Using policy conditions to control access to Parameter Store API operations
Using service-specific conditions supported by Systems Manager for Amazon Identity and Access Management (IAM) policies, you can explicity allow or deny access to Parameter Store API operations and content. By using these conditions, you can allow only certain IAM Entities (users and roles) in your organization to call certain API actions, or prevent certain IAM Entities from running them. This includes actions run through the Parameter Store console, the Amazon Command Line Interface (Amazon CLI), and SDKs.
Systems Manager currently supports two conditions that are specific to Parameter Store.
Topics
ssm:Overwrite
: Control
changes to existing parameters
Use the ssm:Overwrite
condition to control whether IAM Entities
can update existing parameters.
In the following sample policy, the "Allow" statement grants permission to
create parameters by running the PutParameter
API operation in the
Amazon Web Services account 123456789012 in the US East (Ohio) Region (us-east-2).
After this, the "Deny" statement prevents Entities from changing values of
existing parameters because the
Overwrite
option is explicitly denied for the
PutParameter
operation. Therefore, Entities that are assigned
this policy can create parameters, but not make changes to existing
parameters.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:PutParameter" ], "Resource": "arn:aws:ssm:us-east-2:123456789012:parameter/*" }, { "Effect": "Deny", "Action": [ "ssm:PutParameter" ], "Condition": { "StringEquals": { "ssm:Overwrite": [ "true" ] } }, "Resource": "arn:aws:ssm:us-east-2:123456789012:parameter/*" } ] }
ssm:Recursive
: Control access
to levels in a hierarchical parameter
Use the ssm:Recursive
condition to control whether IAM Entities
can view or reference levels in a hierarchical parameter. You can provide or
restrict access to all parameters beyond a specific level of a hierarchy.
In the following example policy, the "Allow" statement provides access to
Parameter Store operations on all parameters in the path
/Code/Departments/Finance/*
for the Amazon Web Services account
123456789012 in the US East (Ohio) Region (us-east-2).
After this, the "Deny" statement prevents IAM Entities from viewing or
retrieving parameter data at or below the level of
/Code/Departments/*
. Entities can still, however, still
create or update parameters in that path. The example has been constructed to
illustrate that recursively denying access below a certain level in a parameter
hierarchy takes precedence over more permissive access in the same
policy.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:*" ], "Resource": "arn:aws:ssm:us-east-2:123456789012:parameter
/*
" }, { "Effect": "Deny", "Action": [ "ssm:GetParametersByPath" ], "Condition": { "StringEquals": { "ssm:Recursive": [ "true" ] } }, "Resource": "arn:aws:ssm:us-east-2:123456789012:parameter/Code/Departments/*" } ] }
Important
If a user has access to a path, then the user can access all levels of
that path. For example, if a user has permission to access path
/a
, then the user can also access
/a/b
. This is true unless the user has explicitly
been denied access in IAM for parameter /b
, as
illustrated above.