Eliminate Wrong Answers
If a question asks about storing a database password that must be rotated every 30 days, eliminate any answer that suggests Parameter Store (no rotation). If a question asks about storing a simple configuration value with minimal cost, eliminate Secrets Manager (more expensive). If a question mentions parameter policies, the answer must involve Advanced tier. If a question involves CloudFormation and SecureString, the correct answer will not use resolve:ssm directly; it will use Secrets Manager or a custom resource.
- Parameter Store is a regional, serverless service for storing configuration data and secrets, with two tiers: Standard (free, 10,000 params, 4KB, 40 TPS) and Advanced (paid, 100,000 params, 8KB, 100 TPS).
- Use String for plaintext, StringList for comma-separated values, and SecureString for encrypted secrets (encrypted with KMS, default key aws/ssm).
- CloudFormation dynamic references ({{resolve:ssm:...}}) support only String and StringList; for SecureString, use Secrets Manager or a custom resource.
- Parameter policies (Expiration, ExpirationNotification, NoChangeNotification) are only available for Advanced tier.
- Access control is via IAM; you can restrict based on parameter path, name, and type. Enable CloudTrail data events to log GetParameter calls.
- Versioning: Standard retains 100 versions, Advanced retains 100,000 versions. Labels can be assigned to versions (max 10 per parameter).
- Parameter Store integrates with EC2 (SSM Agent), Lambda (SDK), CloudFormation, CodePipeline, ECS, and EventBridge.
- For secrets requiring automatic rotation, prefer AWS Secrets Manager over Parameter Store.
- Parameter names can be hierarchical (e.g., /myapp/dev/db_url) to organize parameters and simplify IAM policies.
- Cost: Standard tier is free; Advanced tier costs $0.05 per parameter per month plus $0.05 per 10,000 API calls (first 10,000 free).
These come up on the exam all the time. Here's how to tell them apart.
AWS Systems Manager Parameter Store
- Free for Standard tier (up to 10,000 parameters, 40 API calls/sec)
- Maximum parameter value size: 4 KB (Standard) or 8 KB (Advanced)
- No built-in automatic rotation; must implement manually
- IAM policies control access; no resource-based policies
- Supports hierarchical naming and parameter policies (Advanced tier)
AWS Secrets Manager
- Cost: $0.40 per secret per month + $0.05 per 10,000 API calls
- Maximum secret size: 64 KB (larger values can be stored in S3)
- Built-in automatic rotation with configurable schedule (e.g., every 30 days)
- Supports both IAM policies and resource-based policies (e.g., cross-account access)
- Supports cross-region replication and automatic generation of random secrets
Mistake
Parameter Store can automatically rotate secrets like database passwords.
Correct
Parameter Store does not have built-in rotation. You must implement rotation manually via a scheduled Lambda function or use AWS Secrets Manager, which supports automatic rotation with a Lambda rotation function.
Mistake
Standard tier parameters support expiration policies.
Correct
Parameter policies (Expiration, ExpirationNotification, NoChangeNotification) are only available for Advanced tier parameters. Standard tier parameters cannot have policies.
Mistake
SecureString parameters can be used directly in CloudFormation dynamic references.
Correct
CloudFormation dynamic references `{{resolve:ssm:...}}` only support `String` and `StringList` types. For `SecureString`, you must use `{{resolve:secretsmanager:...}}` or a custom resource.
Mistake
Parameter Store is a global service and parameters are replicated across all regions.
Correct
Parameter Store is a regional service. Parameters are stored only in the region where they are created. To share parameters across regions, you must replicate them manually or use Secrets Manager with multi-region replication.
Mistake
You can retrieve a parameter without IAM permissions if you know the parameter name.
Correct
All Parameter Store API calls require IAM authentication and authorization. There is no public access. You must have explicit `ssm:GetParameter` permission on the parameter ARN.
Parameter Store is a free (Standard tier) or low-cost service for storing configuration data and secrets, but it does not automatically rotate secrets. Secrets Manager is a paid service that specializes in secrets management with built-in automatic rotation, cross-region replication, and resource-based policies. Use Parameter Store for non-sensitive configuration (database URLs, feature flags) and low-rotation secrets; use Secrets Manager for database credentials, API keys that need regular rotation, and cross-account sharing.
No, CloudFormation dynamic references ({{resolve:ssm:...}}) only support String and StringList types. For SecureString, you must use AWS Secrets Manager dynamic reference ({{resolve:secretsmanager:...}}) or implement a custom resource (e.g., a Lambda function) to retrieve the SecureString and pass it to the stack.
Use the AWS SDK (e.g., boto3 for Python). Call `ssm.get_parameter(Name='/my/param', WithDecryption=True)` for SecureString. Ensure the Lambda execution role has permissions: `ssm:GetParameter` on the parameter ARN and `kms:Decrypt` on the KMS key (for SecureString). You can also use Lambda environment variables to reference Parameter Store parameters via the console or CloudFormation, but this retrieves the value at deployment time, not at runtime.
You will receive a `ParameterLimitExceeded` error when trying to create a new parameter. You must either delete unused parameters or upgrade to the Advanced tier (which allows up to 100,000 parameters). You can also request a service quota increase for Advanced tier parameters.
Parameter Store does not natively support cross-account sharing. You can use IAM roles with cross-account trust to allow other accounts to assume a role that has access to the parameter. Alternatively, use Secrets Manager which supports resource-based policies for cross-account access.
Use the `DeleteParameter` API call (CLI: `aws ssm delete-parameter --name <name>`). This is irreversible; there is no soft delete or recycle bin. All versions are deleted. For Advanced tier, associated policies are also removed.
Standard tier: 4 KB (4096 characters). Advanced tier: 8 KB (8192 characters). For larger values, store the data in S3 and store the S3 object key or presigned URL as the parameter value.