SAA-C03 / Chapter 51 of 189 / Objective 1.2

Parameter Store Advanced Tiers and SecureString

This chapter covers AWS Systems Manager Parameter Store, focusing on the Advanced tier and SecureString parameters. Parameter Store is a managed service for storing configuration data and secrets, and understanding its tiers and encryption options matters for the SAA-C03 exam, which tests how to securely manage secrets in AWS. Parameter Store shows up regularly, usually in comparison with AWS Secrets Manager or in scenarios involving secure storage of database credentials, API keys, or configuration strings. By the end of this chapter, you will know when to use Standard vs. Advanced tiers, how SecureString encryption works with AWS KMS, which IAM and KMS permissions a read requires, and how to avoid common exam traps.

25 min read
Intermediate
Updated May 31, 2026

Hotel Safe Deposit Box for Secrets

Imagine a hotel lobby with two kinds of deposit boxes. Plain boxes (String and StringList parameters) have no lock: anyone allowed into the lobby can read what is inside. Locked boxes (SecureString parameters) are sealed with a key that only the hotel manager (AWS KMS) holds. When a guest (an application) stores something sensitive, such as a database password, it goes into a locked box. The manager keeps a log of who asked to open each box and when (CloudTrail). To read the contents later, the guest must show ID (IAM permissions for both the box and the key); the manager unlocks the box and hands over the contents, but never the key itself. Even if someone breaks into the lobby and carries off the boxes, the locked ones are useless without the manager's keys. The hotel also sells a premium plan, the Advanced tier: more boxes, larger boxes, and the option to have a box emptied automatically on a date you choose (an Expiration policy) or to be warned before that date. The standard plan is free but limited to fewer, smaller boxes and offers no such policies. The lock (SecureString) and the plan (tier) are independent choices: a locked box is available on both plans.

How It Actually Works

What is AWS Systems Manager Parameter Store?

AWS Systems Manager Parameter Store is a hierarchical store for configuration data and secrets. It allows you to store values such as passwords, database connection strings, license codes, and AMI IDs as parameters. Parameters can be referenced in AWS CloudFormation templates, EC2 user data scripts, Lambda functions, and other AWS services via Systems Manager APIs. The service is fully managed, highly scalable, and provides a secure way to decouple configuration from application code.

Parameter Store offers two tiers, Standard and Advanced (a third choice, Intelligent-Tiering, lets Parameter Store pick the tier for you based on the value you store). The Standard tier is free, with a maximum value size of 4 KB and a limit of 10,000 parameters per AWS account per Region. The Advanced tier costs $0.05 per parameter per month, prorated hourly, plus $0.05 per 10,000 API interactions; it supports values up to 8 KB and up to 100,000 parameters per account per Region. Advanced-tier parameters also support parameter policies: Expiration, ExpirationNotification, and NoChangeNotification. Neither tier rotates a secret by itself; rotation is an AWS Secrets Manager feature.

SecureString Parameter Type

Parameter Store supports three parameter types:

String: Plain text (unencrypted)

StringList: A comma-separated list of plain text values

SecureString: Encrypted text, using either the default AWS managed KMS key (aws/ssm) or a customer managed KMS key.

SecureString is the only type whose value is encrypted with a KMS key before it is stored; String and StringList values can be read by anyone who holds ssm:GetParameter on them. When you create a SecureString parameter, Parameter Store calls KMS with your credentials and stores only ciphertext. When you retrieve it with WithDecryption set to true, Parameter Store calls kms:Decrypt on your behalf and returns the plaintext; if you lack decrypt permission on the key (from the key policy or your IAM policy), the call fails with an access-denied error even though ssm:GetParameter was allowed. The secret is therefore never stored in plain text, and reading it is gated by two independent permissions.

How SecureString Encryption Works Internally

When you create a SecureString parameter, Parameter Store calls KMS on your behalf using your credentials, so the KMS permissions that matter are yours, not the service's. The exact flow depends on the tier:

1. You provide the parameter value (for example, a password) and a KMS key ID, or accept the default aws/ssm key.

2. Standard-tier SecureString: Parameter Store calls the KMS Encrypt operation with the KMS key directly on the value (a Standard value is at most 4 KB, which is also the size limit of the KMS Encrypt API) and stores the resulting ciphertext.

3. Advanced-tier SecureString: Parameter Store uses envelope encryption. It calls KMS GenerateDataKey to obtain a unique data key, returned as a plaintext copy and a copy encrypted under the KMS key, encrypts the value with AES-GCM using the plaintext data key, discards the plaintext data key, and stores the ciphertext together with the encrypted data key.

4. When you retrieve the parameter with WithDecryption, Parameter Store first checks that you have ssm:GetParameter on the parameter, then calls KMS Decrypt on your behalf (requiring kms:Decrypt on the key). For a Standard parameter this decrypts the value itself; for an Advanced parameter it decrypts the data key, which Parameter Store then uses to decrypt the value. Either way the plaintext is returned in the API response.

In both cases the KMS key never leaves KMS. For Advanced parameters the KMS key encrypts only the per-parameter data key, never the value directly, which is how values larger than the 4 KB KMS Encrypt limit can be protected.

Key Components: Values, Defaults, and Timers

Default KMS key: aws/ssm (AWS managed). This key is created automatically in your account when you first use SecureString. It is regional and cannot be deleted. Using a customer managed key gives you more control, such as key rotation, key policies, and the ability to disable or revoke access.

Maximum value size: Standard tier 4 KB, Advanced tier 8 KB. The limit applies to the parameter value; the name has its own limit (below). For larger values, use AWS Secrets Manager (up to 64 KB) or store the object in S3 with server-side encryption and keep only the object key in Parameter Store.

Parameter name length: Maximum 2048 characters. Names are hierarchical (e.g., /prod/db/password) and support path-based access.

Parameter policies (Advanced tier only): You can attach one or more JSON policies to an Advanced parameter to delete it at a timestamp (Expiration), emit an EventBridge event before that timestamp (ExpirationNotification), or emit an event when the value has not changed for a number of days (NoChangeNotification). A policy never rewrites the value; something has to react to the event. Example Expiration policy:

{
  "Type": "Expiration",
  "Version": "1.0",
  "Attributes": {
    "Timestamp": "2025-12-31T23:59:59Z"
  }
}

API throughput: By default, Parameter Store allows 40 transactions per second (TPS) per account per Region, regardless of tier. Higher throughput (1,000 TPS) is an account-level setting in Parameter Store settings, not a property of the Advanced tier; once enabled, every API interaction in the account is billed at Advanced-tier rates, including calls for Standard parameters.

Versioning: Each time you update a parameter (PutParameter with --overwrite), Parameter Store creates a new version. Retrieve a specific version by appending it to the name in GetParameter, as in /prod/db/password:3, or attach a label to a version and use /prod/db/password:mylabel. A parameter keeps at most 100 versions; when a new version would exceed that, the oldest is dropped.

Tags: Parameters can be tagged for cost allocation and access control. Tags are not automatically inherited from the parent path.

Configuration and Verification Commands

Creating a SecureString parameter using the AWS CLI:

aws ssm put-parameter \
    --name "/prod/db/password" \
    --value "MySecretPassword123!" \
    --type SecureString \
    --key-id alias/my-custom-key \
    --tier Advanced \
    --tags Key=Environment,Value=Production

--type SecureString is required for encryption.

--key-id specifies the KMS key (key ID, ARN, alias name, or alias ARN). If omitted, the default aws/ssm key is used.

--tier accepts Standard, Advanced, or Intelligent-Tiering and defaults to Standard if not specified.

Retrieving a parameter value (decrypted):

aws ssm get-parameter \
    --name "/prod/db/password" \
    --with-decryption

--with-decryption is required to get the plaintext value. Without it, the Value field of a SecureString parameter holds the KMS ciphertext (an opaque base64 string), not the secret; describe-parameters never returns values at all.

Listing parameters with pagination:

aws ssm describe-parameters --max-results 50

Adding a policy to an existing Advanced parameter (policies are set with put-parameter --policies, not with tags; updating an existing parameter requires --overwrite):

aws ssm put-parameter \
    --name "/prod/db/password" \
    --value "newpassword" \
    --type SecureString \
    --tier Advanced \
    --overwrite \
    --policies '[{"Type":"Expiration","Version":"1.0","Attributes":{"Timestamp":"2025-12-31T23:59:59Z"}}]'

--policies is rejected on a Standard-tier parameter. Passing --tier Advanced together with --overwrite, as above, moves a Standard parameter to the Advanced tier in the same call; the reverse move (Advanced back to Standard) is not possible.

Interaction with Related Technologies

AWS Secrets Manager: Parameter Store can read Secrets Manager secrets through a reserved path. Calling GetParameter (or GetParameters) with a name of the form /aws/reference/secretsmanager/<secret-name> and WithDecryption set to true returns the secret's current value, so an application that only speaks the Parameter Store API can consume a secret that Secrets Manager rotates. This is a read-through reference, not a stored parameter, and it does not depend on the Advanced tier; the caller also needs secretsmanager:GetSecretValue and kms:Decrypt on the secret's key. Secrets Manager remains a separate service with its own cost ($0.40 per secret per month plus $0.05 per 10,000 API calls) and managed rotation for RDS, Redshift, DocumentDB and, through Lambda rotation functions, other credential types. The exam often contrasts the two: Parameter Store for configuration and small static secrets, Secrets Manager for secrets up to 64 KB that must rotate automatically.

AWS KMS: SecureString parameters rely on KMS for encryption. Parameter Store calls KMS with the caller's credentials, so the caller must be allowed by both its IAM policy and the key policy (or a grant) of the KMS key. The default aws/ssm key already has a key policy that lets principals in your account use it through Systems Manager. For a customer managed key you must allow the IAM roles that write parameters (kms:Encrypt for Standard parameters, kms:GenerateDataKey for Advanced parameters) and the roles that read them (kms:Decrypt); there is nothing to grant to the ssm.amazonaws.com service principal.

IAM Policies: To create a SecureString parameter you need ssm:PutParameter plus KMS permission on the key: kms:Encrypt for a Standard parameter, kms:GenerateDataKey for an Advanced one. To retrieve the plaintext you need ssm:GetParameter (or ssm:GetParameters, ssm:GetParametersByPath) on the parameter and kms:Decrypt on the key. To list parameters you need ssm:DescribeParameters, which returns metadata but no values. The exam tests that ssm:GetParameter alone is not enough to read a SecureString: without kms:Decrypt, the decrypting call is denied.
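The two-permission rule above is easy to state and easy to get wrong in a policy. The following is an added example, not AWS code or part of the original chapter: a deliberately simplified IAM evaluator that models identity-based policies only (Allow/Deny, IAM-style '*' and '?' wildcards, no Condition elements, no key policies, SCPs or permission boundaries) and applies it to a least-privilege reader policy and to the "SSM permission only" policy the exam likes to trip candidates with. The account ID, role names and KMS key ID are placeholders. For a real decision use `aws iam simulate-principal-policy`.

```python
"""Simplified evaluator for the two permissions a SecureString read needs.

Added example, not AWS code. Models identity-based policies only:
Allow/Deny statements, '*' and '?' wildcards in Action and Resource,
no Condition elements, no key policies, no SCPs, no permission boundaries.
Account ID, role names and the KMS key ID are placeholders.
"""
from fnmatch import fnmatchcase

# Placeholder ARNs (hypothetical account and key id).
PARAM_ARN = "arn:aws:ssm:us-east-1:123456789012:parameter/prod/db/password"
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive; wildcards behave like glob '*' and '?'.
    return fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, arn):
    # Resource ARNs are case-sensitive; '*' and '?' wildcards are allowed.
    return fnmatchcase(arn, pattern)


def is_allowed(policy, action, resource):
    """IAM decision logic in miniature: explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_action_matches(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_resource_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_read_plaintext(policy, param_arn=PARAM_ARN, key_arn=KEY_ARN):
    """Emulate GetParameter with WithDecryption=True under `policy`.

    Returns (ok, reason). Parameter Store checks ssm:GetParameter on the
    parameter, then calls kms:Decrypt on the caller's behalf, so either
    missing permission surfaces to the caller as an access-denied error.
    """
    if not is_allowed(policy, "ssm:GetParameter", param_arn):
        return False, "ssm:GetParameter not allowed on the parameter"
    if not is_allowed(policy, "kms:Decrypt", key_arn):
        return False, "kms:Decrypt not allowed on the KMS key"
    return True, "plaintext returned"


# Least-privilege reader: parameters under /prod/ plus decrypt on the one key.
READER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:GetParameter", "ssm:GetParameters"],
         "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/prod/*"},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN},
    ],
}

# The classic exam trap: SSM permission only, no KMS permission.
SSM_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:GetParameter",
         "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/prod/*"},
    ],
}

if __name__ == "__main__":
    for label, pol in (("reader", READER_POLICY), ("ssm-only", SSM_ONLY_POLICY)):
        print(label, can_read_plaintext(pol))
    print("reader on /dev/", can_read_plaintext(
        READER_POLICY, param_arn="arn:aws:ssm:us-east-1:123456789012:parameter/dev/db/password"))
```

Running it shows the reader policy succeeding on /prod/db/password, the SSM-only policy failing at the KMS step, and the reader policy failing on /dev/db/password because the Resource ARN pattern scopes it to the /prod/ hierarchy. Note that the parameter ARN for a name that starts with "/" has no second slash after "parameter".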

AWS CloudFormation: The AWS::SSM::Parameter resource can create String and StringList parameters, but CloudFormation cannot create SecureString parameters. Create SecureString parameters outside the template (CLI, SDK, or a custom resource) and consume them from templates with a dynamic reference such as {{resolve:ssm-secure:/prod/db/password:1}}, which resolves a specific version of the SecureString at deploy time. ssm-secure references are accepted only in the resource properties that CloudFormation documents as supporting them (for example, database master passwords), so the secret does not land in stack outputs or template metadata.

AWS Lambda: Lambda functions can retrieve parameters using the AWS SDK. Best practice is to cache the parameter value to reduce API calls and latency. Lambda execution roles need the appropriate SSM and KMS permissions.

EC2 and the SSM Agent: EC2 instances (and hybrid managed instances) running the SSM Agent can read parameters through their instance profile role, and Run Command, State Manager, and Automation documents can reference parameters. For SecureString, the role needs ssm:GetParameter on the parameter and kms:Decrypt on the key, exactly as for any other caller.

Advanced Tier Policies: Expiration and Notifications

Advanced-tier parameters support three policy types:

1. Expiration: Deletes the parameter at the specified timestamp. Useful for temporary credentials.

2. ExpirationNotification: Emits an Amazon EventBridge event (formerly CloudWatch Events) a configured number of days or hours before expiration (for example 7, 14, or 30 days). An EventBridge rule can route the event to SNS for an email or to a Lambda function that obtains a new value and writes it as a new version.

3. NoChangeNotification: Emits an event when the parameter has not been modified for a specified number of days. This helps detect stale configuration or a rotation job that has stopped running.

These policies are only available for Advanced-tier parameters. Standard-tier parameters have no policy support.
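Because tier choice and policy JSON are where most put-parameter mistakes happen (a policy on a Standard parameter is rejected, an oversize value is rejected, a malformed timestamp is rejected), it helps to assemble the call before making it. The following is an added example, not AWS code or part of the original chapter. It makes no AWS call; it picks the tier from the value size and whether policies are requested, builds the three policy types described above for a secret that must be replaced every N days, and returns the keyword arguments that boto3's ssm.put_parameter() takes (Policies is one JSON string holding an array). The byte counts 4096 and 8192 for the 4 KB and 8 KB limits, and the parameter names, are assumptions made for the example.

```python
"""Pre-flight for a SecureString put: choose the tier and build parameter policies.

Added example, not AWS code. No AWS call is made; the result is the
keyword-argument dict for boto3's ssm.put_parameter(). The tier size limits
are taken as 4096 / 8192 bytes of UTF-8 (an assumption about how the 4 KB /
8 KB limits are counted). Policy shapes follow the Expiration,
ExpirationNotification and NoChangeNotification types.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

STANDARD_MAX_BYTES = 4096   # assumption: 4 KB tier limit measured as UTF-8 bytes
ADVANCED_MAX_BYTES = 8192   # assumption: 8 KB tier limit measured as UTF-8 bytes


def choose_tier(value: str, needs_policies: bool) -> str:
    """Return the cheapest tier that can hold `value` with the requested features.

    Raises ValueError above the Advanced limit: that is the point where
    Parameter Store is the wrong store (use Secrets Manager or an encrypted S3 object).
    """
    size = len(value.encode("utf-8"))
    if size > ADVANCED_MAX_BYTES:
        raise ValueError(f"value is {size} bytes; Advanced tier allows at most {ADVANCED_MAX_BYTES}")
    if needs_policies or size > STANDARD_MAX_BYTES:
        return "Advanced"
    return "Standard"


def _as_utc(created_at) -> datetime:
    """Accept an aware datetime or an ISO-8601 string with offset; return it in UTC."""
    if isinstance(created_at, str):
        created_at = datetime.fromisoformat(created_at)
    if created_at.tzinfo is None:
        raise ValueError("created_at must carry a timezone")
    return created_at.astimezone(timezone.utc)


def build_policies(created_at, lifetime_days: int, notify_days_before: int,
                   stale_after_days: Optional[int] = None) -> list:
    """Build policy objects for a secret that must be replaced every `lifetime_days`.

    Expiration deletes the parameter at the computed UTC timestamp;
    ExpirationNotification emits an EventBridge event `notify_days_before`
    days earlier; NoChangeNotification (optional) warns when the value has
    sat untouched for `stale_after_days`. None of these rotates the value:
    something must react to the event and write a new version.
    """
    if not 0 < notify_days_before < lifetime_days:
        raise ValueError("notification must fall after creation and before expiry")
    expires_at = _as_utc(created_at) + timedelta(days=lifetime_days)
    policies = [
        {"Type": "Expiration", "Version": "1.0",
         "Attributes": {"Timestamp": expires_at.strftime("%Y-%m-%dT%H:%M:%SZ")}},
        {"Type": "ExpirationNotification", "Version": "1.0",
         "Attributes": {"Before": str(notify_days_before), "Unit": "Days"}},
    ]
    if stale_after_days is not None:
        policies.append({"Type": "NoChangeNotification", "Version": "1.0",
                         "Attributes": {"After": str(stale_after_days), "Unit": "Days"}})
    return policies


def put_parameter_args(name: str, value: str, created_at,
                       lifetime_days: Optional[int] = None, notify_days_before: int = 7,
                       key_id: Optional[str] = None, overwrite: bool = False) -> dict:
    """Assemble ssm.put_parameter(**args) for a SecureString; no AWS call is made here."""
    policies = build_policies(created_at, lifetime_days, notify_days_before) if lifetime_days else []
    args = {
        "Name": name,
        "Value": value,
        "Type": "SecureString",
        "Tier": choose_tier(value, needs_policies=bool(policies)),
    }
    if key_id:                 # omit to use the AWS managed aws/ssm key
        args["KeyId"] = key_id
    if policies:               # only accepted on the Advanced tier
        args["Policies"] = json.dumps(policies)
    if overwrite:              # required when a parameter with this name already exists
        args["Overwrite"] = True
    return args


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(json.dumps(put_parameter_args("/prod/payments/gateway-api-key", "example-key-value", now,
                                        lifetime_days=90, key_id="alias/prod-secrets"), indent=2))
```

The dict it returns can be passed straight to boto3 as ssm.put_parameter(**args); the same fields map one-to-one onto the CLI flags shown earlier in this chapter. Timestamps are emitted in the ISO-8601 UTC form with a trailing Z that the Expiration policy documentation uses.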

Cost Considerations

Standard tier: No charge for parameter storage or for API calls at the default throughput (up to 10,000 parameters, 40 TPS).

Advanced tier: $0.05 per Advanced parameter per month, prorated hourly, plus $0.05 per 10,000 API interactions. Once the account-level higher-throughput setting is enabled, the same API rate applies to calls for Standard parameters as well.

KMS costs: The AWS managed aws/ssm key has no monthly charge; a customer managed key costs $1 per month. KMS API requests (the Encrypt or GenerateDataKey call behind each SecureString write and the Decrypt call behind each decrypting read) are billed at $0.03 per 10,000 requests beyond the KMS free tier, for either kind of key. Caching decrypted values in the application is what keeps this line small.

Security Best Practices

Always use SecureString for secrets, never String or StringList.

Use a customer managed KMS key with a strict key policy that limits which IAM roles can decrypt.

Use least-privilege IAM policies: grant kms:Decrypt only to roles that need to read secrets.

Enable CloudTrail to log all Parameter Store API calls for auditing.

Use Advanced tier with expiration policies for temporary secrets.

Avoid storing large secrets (over 8 KB) in Parameter Store; use Secrets Manager or S3 instead.

Use parameter hierarchies (e.g., /app/env/param) to organize and apply path-based IAM policies.

Common Exam Scenarios

The SAA-C03 exam often asks you to choose between Parameter Store and Secrets Manager, or between Standard and Advanced tiers. Typical scenarios:

Storing database passwords: SecureString is always the answer. If automatic rotation is needed, use Secrets Manager. If not, Parameter Store is sufficient.

Storing configuration data (e.g., AMI ID, endpoint URL): Use String type (no encryption needed). If the value is sensitive (e.g., API key), use SecureString.

Storing a large secret (e.g., a 10 KB private key): Parameter Store cannot store it (max 8 KB Advanced). Use Secrets Manager or store in S3 with encryption.

Need to enforce parameter expiration: Must use Advanced tier.

High throughput: Enable the Parameter Store higher-throughput setting, an account-level switch rather than a tier; Advanced-tier API pricing then applies to every call in the account.

Cost optimization: If you have more than 10,000 parameters, values over 4 KB, or need parameter policies, the Advanced tier is required for those parameters. Otherwise, Standard is free.

Integration with AWS Secrets Manager

Parameter Store cannot be linked to a Secrets Manager secret, but it can read one. Calling GetParameter or GetParameters with the name /aws/reference/secretsmanager/<secret-name-or-ARN> and WithDecryption set to true returns the secret's current value; the caller also needs secretsmanager:GetSecretValue and kms:Decrypt on the secret's key. Because the lookup happens at read time, an application that only knows how to call Parameter Store picks up each rotation automatically. Nothing is stored in Parameter Store, the reference is independent of tier, and you pay Secrets Manager prices for the secret.

Limitation: No Automatic Rotation Natively

Parameter Store itself does not support automatic rotation of secrets. Only Secrets Manager provides built-in rotation for RDS, Redshift, DocumentDB, and other services. If you need rotation, you must either use Secrets Manager directly or implement a custom rotation solution (e.g., Lambda function triggered by EventBridge).

Summary of Differences: Standard vs. Advanced

| Feature | Standard | Advanced |
|---------|----------|----------|
| Cost | Free | $0.05 per parameter per month, plus $0.05 per 10,000 API interactions |
| Max parameters per account per Region | 10,000 | 100,000 |
| Max parameter value size | 4 KB | 8 KB |
| API throughput | 40 TPS by default | 40 TPS by default; the higher-throughput setting (1,000 TPS) is account-wide and independent of tier |
| Parameter policies | Not supported | Expiration, ExpirationNotification, NoChangeNotification |
| KMS encryption of SecureString | Value encrypted directly with the KMS key (Encrypt) | Envelope encryption with a per-parameter data key (GenerateDataKey) |
| Read Secrets Manager secrets via /aws/reference/secretsmanager/ | Yes | Yes |
| Changing tier | Can be moved to Advanced in place | Cannot be moved back to Standard |
| Prorated billing | N/A | Per hour |

Verification Steps

To verify a SecureString parameter is encrypted:

1. Run aws ssm get-parameter --name <name> without --with-decryption. The response shows Type: SecureString and a Value that is the KMS ciphertext, not your secret.

2. Run aws ssm get-parameter --name <name> --with-decryption to see the plaintext. If the caller lacks kms:Decrypt on the key, this call returns an access-denied error even though the first one succeeded.

3. Check CloudTrail for the PutParameter and GetParameter events (and the matching KMS Encrypt or GenerateDataKey and Decrypt events) to audit who wrote and read the value.
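Step 3 is only useful if someone actually looks at the trail. The following is an added example, not AWS code or part of the original chapter: a small scanner over CloudTrail records for ssm.amazonaws.com that flags decrypting reads of a protected path by roles not expected to read it, denied reads (permission probing), and recursive decrypting GetParametersByPath calls (a bulk-dump pattern). The records are constructed for the example, not captured, and follow CloudTrail's general shape (eventName, userIdentity, requestParameters with lower-camel-cased API parameter names, errorCode on failures); verify the field names against your own trail before relying on them. The reader allowlist, role names and addresses are likewise made up.

```python
"""Scan CloudTrail records for risky Parameter Store reads.

Added example, not AWS code. Sample records are constructed, not captured;
field names follow CloudTrail's usual shape and should be checked against a
real trail. The allowlist of expected readers is made up for the example.
"""
from fnmatch import fnmatchcase

# Which IAM roles are expected to decrypt which parameter paths (constructed policy).
EXPECTED_DECRYPT_READERS = {
    "/prod/db/*": {"OrderServiceRole", "CatalogServiceRole"},
    "/prod/payments/*": {"PaymentsServiceRole"},
}


def principal_name(user_identity: dict) -> str:
    """Reduce a userIdentity block to a role name (for assumed roles) or user name."""
    arn = user_identity.get("arn", "")
    if user_identity.get("type") == "AssumedRole" and ":assumed-role/" in arn:
        return arn.split(":assumed-role/", 1)[1].split("/", 1)[0]
    return user_identity.get("userName") or arn


def findings_for(event: dict) -> list:
    """Return zero or more finding strings for one CloudTrail record."""
    if event.get("eventSource") != "ssm.amazonaws.com":
        return []
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    who = principal_name(event.get("userIdentity", {}))
    src = event.get("sourceIPAddress", "?")
    out = []

    # 1. Denied reads: either ssm:GetParameter or the KMS decrypt was refused.
    #    Repeated denials from one principal look like permission probing.
    if name in ("GetParameter", "GetParameters") and str(event.get("errorCode", "")).startswith("AccessDenied"):
        out.append(f"ACCESS_DENIED {who} -> {params.get('name') or params.get('names')} from {src}")
        return out

    # 2. Successful decrypting reads of a protected path by a principal not expected to read it.
    if name in ("GetParameter", "GetParameters") and params.get("withDecryption") is True:
        names = [params["name"]] if name == "GetParameter" else list(params.get("names", []))
        for n in names:
            for pattern, readers in EXPECTED_DECRYPT_READERS.items():
                if fnmatchcase(n, pattern) and who not in readers:
                    out.append(f"UNEXPECTED_DECRYPT {who} read {n} from {src}")

    # 3. Recursive, decrypting GetParametersByPath over a whole hierarchy: a bulk-dump pattern.
    if name == "GetParametersByPath" and params.get("withDecryption") is True and params.get("recursive") is True:
        out.append(f"BULK_DECRYPT {who} dumped {params.get('path')} recursively from {src}")
    return out


def scan(events) -> list:
    """Flatten findings across a batch of records (one CloudTrail file, one Athena result set, ...)."""
    return [f for e in events for f in findings_for(e)]


# Constructed sample records (not real CloudTrail output).
SAMPLE_EVENTS = [
    {"eventTime": "2025-06-01T10:00:00Z", "eventSource": "ssm.amazonaws.com", "eventName": "GetParameter",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/OrderServiceRole/i-0a1b2c"},
     "sourceIPAddress": "10.0.1.15",
     "requestParameters": {"name": "/prod/db/password", "withDecryption": True}},
    {"eventTime": "2025-06-01T10:02:00Z", "eventSource": "ssm.amazonaws.com", "eventName": "GetParameter",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/CiBuildRole/gh-run-42"},
     "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"name": "/prod/db/password", "withDecryption": True}},
    {"eventTime": "2025-06-01T10:03:00Z", "eventSource": "ssm.amazonaws.com", "eventName": "GetParameter",
     "userIdentity": {"type": "IAMUser", "userName": "contractor"},
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDeniedException",
     "requestParameters": {"name": "/prod/payments/gateway-api-key", "withDecryption": True}},
    {"eventTime": "2025-06-01T10:05:00Z", "eventSource": "ssm.amazonaws.com", "eventName": "GetParametersByPath",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/CiBuildRole/gh-run-42"},
     "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"path": "/prod", "recursive": True, "withDecryption": True}},
    {"eventTime": "2025-06-01T10:06:00Z", "eventSource": "ssm.amazonaws.com", "eventName": "DescribeParameters",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/CiBuildRole/gh-run-42"},
     "sourceIPAddress": "203.0.113.9", "requestParameters": {}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

On the sample batch the first record (OrderServiceRole reading its own database password) is silent, while the CI role's read, the contractor's denied attempt and the recursive dump each produce one finding. DescribeParameters returns no values, so it is ignored here; in practice a burst of DescribeParameters followed by GetParametersByPath from a new principal is the sequence to watch for.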

Troubleshooting

Access denied when retrieving SecureString: Ensure the IAM role has ssm:GetParameter on the parameter and kms:Decrypt on the specific KMS key. With a customer managed key, also confirm that the key policy (or a grant) allows that role; the ssm.amazonaws.com service principal does not need an entry.

Parameter not found: Verify the parameter name (case-sensitive) and region. Use aws ssm describe-parameters to list.

Value too large (validation error on PutParameter): The value exceeds the tier limit (4 KB Standard, 8 KB Advanced). Move the parameter to the Advanced tier, or for anything over 8 KB use Secrets Manager or an encrypted S3 object; do not try to squeeze a secret in by compressing it.

Throttling: Reduce API call frequency, use caching, or request a throughput increase.

Conclusion

Parameter Store is a versatile tool for managing configuration and secrets. The SecureString type provides encryption at rest via KMS, and the Advanced tier adds policies and higher limits. For the SAA-C03 exam, focus on understanding the differences between Standard and Advanced, the encryption process, and when to use Parameter Store vs. Secrets Manager. Master the IAM and KMS permissions required for SecureString access, as this is a common exam trap.

Walk-Through

1. Create a KMS Key

First, decide whether to use the default AWS managed key (`aws/ssm`) or create a customer managed key (CMK). A CMK gives you more control, including the ability to rotate keys, define key policies, and disable the key. To create a CMK, navigate to the AWS KMS console, choose 'Create key', select 'Symmetric', and write a key policy that grants the IAM roles that will write parameters `kms:Encrypt` (Standard tier) or `kms:GenerateDataKey` (Advanced tier) and the roles that will read them `kms:Decrypt`. Parameter Store calls KMS with those principals' own credentials, so the `ssm.amazonaws.com` service principal needs no entry in the key policy. The default key is created automatically the first time you create a SecureString parameter in a Region and requires no setup.

2. Create the SecureString Parameter

Using the AWS CLI, AWS Management Console, or SDK, call `PutParameter` with `--type SecureString` and optionally `--key-id` to specify the KMS key. The parameter name should follow a hierarchical path, e.g., `/production/database/primary_password`. The value is the secret you want to store. If using the Advanced tier, add `--tier Advanced`. You can also attach policies at creation time using `--policies`. The service then encrypts the value before storing it: a Standard-tier SecureString is encrypted directly with the KMS key, while an Advanced-tier SecureString uses envelope encryption (KMS generates a data key, the value is encrypted with that data key, and the ciphertext is stored together with the encrypted data key).

3. Set IAM Permissions

Create an IAM policy that grants the necessary permissions to the roles or users that will access the parameter. For reading a SecureString parameter, the policy must include `ssm:GetParameter` (or `ssm:GetParameters` for multiple) on the parameter and `kms:Decrypt` on the specific KMS key. For writing, include `ssm:PutParameter` plus `kms:Encrypt` (Standard tier) or `kms:GenerateDataKey` (Advanced tier). Scope reads to a hierarchy through the Resource ARN, for example `"Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/production/*"`, which restricts access to parameters under `/production/`; the `ssm:Recursive` condition key additionally controls whether `GetParametersByPath` may walk sub-paths. Attach the policy to an IAM role (e.g., for EC2 instances or Lambda functions).

4. Retrieve the Parameter in Application

In your application code, use the AWS SDK to call `GetParameter` with `WithDecryption` set to `true`. For example, in Python using boto3: `ssm = boto3.client('ssm', region_name='us-east-1'); response = ssm.get_parameter(Name='/production/database/primary_password', WithDecryption=True); password = response['Parameter']['Value']`. Parameter Store performs the KMS decryption on the service side and returns the plaintext, provided the calling role has `ssm:GetParameter` on the parameter and `kms:Decrypt` on the key. For EC2 instances that is the instance profile role; for Lambda, the execution role. Cache the value to reduce API calls and avoid throttling, and never write it to logs.
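The one-liner above is fine for a script, but a Lambda function or service that calls GetParameter on every request will hit the 40 TPS default and pay for a KMS Decrypt each time. The following is an added example, not AWS code or part of the original chapter: a process-local cache with a time-to-live. The fetch function is injectable so the cache logic can be exercised without AWS credentials; the default fetcher imports boto3 lazily and calls get_parameter(Name=..., WithDecryption=True). The handler's event shape and the parameter name are assumptions for the example.

```python
"""Process-local cache for SecureString reads in Lambda or a long-running service.

Added example, not AWS code. The default fetcher uses boto3 (imported lazily
so the module loads where boto3 is absent); the injectable `fetch` lets the
cache be tested offline. Event shape and parameter names are assumptions.
"""
import time
from typing import Callable, Dict, Optional, Tuple


class ParameterCache:
    """Cache decrypted values for `ttl_seconds`.

    A module-level instance survives across Lambda invocations on a warm
    container, so steady-state traffic costs no Parameter Store or KMS calls.
    """

    def __init__(self, fetch: Optional[Callable[[str], str]] = None,
                 ttl_seconds: float = 300.0, clock: Callable[[], float] = time.monotonic):
        self._fetch = fetch or self._fetch_from_parameter_store
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: Dict[str, Tuple[float, str]] = {}   # name -> (fetched_at, value)
        self.fetch_count = 0

    @staticmethod
    def _fetch_from_parameter_store(name: str) -> str:
        import boto3  # lazy import: keeps this module importable without boto3
        ssm = boto3.client("ssm")
        # Parameter Store decrypts server-side; the execution role needs
        # ssm:GetParameter on the parameter and kms:Decrypt on the key.
        return ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]["Value"]

    def get(self, name: str) -> str:
        """Return the cached value, or fetch (and cache) it when missing or expired.

        Fetch errors (AccessDenied for a missing kms:Decrypt, ThrottlingException)
        propagate to the caller; a stale value is never served in place of a failed refresh.
        """
        now = self._clock()
        entry = self._entries.get(name)
        if entry is not None and now - entry[0] < self._ttl:
            return entry[1]
        value = self._fetch(name)
        self.fetch_count += 1
        self._entries[name] = (now, value)
        return value

    def invalidate(self, name: Optional[str] = None) -> None:
        """Drop one entry (e.g. after the database rejects a rotated password) or all of them."""
        if name is None:
            self._entries.clear()
        else:
            self._entries.pop(name, None)


# Lambda usage: build once at import time, reuse across invocations.
_cache = ParameterCache(ttl_seconds=300)


def handler(event, context):
    """Example Lambda handler; the parameter name in the event is an assumed shape."""
    password = _cache.get(event.get("parameter", "/production/database/primary_password"))
    return {"length": len(password)}   # never return or log the secret itself
```

Pick the TTL to match how quickly a rotated value must take effect; a consumer that gets an authentication failure from the database can call invalidate() and retry once, which handles the window between a rotation and cache expiry without shortening the TTL for everyone.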

5. Monitor and Rotate Secrets

Set up CloudTrail to log all `GetParameter` and `PutParameter` calls for auditing. For Advanced-tier parameters, attach an `ExpirationNotification` policy to receive an EventBridge event before the secret expires. If automatic rotation is required, keep the secret in AWS Secrets Manager and have Parameter Store clients read it through the `/aws/reference/secretsmanager/<secret-name>` path with decryption enabled, or use a Lambda function triggered by EventBridge (on a schedule or on the expiration event) to obtain a new value and write a new parameter version. Regularly review access patterns and, if using a CMK, enable automatic key rotation. Remove unused parameters to reduce cost and attack surface.

What This Looks Like on the Job

Enterprise Scenario 1: Database Credentials for Microservices

A large e-commerce company runs hundreds of microservices on ECS Fargate. Each service needs credentials for a different database (product catalog, user profiles, and so on). They store each database password as a SecureString parameter under a hierarchical path such as /prod/catalog/db/password. The services retrieve the password at startup and cache it in memory. The company uses the Standard tier because they have fewer than 10,000 parameters and every password is under 4 KB. They use a customer managed KMS key per environment (dev, test, prod) to isolate access. Each service's task role is scoped to its own path through the parameter ARN in the Resource element (arn:aws:ssm:<region>:<account>:parameter/prod/catalog/*) and granted kms:Decrypt only on that environment's key. This setup is cost-effective (free tier) and secure. They did hit a problem when a developer stored a 5 KB TLS certificate in a Standard-tier parameter and the put failed; the fix was either the Advanced tier (up to 8 KB) or storing the certificate in S3. The lesson: check the size limit before choosing the store.

Enterprise Scenario 2: Temporary Credentials for External Integrations

A financial services company needs to store API keys for third-party payment gateways that must be replaced every 90 days. They use Advanced-tier SecureString parameters with an Expiration policy set to 90 days after creation and an ExpirationNotification policy that emits an EventBridge event 7 days before expiration. An EventBridge rule routes that event to a Lambda function that requests a new API key from the provider and writes it as a new version of the parameter with a fresh Expiration timestamp (the policies themselves never rotate anything). With 500 such parameters, storage costs $25 per month (500 × $0.05) plus API interaction charges. They chose the Advanced tier because they need policy support; they separately enabled the account-level higher-throughput setting for peak hours, which is not a tier feature. A common mistake is omitting the Expiration policy when a parameter is created, leaving a key with no deadline; they catch this with a scheduled check over DescribeParameters that reports Advanced parameters whose Policies list contains no Expiration entry.

Enterprise Scenario 3: Hybrid Cloud Configuration

A manufacturing company uses AWS for analytics but also has on-premises servers that need to access configuration data. They use Systems Manager Hybrid Activations to register on-premises servers as managed instances. These servers run the SSM Agent and can access Parameter Store parameters. They store the connection string for an on-premises database as a SecureString parameter. The on-premises servers have an IAM role (via a service role) that includes ssm:GetParameter and kms:Decrypt. They use the Standard tier because they have only a few parameters. A challenge was ensuring the on-premises servers had the correct KMS key permissions, as they had to include the key policy to allow the IAM role to decrypt. Misconfiguration led to 'AccessDenied' errors during decryption. They resolved it by using the default aws/ssm key initially, then later migrating to a custom key with proper policies. The key takeaway: test permissions thoroughly in a non-production environment.

How SAA-C03 Actually Tests This

Exactly What SAA-C03 Tests

The SAA-C03 exam tests Parameter Store under Domain 1: Secure Architectures, Objective 1.2: "Design a secure architecture for control and management of AWS resources." Specifically, you must know:

How to securely store secrets using SecureString and KMS.

The differences between Standard and Advanced tiers (cost, limits, policies).

When to use Parameter Store vs. AWS Secrets Manager.

IAM and KMS permissions required for SecureString access.

How parameter hierarchies work for path-based access control.

Common Wrong Answers and Why Candidates Choose Them

1. Choosing Secrets Manager for all secrets: Many candidates think Secrets Manager is always better because it supports rotation. But if rotation is not needed, Parameter Store (Standard tier) is free and simpler. The exam will give a scenario with no rotation requirement; the correct answer is Parameter Store.

2. Using String type for secrets: Candidates might overlook the encryption requirement and choose String for simplicity. The exam explicitly asks for secure storage; SecureString is always the answer.

3. Assuming Advanced tier is required for all SecureString: SecureString works with Standard tier too. The exam may ask for cost optimization; if the secret is under 4 KB and no policies are needed, Standard is correct.

4. Forgetting KMS permissions: The exam often presents a scenario where a developer can retrieve a parameter but gets an error. The answer is that the IAM role lacks kms:Decrypt on the KMS key. Many candidates miss this because they focus only on SSM permissions.

5. Mixing up parameter size limits: Some candidates think Standard tier supports 8 KB. The exam will test the exact limits: 4 KB Standard, 8 KB Advanced.

Specific Numbers and Terms to Memorize

Standard tier: 10,000 parameters, 4 KB value size, free; 40 TPS is the account-wide default throughput.

Advanced tier: 100,000 parameters, 8 KB value size, $0.05/parameter/month plus $0.05 per 10,000 API interactions. The higher-throughput setting (1,000 TPS) is an account-level setting billed at Advanced rates, not a tier property.

SecureString uses KMS envelope encryption with data keys.

Default KMS key: aws/ssm.

To decrypt: need ssm:GetParameter and kms:Decrypt.

Parameter policies: Expiration, ExpirationNotification, NoChangeNotification (Advanced only).

Maximum parameter name length: 2048 characters.

Versioning: up to 100 versions per parameter.

Edge Cases and Exceptions

If you disable a customer managed KMS key, every SecureString parameter encrypted with it fails to decrypt until the key is re-enabled; if you schedule that key for deletion and the waiting period completes, those parameters become permanently unreadable. The exam may test this as a disaster recovery scenario.

Parameter Store does not support cross-region replication. You must manually recreate parameters in each region.

Parameter Store can read Secrets Manager secrets through the /aws/reference/secretsmanager/ path from either tier, but a value you actually store in a parameter is still subject to the 4 KB or 8 KB limit.

The aws/ssm key cannot be used for other services; it is dedicated to SSM.

You can move a Standard parameter to the Advanced tier in place (put-parameter with --tier Advanced and --overwrite), but you cannot move an Advanced parameter back to Standard; that requires deleting and recreating it.

How to Eliminate Wrong Answers

If the scenario mentions automatic rotation, the answer is Secrets Manager (not Parameter Store).

If the scenario mentions cost optimization and the secret is small, choose Parameter Store Standard tier.

If the scenario mentions large secrets (over 8 KB), eliminate Parameter Store entirely.

If the scenario mentions expiration policies, the answer must involve Advanced tier.

For access errors, always check KMS permissions first.

Exam Question Patterns

"A company needs to store database passwords securely and retrieve them from EC2 instances. What is the MOST cost-effective solution?" Answer: Parameter Store SecureString with Standard tier (if no rotation needed).

"An application needs to store a 10 KB configuration file securely. Which service should be used?" Answer: AWS Secrets Manager (or S3 with encryption), because Parameter Store max is 8 KB.

"A developer can retrieve a SecureString parameter, but the value returned is an unreadable ciphertext string rather than the secret. What is the issue?" Answer: They did not pass --with-decryption (WithDecryption=True in the SDK).

"Which tier supports parameter expiration policies?" Answer: Advanced.

Master these patterns, and you will confidently answer Parameter Store questions on the SAA-C03 exam.

Key Takeaways

SecureString parameters use KMS envelope encryption; you need both ssm:GetParameter and kms:Decrypt permissions to retrieve the plaintext value.

Standard tier is free but limited to 10,000 parameters of 4 KB each; Advanced tier costs $0.05/parameter/month and supports 100,000 parameters, 8 KB each, and parameter policies. The 40 TPS default throughput applies account-wide, and raising it is an account-level setting billed at Advanced rates rather than a tier feature.

Parameter policies (Expiration, ExpirationNotification, NoChangeNotification) are only available for Advanced-tier parameters.

The default KMS key for SecureString is aws/ssm; using a customer managed key provides more control but requires proper key policy.

Parameter Store does not support automatic rotation natively; use Secrets Manager for rotation or implement a custom solution.

Parameter names are hierarchical and can be up to 2048 characters; use path-based IAM policies with ssm:Recursive condition key for access control.

On the exam, if a scenario requires automatic rotation, choose Secrets Manager; if cost is a concern and no rotation needed, choose Parameter Store Standard tier.

Always use SecureString type for secrets; never use String or StringList for sensitive data.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Parameter Store Standard Tier

Free of charge

Max 10,000 parameters per account/region

Max parameter size 4 KB

40 API calls per second per account/Region by default (the account-wide default, shared by both tiers)

No support for parameter policies (expiration, notifications)

Parameter Store Advanced Tier

Cost: $0.05 per parameter per month

Max 100,000 parameters per account/region

Max parameter size 8 KB

Same 40 TPS default; the higher-throughput setting is enabled per account and billed at Advanced rates

Supports policies: Expiration, ExpirationNotification, NoChangeNotification

Parameter Store SecureString

Max size: 4 KB (Standard) or 8 KB (Advanced)

No native automatic rotation; can read rotating Secrets Manager secrets through /aws/reference/secretsmanager/

Cost: free (Standard) or $0.05/param/month (Advanced) + KMS costs

Supports versioning (up to 100 versions)

Policies only in Advanced tier

AWS Secrets Manager

Max size: 64 KB

Built-in automatic rotation for RDS, Redshift, DocumentDB, etc.

Cost: $0.40 per secret per month + $0.05 per 10,000 API calls (plus Lambda charges for rotation functions)

Supports versioning (stages like AWSCURRENT, AWSPREVIOUS)

Supports cross-region replication and resource-based policies

Watch Out for These

Mistake

SecureString parameters are encrypted only in transit, not at rest.

Correct

SecureString parameters are encrypted at rest using AWS KMS: the value is encrypted before storage and decrypted only when retrieved by a caller holding both ssm:GetParameter and kms:Decrypt. Every parameter type is protected in transit by TLS; what sets SecureString apart is the KMS encryption at rest.

Mistake

You must use a customer managed KMS key for SecureString.

Correct

You can use the default AWS managed key `aws/ssm` at no additional cost. A customer managed key is optional and provides more control.

Mistake

Advanced tier is required for SecureString parameters.

Correct

SecureString works with both Standard and Advanced tiers. The tier choice affects size limits, number of parameters, and policy support, but not encryption.

Mistake

Parameter Store supports automatic rotation of secrets natively.

Correct

Parameter Store does not have built-in automatic rotation. Use AWS Secrets Manager, or a custom solution (e.g., Lambda on an EventBridge schedule or expiration event), to rotate secrets. Parameter Store can read a rotating Secrets Manager secret through the /aws/reference/secretsmanager/ path, which is a lookup at read time, not rotation.

Mistake

You can store up to 64 KB in Parameter Store.

Correct

The maximum size is 4 KB for Standard tier and 8 KB for Advanced tier. For larger values, use Secrets Manager (64 KB) or store in S3 and reference the key.


Frequently Asked Questions

What is the difference between Parameter Store and Secrets Manager?

Parameter Store is a free (Standard tier) or low-cost (Advanced tier) service for storing configuration data and secrets up to 8 KB. It does not support automatic rotation natively. Secrets Manager costs $0.40 per secret per month, supports secrets up to 64 KB, and provides built-in automatic rotation for AWS database services. For the SAA-C03 exam, choose Secrets Manager when rotation is required, and Parameter Store when you need a cost-effective solution for static secrets or configuration.

Can I use the same KMS key for multiple SecureString parameters?

Yes, you can use the same KMS key (customer managed or default) for many SecureString parameters. Each Advanced parameter is encrypted under its own data key generated from that KMS key; Standard parameters are encrypted with the KMS key directly. Either way, one key for many parameters is secure and simplifies management. If you need to isolate who can decrypt what, the key policy is the coarsest gate, so use separate keys per environment or application and scope kms:Decrypt accordingly.

How do I retrieve a SecureString parameter from a Lambda function?

Use the AWS SDK in your Lambda function to call the SSM GetParameter API with WithDecryption=True. The Lambda execution role must have permissions for ssm:GetParameter and kms:Decrypt on the KMS key. Cache the value to reduce API calls. Example in Python: `ssm = boto3.client('ssm'); response = ssm.get_parameter(Name='/my/secret', WithDecryption=True); secret = response['Parameter']['Value']`.

What happens if I delete a KMS key used by SecureString parameters?

If you delete a customer managed KMS key (or schedule deletion), all SecureString parameters encrypted with that key become permanently unreadable. You will not be able to decrypt them, even if you have the correct IAM permissions. To avoid data loss, never delete a key that is still in use. You can disable the key instead, which will cause decryption to fail until re-enabled.

Can I store a JSON object as a SecureString parameter?

Yes, you can store any text, including JSON, as a SecureString parameter. The size limit (4 KB Standard, 8 KB Advanced) applies to the entire value. If your JSON is larger, consider compressing it or using Secrets Manager. When retrieving, you will get the JSON string and can parse it in your application.

How do I rotate a SecureString parameter automatically?

Parameter Store does not have built-in rotation. You can either: (1) keep the secret in AWS Secrets Manager, which rotates it, and have Parameter Store clients read it through the /aws/reference/secretsmanager/<secret-name> path with decryption enabled (independent of tier), (2) attach an ExpirationNotification policy (Advanced tier) and have an EventBridge rule invoke a Lambda function that obtains a new value and writes a new version, or (3) run a Lambda on an EventBridge schedule that updates the parameter. The exam expects you to know that Secrets Manager is the native rotation solution.

What is the maximum number of versions for a parameter?

Parameter Store supports up to 100 versions per parameter. Each time you update a parameter (using PutParameter), a new version is created. Older versions are retained and can be retrieved by specifying the version number. After 100 versions, the oldest version is deleted automatically.

