Get started with SSM Parameter Store in AWS CloudFormation

Photo by Sajad Nori on Unsplash

Get started with SSM Parameter Store in AWS CloudFormation

The AWS Systems Manager Parameter Store (SSM Parameter Store) is a service provided by Amazon Web Services (AWS) that helps manage configuration data, secrets, and other information for your applications and systems. It offers a secure and centralized location to store and access this sensitive data, making it easier to manage and control access to it.

SSM Parameter Store allows you to store key-value pairs, with the keys being unique identifiers for the data you want to store. These values can include simple text strings, such as configuration settings or API keys, or even encrypted secrets like database passwords.

Key features of the SSM Parameter Store include:

  1. Hierarchical Structure: Parameters can be organized hierarchically using a forward slash ("/") separator, allowing you to group related parameters and manage them more effectively.

  2. Parameter Types: SSM Parameter Store supports several parameter types, such as String, StringList, and SecureString. The SecureString type allows you to store sensitive data in an encrypted format.

  3. Versioning and History: SSM Parameter Store maintains a history of parameter changes, so you can track modifications and roll back to previous versions if needed.

  4. Integration with AWS Services: Parameter values from SSM Parameter Store can be referenced directly in other AWS services, such as AWS Lambda, EC2 instances, and CodeBuild, making it easier to use the stored values in your applications.

  5. Secure Access Control: AWS Identity and Access Management (IAM) can be used to control who can access and manage the parameters, ensuring secure handling of sensitive data.

  6. Parameter Policies: Parameter policies can be applied to control access to specific parameters, enabling fine-grained permissions management.

Overall, SSM Parameter Store is a useful tool for securely managing configuration and sensitive data in your AWS environment, providing a centralized solution that can be easily integrated into various applications and services.

Hands-On Lab

In this Lab, we will create EC2 instance via AWS CloudFormation with two parameters specified: InstanceType and ImageID.

  1. The CloudFormation template for creating EC2 instance with two parameters specified:

         Description: SSM Parameter for Demo EC2 server
         Type: String
         Default: /ec2/instanceType
         Description: SSM Parameter name for the AMI Image ID
         Type: String
         Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
         Type: AWS::EC2::Instance
           InstanceType: '{{resolve:ssm:/ec2/instanceType:1}}'
           ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2:1}}'

    The ${resolve:ssm} syntax is a CloudFormation dynamic reference to the Systems Manager Parameter Store. It fetches the actual parameter values during stack creation or update. The :1 at the end specifies the version of the SSM parameter that you want to fetch. In this case, it fetches the latest version of the parameter.

  2. Before creating CloudFormation Stack we first need to create parameters in AWS Systems Manager SSM Parameter Store. To create SSM parameters we can use the following AWS CLI commands:

     aws ssm put-parameter --name "/ec2/instanceType" \
       --description "SSM Parameter Demo EC2 server" \
       --type "String" \
       --value "t2.micro"

    The SSM parameter for ImageId is a public parameter managed by AWS:

  3. To deploy your CloudFormation stack use the following command:

     aws cloudformation create-stack --stack-name SSMParamaterDemo \
       --template-body file://path/to/your/template.yaml
  4. After stack deployment you can verify that initial stack template was deployed with EC2 t2.micro instance type:


  1. AWS::SSM::Parameter

  2. AWS Systems Manager Parameter Store

  3. Retrieving Amazon ECS-Optimized AMI metadata