This chapter covers AWS Systems Manager Parameter Store, a secure, hierarchical service for storing and managing configuration data and secrets. For the SOA-C02 exam, understanding Parameter Store is critical because it appears in roughly 8-12% of questions across Deployment, Security, and Operations domains. You will need to know its features, pricing tiers, integration with other AWS services, and how it differs from AWS Secrets Manager. This chapter provides the depth required to answer exam questions confidently and to apply Parameter Store effectively in real-world scenarios.
Imagine a large government department where many offices need access to shared configuration data like database connection strings, API keys, or feature flags. Instead of each office storing this information in their own notebooks (which would be insecure and hard to update), the department installs a single, secure filing cabinet in a locked room. Only authorized personnel have keys to the room (IAM policies) and specific keys to individual drawers (parameters). When an office needs a value, they send a request to the cabinet room: "Give me the value from drawer 'database_url'." The clerk checks the requester's identity and permissions, then retrieves the value from the correct drawer. If the value is sensitive (like a password), the clerk provides it encrypted, and the office must decrypt it themselves using a master key (KMS). The department also keeps a history of every time a drawer was accessed or its contents changed (CloudTrail). This central cabinet ensures that when the database URL changes, only one place needs updating, and all offices immediately get the new value on their next request. No more chasing down outdated notebooks or exposing secrets in code.
What is AWS Systems Manager Parameter Store?
AWS Systems Manager Parameter Store is a fully managed, serverless service that provides a centralized store for configuration data and secrets. It is designed to decouple configuration from application code, allowing you to manage values like database connection strings, license keys, AMI IDs, and feature flags separately from your application logic. Parameter Store is part of the AWS Systems Manager suite and integrates deeply with other AWS services such as EC2, Lambda, CloudFormation, and CodePipeline.
Why Parameter Store Exists
Before Parameter Store, administrators often hardcoded configuration values into application code, configuration files, or environment variables. This approach led to several problems: security risks (secrets exposed in code repositories), operational overhead (updating values across multiple environments), and lack of auditability. Parameter Store solves these by providing:
Secure storage for plaintext and ciphertext parameters.
Hierarchical structure using paths (e.g., /prod/database/url) for organization.
Versioning to track changes and roll back if needed.
Integration with AWS KMS for encryption of sensitive data.
Access control via IAM policies.
Audit trail via AWS CloudTrail.
How Parameter Store Works Internally
When you create or update a parameter, Parameter Store stores the value in a highly available, encrypted database within the AWS Region. The service automatically replicates data across multiple Availability Zones for durability. When a client (e.g., an EC2 instance via SSM Agent) requests a parameter, it sends an API call to the Parameter Store endpoint. The service validates the caller's IAM permissions, retrieves the parameter, and returns it. If the parameter is encrypted, the service returns the ciphertext; the client must then use KMS to decrypt it. Parameter Store supports two tiers: Standard and Advanced. The Standard tier is free, with a maximum parameter size of 4 KB and a limit of 10,000 parameters per account per Region. The Advanced tier costs a small fee, supports parameters up to 8 KB, allows up to 100,000 parameters per account per Region, and provides policies for expiration and notification.
Key Components, Values, Defaults, and Timers
Parameter Name: A unique name within a hierarchy. Example: /myapp/production/db/url. The hierarchy is delineated by forward slashes (/).
Parameter Value: The actual data, which can be a string, string list, or secure string. Maximum size: 4 KB (Standard) or 8 KB (Advanced).
Type: String, StringList, or SecureString. SecureString uses KMS encryption.
Tier: Standard (default) or Advanced. You can specify the tier when creating the parameter.
Key ID: The KMS key used to encrypt SecureString parameters. Can be a key ARN, alias, or ID. Default is the AWS managed key (alias/aws/ssm).
Version: Automatically incremented with each update. You can reference a specific version using the :version notation.
Policies (Advanced tier only): Allow you to set expiration and notification rules. For example, you can expire a parameter after a certain date or send an Amazon SNS notification when a parameter is about to expire.
CloudTrail: Every API call to Parameter Store is logged, including GetParameter, PutParameter, DeleteParameter, etc.
Throttling: Parameter Store has a default quota of 1,000 transactions per second (TPS) per account per Region for GetParameter and GetParameters API calls. This can be increased by requesting a limit increase.
Configuration and Verification Commands
To interact with Parameter Store, you typically use the AWS CLI, SDK, or the AWS Management Console. Common CLI commands include:
Create a parameter:
aws ssm put-parameter \
  --name "/myapp/dev/db/url" \
  --value "jdbc:mysql://localhost:3306/mydb" \
  --type String

Create a SecureString parameter using a custom KMS key:

aws ssm put-parameter \
  --name "/myapp/prod/db/password" \
  --value "MyP@ssw0rd!" \
  --type SecureString \
  --key-id "alias/my-kms-key"

Retrieve a parameter (with decryption for SecureString):

aws ssm get-parameter \
  --name "/myapp/prod/db/password" \
  --with-decryption

Retrieve multiple parameters by path:

aws ssm get-parameters-by-path \
  --path "/myapp/prod/" \
  --recursive \
  --with-decryption

List parameters:

aws ssm describe-parameters

Delete a parameter:

aws ssm delete-parameter \
  --name "/myapp/dev/db/url"

Label a parameter version (Advanced tier):

aws ssm label-parameter-version \
  --name "/myapp/prod/db/url" \
  --parameter-version 2 \
  --labels "production-release"

How Parameter Store Interacts with Related Technologies
AWS Lambda: You can retrieve parameters from Lambda using the AWS SDK. For example, using the boto3 library in Python:
import boto3

# The execution role needs ssm:GetParameter on this parameter and, if it is a
# SecureString, kms:Decrypt on the key that protects it. WithDecryption is
# ignored for String and StringList parameters, so it is safe to always pass it.
ssm = boto3.client('ssm')
parameter = ssm.get_parameter(Name='/myapp/db/url', WithDecryption=True)
url = parameter['Parameter']['Value']

EC2 Systems Manager (SSM Agent): EC2 instances with SSM Agent installed can retrieve parameters using the aws ssm get-parameter CLI command or through the SSM Agent's built-in parameter retrieval capability. This is often used in bootstrapping scripts.
CloudFormation: You can reference Parameter Store values from a CloudFormation template in two ways: with dynamic references in resource properties ({{resolve:ssm:/path}} for String parameters, {{resolve:ssm-secure:/path}} for SecureString parameters), or by declaring an SSM parameter type in the Parameters section, which CloudFormation resolves to the parameter's current value when the stack is created or updated. SSM parameter types support String and StringList only, so SecureString values must use the ssm-secure dynamic reference. For example:

Parameters:
  DBUrl:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /myapp/prod/db/url

AWS Secrets Manager: While Parameter Store can store secrets, AWS Secrets Manager is designed specifically for secrets management with automatic rotation and finer-grained access control. The exam often compares the two.
AWS AppConfig: AppConfig uses Parameter Store as a source for feature flags and configuration data, providing validation and gradual deployment.
AWS CodePipeline and CodeBuild: You can reference parameters for build environment variables or deployment configurations.
Parameter Store Policies (Advanced Tier)
Advanced tier parameters support policies that automate lifecycle management. Policies are JSON documents attached to a parameter. For example:
{
  "Type": "Expiration",
  "Version": "1.0",
  "Attributes": {
    "Timestamp": "2025-12-31T23:59:59Z"
  }
}

You can also set a notification policy that sends an SNS notification when a parameter expires or is about to expire. Policies are immutable once created; you must delete the parameter and recreate it to change the policy.
Security and Access Control
Access to Parameter Store is controlled by IAM. Actions such as ssm:GetParameter, ssm:PutParameter, ssm:DeleteParameter, and ssm:DescribeParameters are used. For SecureString parameters, you also need kms:Decrypt permission on the KMS key. IAM policies can restrict access to specific parameter paths. Example policy that allows read access only to parameters under /myapp/prod/:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:GetParameter",
      "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/myapp/prod/*"
    }
  ]
}

Note that the resource ARN for parameters uses parameter/ after the account ID (e.g., arn:aws:ssm:us-east-1:123456789012:parameter/myapp/prod/*).
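A small checker for policies of this shape, added here as an example and not part of the chapter: it builds parameter ARNs the way Parameter Store does (parameter/ immediately followed by the name, so the name's leading slash is dropped) and evaluates which parameter names an Allow statement actually covers. The region, account ID and parameter names are constructed, nothing is called in AWS, and the evaluator is simplified (no Condition, NotAction or NotResource).

```python
import json
import re

# The chapter's example policy (read-only under /myapp/prod/).
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "ssm:GetParameter",
    "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/myapp/prod/*"
  }]
}""")


def parameter_arn(region, account, name):
    """Build the ARN Parameter Store uses: 'parameter/' directly followed by the
    name, so '/myapp/prod/db/url' -> '...:parameter/myapp/prod/db/url' (the
    leading slash is dropped; names without a hierarchy get the same prefix)."""
    return f"arn:aws:ssm:{region}:{account}:parameter/{name.lstrip('/')}"


def _wild(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' a single one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def is_allowed(policy, action, arn):
    """Simplified IAM evaluation: an explicit Deny wins, any matching Allow
    grants, otherwise default deny. Condition, NotAction and NotResource are
    ignored (assumption: the policies checked here do not use them)."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        act_ok = any(_wild(a.lower(), action.lower()) for a in _as_list(st.get("Action", [])))
        res_ok = any(_wild(r, arn) for r in _as_list(st.get("Resource", [])))
        if act_ok and res_ok:
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def readable(policy, names, region="us-east-1", account="123456789012"):
    """Return the subset of parameter names the policy lets ssm:GetParameter read."""
    return [n for n in names
            if is_allowed(policy, "ssm:GetParameter", parameter_arn(region, account, n))]


# Constructed parameter names to check against the policy.
NAMES = [
    "/myapp/prod/db/url",
    "/myapp/prod/db/password",
    "/myapp/production/db/url",   # 'prod/' is not 'production/': not covered
    "/myapp/dev/db/url",
    "myapp-legacy-key",           # no hierarchy: ARN ends in parameter/myapp-legacy-key
]

# A common mistake: keeping the name's leading slash after 'parameter/' gives
# 'parameter//myapp/prod/*', which matches no real parameter ARN.
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "ssm:GetParameter",
    "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter//myapp/prod/*"}]}


if __name__ == "__main__":
    print(readable(POLICY, NAMES))         # the two /myapp/prod/... names
    print(readable(BROKEN_POLICY, NAMES))  # []
```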
Monitoring and Logging
CloudTrail: Logs all Parameter Store API calls. You can use CloudTrail to audit who accessed which parameter and when.
Amazon CloudWatch: You can monitor metrics like GetParameter calls and throttling events using CloudWatch metrics for Systems Manager.
AWS Config: You can use Config rules to enforce that parameters are encrypted (SecureString) or that they have specific policies.
Common Use Cases
Database connection strings: Store connection strings as SecureString parameters and retrieve them at runtime.
License keys: Store software license keys securely.
AMI IDs: Store the latest approved AMI ID for EC2 instances, updating it as new AMIs are released.
Feature flags: Use String parameters to toggle features on/off without redeploying code.
Environment-specific configuration: Use hierarchical paths like /app/dev/, /app/prod/ to separate configurations.
Create a Parameter
Use the AWS CLI, SDK, or Console to create a parameter. Specify a unique name using a hierarchical path (e.g., /app/prod/db/url). Choose the type: String, StringList, or SecureString. For SecureString, optionally specify a KMS key ID. The default tier is Standard. If you need larger values or policies, select Advanced. The parameter value is stored encrypted at rest. After creation, the parameter is immediately available for retrieval. The service assigns a version number starting at 1, which increments on each update.
Grant IAM Permissions
Create an IAM policy that grants the necessary actions (ssm:GetParameter, ssm:PutParameter) on the parameter ARN. For SecureString, also grant kms:Decrypt on the KMS key. Attach the policy to the IAM role used by the application (e.g., EC2 instance profile, Lambda execution role). The policy can restrict access to specific paths using the Resource element. For example, to allow read access to all parameters under /app/prod/, use Resource: arn:aws:ssm:us-east-1:123456789012:parameter/app/prod/*.
Retrieve a Parameter at Runtime
The application calls the GetParameter API, specifying the parameter name and optionally WithDecryption=True for SecureString. The service validates the caller's IAM permissions. If the parameter is a SecureString and WithDecryption is true, the service decrypts the value using KMS and returns the plaintext. If WithDecryption is false, it returns the ciphertext. The application then uses the value. For performance, consider caching the parameter value and refreshing it periodically, as each API call counts toward throttling limits.
Update a Parameter
Use PutParameter with the same name and a new value. The service increments the version number. Old versions are retained and can be accessed using the :version notation (e.g., /app/prod/db/url:3). You can also label specific versions for easier reference (Advanced tier). To prevent accidental overwrites, use the --overwrite flag explicitly; without it, PutParameter will fail if the parameter exists. After update, the new value is immediately available.
Delete a Parameter
Use DeleteParameter with the parameter name. This permanently removes the parameter and all its versions. There is no soft delete; the action is irreversible. After deletion, any subsequent GetParameter calls return a ParameterNotFound error. To avoid accidental deletion, consider using IAM policies that require MFA or use AWS CloudTrail to monitor delete operations.
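The runtime-retrieval step above recommends caching and backing off when throttled. The following is an added example (not code from the chapter) of a GetParameter wrapper with a TTL cache and full-jitter exponential backoff on ThrottlingException. The client is an assumption: anything with boto3's get_parameter(Name=..., WithDecryption=...) shape works, such as boto3.client("ssm"); a constructed in-memory fake is used so the code runs offline, and the clock and sleep are injectable so the cache behaviour can be checked without waiting.

```python
import random
import time


class ThrottlingException(Exception):
    """Stand-in for botocore's ClientError with error code ThrottlingException."""


class FakeSSMClient:
    """Constructed offline stand-in for boto3's SSM client (not a real API)."""

    def __init__(self, params, throttle_first_n=0):
        self._params = params              # name -> (type, plaintext value)
        self._throttle_left = throttle_first_n
        self.calls = 0                     # every call counts toward the TPS quota

    def get_parameter(self, Name, WithDecryption=False):
        self.calls += 1
        if self._throttle_left > 0:
            self._throttle_left -= 1
            raise ThrottlingException("Rate exceeded")
        ptype, value = self._params[Name]
        if ptype == "SecureString" and not WithDecryption:
            value = "AQICAHg[constructed ciphertext]"   # no decryption requested
        return {"Parameter": {"Name": Name, "Type": ptype, "Value": value}}


class CachedParameterStore:
    """GetParameter with a TTL cache and full-jitter exponential backoff."""

    def __init__(self, client, ttl_seconds=300, max_retries=5,
                 clock=time.monotonic, sleep=time.sleep):
        self._client, self._ttl, self._max_retries = client, ttl_seconds, max_retries
        self._clock, self._sleep = clock, sleep   # injectable for tests
        self._cache = {}                          # (name, decrypt) -> (value, expiry)

    def get(self, name, decrypt=False):
        key = (name, decrypt)
        now = self._clock()
        hit = self._cache.get(key)
        if hit is not None and now < hit[1]:
            return hit[0]                          # served from cache: no API call
        value = self._fetch(name, decrypt)
        self._cache[key] = (value, now + self._ttl)
        return value

    def _fetch(self, name, decrypt):
        delay = 0.1
        for attempt in range(self._max_retries + 1):
            try:
                # With boto3 you would catch botocore.exceptions.ClientError and
                # check e.response["Error"]["Code"] == "ThrottlingException".
                resp = self._client.get_parameter(Name=name, WithDecryption=decrypt)
                return resp["Parameter"]["Value"]
            except ThrottlingException:
                if attempt == self._max_retries:
                    raise                          # give up after the last retry
                self._sleep(random.uniform(0, delay))   # full jitter
                delay = min(delay * 2, 2.0)


def demo():
    """Two throttled calls, then cache hits until the 5-minute TTL expires."""
    client = FakeSSMClient(
        {"/app/prod/db/url": ("String", "jdbc:mysql://db:3306/app"),
         "/app/prod/db/password": ("SecureString", "s3cret")},
        throttle_first_n=2)
    fake_now = [0.0]
    store = CachedParameterStore(client, ttl_seconds=300,
                                 clock=lambda: fake_now[0], sleep=lambda s: None)
    first = store.get("/app/prod/db/password", decrypt=True)   # 3 calls (2 throttled)
    second = store.get("/app/prod/db/password", decrypt=True)  # cache hit
    fake_now[0] += 301                                         # TTL elapsed
    third = store.get("/app/prod/db/password", decrypt=True)   # 1 more call
    ciphertext = store.get("/app/prod/db/password")            # separate cache key
    return first, second, third, ciphertext, client.calls


if __name__ == "__main__":
    print(demo())
```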
Enterprise Scenario 1: Centralized Database Credentials for Microservices
A large e-commerce company runs hundreds of microservices across multiple AWS accounts and regions. Each microservice needs to connect to a different database. Previously, each service had its own configuration file with hardcoded credentials, leading to security vulnerabilities and operational overhead when passwords rotated. The company implemented Parameter Store with a hierarchical structure: /ecommerce/{env}/{service}/db/{credential}. They used SecureString for passwords and granted each service's IAM role access only to its own path. For example, the order service in production could only read parameters under /ecommerce/prod/order/. Rotation was automated via a Lambda function that updated the parameter and sent an SNS notification. This reduced secret exposure and simplified credential rotation. The main challenge was throttling: with thousands of services calling GetParameter at startup, they hit the default 1,000 TPS limit. They resolved this by implementing client-side caching with a 5-minute TTL and requesting a limit increase to 5,000 TPS.
Enterprise Scenario 2: AMI Management for Auto Scaling Groups
A media streaming company uses Auto Scaling groups with custom AMIs. They need to ensure all new instances launch with the latest approved AMI. They store the AMI ID as a plaintext String parameter at /infrastructure/ami/latest. A CI/CD pipeline updates this parameter whenever a new AMI is approved. The Auto Scaling group's launch template references the parameter using a dynamic reference: {{resolve:ssm:/infrastructure/ami/latest}}. When the parameter is updated, the Auto Scaling group automatically uses the new AMI for new instances. This eliminates manual updates to launch templates and ensures consistency. The company uses the Advanced tier to set an expiration policy on the parameter, automatically deleting old AMI IDs after 90 days. A misconfiguration occurred when an engineer accidentally deleted the parameter, causing new instances to fail to launch. They recovered by restoring the parameter from a backup of the value and re-creating it. Now they use IAM policies that require MFA for deletion and enable CloudTrail alerts.
Performance and Scale Considerations
Parameter Store is designed for high availability and low latency. However, at scale, consider the following:
- Throttling: Default 1,000 TPS for GetParameter. Use caching and batch retrieval (GetParameters) to reduce calls.
- Parameter size: Standard tier limits values to 4 KB. If you need larger values, use Advanced (8 KB) or store data in S3 and reference the S3 URI.
- Cost: Standard tier is free for parameters and API calls. Advanced tier costs $0.05 per parameter per month and $0.05 per 10,000 API calls. Monitor costs if using many Advanced parameters.
- Cross-account access: Parameter Store has no resource-based policies, so share parameters across accounts with IAM roles. For example, store parameters in a central account and let other accounts assume a role there that is scoped to the parameter paths they need.
What Goes Wrong When Misconfigured
Overly permissive IAM policies: Granting ssm:GetParameter on * allows any service to read all parameters, including secrets. Always scope to specific paths.
Hardcoded parameter names: If the parameter name changes, applications break. Use environment variables or configuration files to parameterize the name.
Missing decryption permission: For SecureString, forgetting kms:Decrypt causes GetParameter to fail when WithDecryption=true. The error message is "Access denied" or "KMS error." Ensure the IAM role has kms:Decrypt on the correct key.
Accidental deletion: Without proper IAM controls, anyone with ssm:DeleteParameter can delete critical parameters. Use least privilege and enable CloudTrail alerts.
Throttling under load: Applications that call GetParameter on every request can exceed throttling limits. Implement caching and retry logic with exponential backoff.
What SOA-C02 Tests on Parameter Store
The SOA-C02 exam covers Parameter Store primarily under Domain 3: Deployment, Objective 3.2: Manage configuration and secrets. Specific subtopics include:
- Parameter Store vs. Secrets Manager: Know the differences in features, cost, and use cases. Secrets Manager supports automatic rotation, cross-region replication, and finer-grained access policies. Parameter Store is for general configuration and simpler secrets.
- SecureString encryption: Understand that SecureString uses KMS. Default key is alias/aws/ssm. You can use a custom CMK. The exam may ask which KMS key is used if not specified.
- Parameter hierarchies: Path-based organization. The exam may test how to restrict access to a subtree using IAM policies with the parameter/ prefix.
- Parameter versions and labels: Versions are immutable. You can reference a specific version or label. Labels are only available in Advanced tier.
- Policies: Only Advanced tier supports expiration and notification policies. Standard tier does not.
- Integration with CloudFormation: Dynamic references like {{resolve:ssm:/path}} and {{resolve:ssm-secure:/path}} are used for plaintext and SecureString parameters.
- Throttling limits: Default 1,000 TPS for GetParameter. The exam may ask what happens when throttled (you get a ThrottlingException).
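The dynamic-reference item above (and the CloudFormation update behaviour noted later in the chapter) can be made concrete with a small resolver, added here as an example and not the chapter's own code. It parses {{resolve:ssm:NAME}}, {{resolve:ssm:NAME:VERSION}} and {{resolve:ssm-secure:NAME}} in a template string, substitutes them once against a constructed parameter inventory (so a later change to the parameter does not change the rendered output, which is why a stack update is needed), and reports a missing parameter or a plain ssm reference pointing at a SecureString. The inventory and template fragment are constructed; nothing is fetched from AWS.

```python
import re

# Matches {{resolve:ssm:NAME}}, {{resolve:ssm:NAME:VERSION}} and {{resolve:ssm-secure:NAME}}.
REF = re.compile(r"\{\{resolve:(ssm|ssm-secure):([^:}]+)(?::(\d+))?\}\}")

# Constructed inventory standing in for the account's parameters:
# name -> {"Type": ..., "Versions": {version_number: value}}
PARAMS = {
    "/infrastructure/ami/latest": {"Type": "String",
                                   "Versions": {1: "ami-0aaa1111", 2: "ami-0bbb2222"}},
    "/myapp/prod/db/password": {"Type": "SecureString", "Versions": {1: "s3cret"}},
}


def resolve_template(template, params):
    """Substitute dynamic references the way CloudFormation does at stack
    create/update time (latest version unless one is given) and collect the
    problems that would make the stack operation fail. References that cannot
    be resolved are left in place so the caller can see them in the output."""
    errors = []

    def substitute(m):
        kind, name, version = m.group(1), m.group(2), m.group(3)
        p = params.get(name)
        if p is None:
            errors.append(f"{name}: parameter does not exist; create it before the stack")
            return m.group(0)
        if kind == "ssm" and p["Type"] == "SecureString":
            errors.append(f"{name}: SecureString must use ssm-secure, not ssm")
            return m.group(0)
        v = int(version) if version else max(p["Versions"])
        if v not in p["Versions"]:
            errors.append(f"{name}: version {v} not found")
            return m.group(0)
        # For ssm-secure CloudFormation hands the plaintext to the resource
        # without storing it in the template; here it is simply substituted.
        return p["Versions"][v]

    return REF.sub(substitute, template), errors


# Constructed template fragment (YAML as text; only the references matter here).
TEMPLATE = """\
ImageId: '{{resolve:ssm:/infrastructure/ami/latest}}'
Pinned: '{{resolve:ssm:/infrastructure/ami/latest:1}}'
MasterUserPassword: '{{resolve:ssm-secure:/myapp/prod/db/password}}'
"""


if __name__ == "__main__":
    rendered, problems = resolve_template(TEMPLATE, PARAMS)
    print(rendered)
    print(problems)
```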
Common Wrong Answers and Why Candidates Choose Them
Choosing Secrets Manager when Parameter Store is sufficient: Candidates often overuse Secrets Manager because they think all secrets need rotation. The exam tests cost-consciousness: if rotation is not needed, Parameter Store is cheaper and simpler.
Assuming Parameter Store supports automatic rotation: It does not. Secrets Manager does. A common distractor is that Parameter Store can rotate secrets via Lambda triggers, but that's not native.
Forgetting that SecureString requires KMS permissions: Candidates may grant ssm:GetParameter but not kms:Decrypt, leading to access denied errors. The exam will test that you need both.
Mixing up tiers: Standard tier max size is 4 KB, Advanced is 8 KB. Standard max 10,000 parameters, Advanced 100,000. Candidates often confuse these numbers.
Assuming parameter deletion is reversible: It is not. There is no recycle bin. The exam may present a scenario where a parameter is accidentally deleted and ask how to recover (answer: restore from backup or recreate).
Specific Numbers, Values, and Terms on the Exam
Maximum parameter size: 4 KB (Standard), 8 KB (Advanced)
Maximum parameters per account per Region: 10,000 (Standard), 100,000 (Advanced)
Default KMS key for SecureString: alias/aws/ssm
Throttling limit: 1,000 TPS for GetParameter (can be increased)
CloudTrail logs all API calls
Resource ARN format: arn:aws:ssm:region:account-id:parameter/path
Dynamic reference syntax: {{resolve:ssm:/path}} and {{resolve:ssm-secure:/path}}
Edge Cases and Exceptions
Cross-account access: Parameter Store does not support resource-based policies. To share across accounts, use IAM roles and cross-account access. The exam may test this.
Parameter Store in VPC endpoints: You can use an interface VPC endpoint (aws.ssm) to access Parameter Store without going over the internet. The exam may ask about private connectivity.
Parameter Store with Lambda: Lambda execution role must have ssm:GetParameter and kms:Decrypt. The exam may test that Lambda can retrieve parameters at runtime, not at deployment time.
CloudFormation update: If a parameter referenced in a CloudFormation template is updated, the stack does not automatically update. You must perform a stack update with the new parameter value.
How to Eliminate Wrong Answers
If the scenario mentions automatic rotation, the answer is always Secrets Manager.
If the scenario mentions cost savings and rotation is not needed, choose Parameter Store.
If the question asks about parameter size > 4 KB, you need Advanced tier or store in S3.
If the question mentions parameter expiration policy, only Advanced tier supports it.
If the question involves auditing parameter access, CloudTrail is the answer.
For IAM policy resource ARN, always use arn:aws:ssm:...:parameter/... (note the parameter/ before the path).
Parameter Store is a free (Standard tier) service for storing configuration data and secrets, integrated with AWS Systems Manager.
SecureString parameters use AWS KMS for encryption; default key is alias/aws/ssm. You must have kms:Decrypt permission to retrieve plaintext.
Standard tier limits: 10,000 parameters per account per Region, max 4 KB per value. Advanced tier: 100,000 parameters, max 8 KB, supports policies.
Parameter Store does not support automatic rotation; use Secrets Manager if rotation is required.
Use hierarchical paths (e.g., /app/env/key) for organization and IAM access control.
CloudTrail logs all Parameter Store API calls for auditing.
Dynamic references in CloudFormation: {{resolve:ssm:/path}} for plaintext, {{resolve:ssm-secure:/path}} for SecureString.
Throttling limit: 1,000 TPS for GetParameter; can be increased via support request.
These come up on the exam all the time. Here's how to tell them apart.
AWS Systems Manager Parameter Store
Free for Standard tier (parameters and API calls). Advanced tier costs $0.05/parameter/month + $0.05 per 10,000 API calls.
Maximum parameter size: 4 KB (Standard), 8 KB (Advanced).
No native automatic rotation. Must use custom Lambda.
Supports parameter hierarchies and versioning.
Policies only available in Advanced tier (expiration, notification).
AWS Secrets Manager
Costs $0.40 per secret per month + $0.05 per 10,000 API calls. Additional charges for rotation.
Maximum secret size: 64 KB.
Native automatic rotation with built-in integration for RDS, Redshift, DocumentDB, and more.
Supports cross-region replication and fine-grained access policies.
No concept of tiers; all secrets support automatic rotation and policies.
Mistake
Parameter Store can automatically rotate secrets like database passwords.
Correct
Parameter Store does not have native automatic rotation. AWS Secrets Manager does. You can use a custom Lambda function to update Parameter Store, but that is not built-in.
Mistake
Parameter Store supports resource-based policies to grant cross-account access.
Correct
Parameter Store does not support resource-based policies. Cross-account access requires using IAM roles and granting the role permission to access the parameter in the source account.
Mistake
SecureString parameters are automatically decrypted when retrieved without WithDecryption flag.
Correct
If you call GetParameter without WithDecryption=True, the service returns the ciphertext. You must explicitly request decryption to get the plaintext value.
Mistake
Standard tier parameters support expiration policies.
Correct
Expiration and notification policies are only available for Advanced tier parameters. Standard tier parameters have no policy support.
Mistake
Parameter Store can store values larger than 8 KB by using a different type.
Correct
The maximum size for a parameter value is 8 KB (Advanced). For larger data, you must store it in Amazon S3 and reference the S3 URI as the parameter value.
Use the dynamic reference syntax: {{resolve:ssm:/parameter/path}} for plaintext parameters, and {{resolve:ssm-secure:/parameter/path}} for SecureString parameters. This can be used in resource properties. For example, in an EC2 instance's UserData, you can reference a parameter. Note that the parameter must exist before the stack is created, and the stack will not automatically update if the parameter changes.
Standard tier is free, with a maximum of 10,000 parameters per account per Region and a maximum parameter size of 4 KB. Advanced tier costs $0.05 per parameter per month and $0.05 per 10,000 API calls, supports up to 100,000 parameters per account per Region, a maximum size of 8 KB, and allows you to attach policies (expiration and notification). You cannot change a parameter from Standard to Advanced after creation; you must delete and recreate it.
Yes, but not directly. Parameter Store does not support resource-based policies. To share across accounts, you can use IAM roles. For example, create a role in the source account that grants access to the parameter, and allow the target account to assume that role. Alternatively, you can use AWS Secrets Manager for cross-account sharing, as it supports resource-based policies.
Use the GetParameter API with the parameter name appended with :version. For example, if the parameter is /myapp/db/url and you want version 3, use /myapp/db/url:3. You can also use labels (Advanced tier) to reference a version by label, e.g., /myapp/db/url:prod-release.
You receive a ThrottlingException error. The default limit is 1,000 transactions per second (TPS) for GetParameter and GetParameters API calls. You can request a limit increase through AWS Support. To avoid throttling, implement client-side caching and use batch retrieval (GetParameters) where possible.
Yes. Your Lambda function can retrieve parameters using the AWS SDK. Ensure the execution role has ssm:GetParameter (and kms:Decrypt for SecureString). You can also use the Parameter Store as a source for environment variables in Lambda, but note that the environment variable is resolved at function creation time, not at runtime. For dynamic values, use the SDK in your code.
Use the DeleteParameter API. There is no soft delete; the parameter is permanently removed. All versions and labels are deleted. After deletion, you cannot recover the parameter. To prevent accidental deletion, use IAM policies that require MFA or use CloudTrail to monitor deletes.