• The Amazon Systems Manager CloudWatch Dashboard will no longer be available after April 30, 2026. Customers can continue to use Amazon CloudWatch console to view, create, and manage their Amazon CloudWatch dashboards, just as they do today. For more information, see [Amazon CloudWatch Dashboard documentation](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html).
# Working with shared parameters in Parameter Store
Sharing advanced parameters simplifies configuration data management in a multi-account environment. You can centrally store and manage your parameters and share them with other Amazon Web Services accounts that need to reference them.
Parameter Store integrates with Amazon Resource Access Manager (Amazon RAM) to enable advanced parameter sharing. Amazon RAM is a service that enables you to share resources with other Amazon Web Services accounts or through Amazon Organizations.
With Amazon RAM, you share resources that you own by creating a resource share. A resource share specifies the resources to share, permissions to grant, and the consumers with whom to share. Consumers can include:
+ Specific Amazon Web Services accounts inside or outside of its organization in Amazon Organizations
+ An organizational unit inside its organization in Amazon Organizations
+ Its entire organization in Amazon Organizations
For more information about Amazon RAM, see the *[Amazon RAM User Guide](https://docs.amazonaws.cn/ram/latest/userguide/)*.
This topic explains how to share parameters that you own, and how to use parameters that are shared with you.
**Topics**
+ [Prerequisites for sharing parameters](#prereqs)
+ [Sharing a parameter](#share)
+ [Stop sharing a shared parameter](#unshare)
+ [Identifying shared parameters](#identify)
+ [Accessing shared parameters](#accessing)
+ [Permissions sets for sharing parameters](#sharing-permissions)
+ [Maximum throughput for shared parameters](#throughput)
+ [Pricing for shared parameters](#pricing)
+ [Cross-account access for closed Amazon Web Services accounts](#closed-accounts)
## Prerequisites for sharing parameters
The following prerequisites must be met before you can share parameters from your account:
+ To share a parameter, you must own it in your Amazon Web Services account. You can't share a parameter that has been shared with you.
+ To share a parameter, it must be in the advanced parameter tier. For information about parameter tiers, see [Managing parameter tiers](parameter-store-advanced-parameters.md). For information about changing an existing standard parameter to an advanced parameter, see [Changing a standard parameter to an advanced parameter](parameter-store-advanced-parameters-enabling.md).
+ To share a `SecureString` parameter, it must be encrypted with a customer managed key, and you must share the key separately through Amazon Key Management Service. Amazon managed keys cannot be shared. Parameters encrypted with the default Amazon managed key can be updated to use a customer managed key instead. For Amazon KMS key definitions, see [Amazon KMS concepts](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html#key-mgmt) in the *Amazon Key Management Service Developer Guide*.
+ To share a parameter with your organization or an organizational unit in Amazon Organizations, you must enable sharing with Amazon Organizations. For more information, see [Enable Sharing with Amazon Organizations](https://docs.amazonaws.cn/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs) in the *Amazon RAM User Guide*.
## Sharing a parameter
To share a parameter, you must add it to a resource share. A resource share is an Amazon RAM resource that lets you share your resources across Amazon Web Services accounts. A resource share specifies the resources to share, and the consumers with whom they are shared.
When you share a parameter that you own with other Amazon Web Services accounts, you can choose from two Amazon managed permissions to grant the consumers. For more information, see [Permissions sets for sharing parameters](#sharing-permissions).
If you are part of an organization in Amazon Organizations and sharing within your organization is enabled, you can grant consumers in your organization access from the Amazon RAM console to the shared parameter. Otherwise, consumers receive an invitation to join the resource share and are granted access to the shared parameter after accepting the invitation.
You can share a parameter that you own using the Amazon RAM console, or the Amazon CLI.
**Note**
While you can share a parameter using the Systems Manager [PutResourcePolicy](https://docs.amazonaws.cn/systems-manager/latest/APIReference/API_PutResourcePolicy.html) API operation, we recommend using Amazon Resource Access Manager (Amazon RAM) instead. This is because using `PutResourcePolicy` requires the extra step of promoting the parameter to a standard Resource Share using the Amazon RAM [PromoteResourceShareCreatedFromPolicy](https://docs.amazonaws.cn/ram/latest/APIReference/API_PromoteResourceShareCreatedFromPolicy.html) API operation. Otherwise, the parameter won't be returned by the Systems Manager [DescribeParameters](https://docs.amazonaws.cn/systems-manager/latest/APIReference/API_DescribeParameters.html) API operation using the `--shared` option.
**To share a parameter that you own using the Amazon RAM console**
See [Creating a resource share in Amazon RAM](https://docs.amazonaws.cn/ram/latest/userguide/working-with-sharing.html#working-with-sharing-create) in the *Amazon RAM User Guide*.
Make the following selections as you complete the procedure:
+ In the Step 1 page, for **Resources**, select `Parameter Store Advanced Parameter`, and then select the box of each parameter in the advanced parameter tier that you want to share.
+ In the Step 2 page, for **Managed permissions**, choose the permission to grant consumers, as described in [Permissions sets for sharing parameters](#sharing-permissions) later in this topic.
Choose other options based on your parameter sharing objectives.
**To share a parameter that you own using the Amazon CLI**
Use the [https://docs.amazonaws.cn/cli/latest/reference/ram/create-resource-share.html](https://docs.amazonaws.cn/cli/latest/reference/ram/create-resource-share.html) command to add parameters to a new resource share.
Use the [https://docs.amazonaws.cn/cli/latest/reference/ram/associate-resource-share.html](https://docs.amazonaws.cn/cli/latest/reference/ram/associate-resource-share.html) command to add parameters to an existing resource share.
The following example creates a new resource share to share parameters with consumers in an organization and in an individual account.
```
aws ram create-resource-share \
--name "MyParameter" \
--resource-arns "arn:aws:ssm:us-east-2:123456789012:parameter/MyParameter" \
--principals "arn:aws:organizations::123456789012:ou/o-63bEXAMPLE/ou-46xi-rEXAMPLE" "987654321098"
```
## Stop sharing a shared parameter
When you stop sharing a shared parameter, the consumer account can no longer access the parameter.
To stop sharing a parameter that you own, you must remove it from the resource share. You can do this using the Systems Manager console, Amazon RAM console, or the Amazon CLI.
**To stop sharing a parameter that you own using the Amazon RAM console**
See [Update a resource share in Amazon RAM](https://docs.amazonaws.cn/ram/latest/userguide/working-with-sharing-update.html) in the *Amazon RAM User Guide*.
**To stop sharing a parameter that you own using the Amazon CLI**
Use the [disassociate-resource-share](https://docs.amazonaws.cn/cli/latest/reference/ram/disassociate-resource-share.html) command.
## Identifying shared parameters
Owners and consumers can identify shared parameters using the Amazon CLI.
**To identify shared parameters using the Amazon CLI**
To identify shared parameters using the Amazon CLI, you can choose from the Systems Manager `[https://docs.amazonaws.cn/cli/latest/reference/ssm/describe-parameters.html](https://docs.amazonaws.cn/cli/latest/reference/ssm/describe-parameters.html)` command and the Amazon RAM `[list-resources](https://docs.amazonaws.cn/cli/latest/reference/ram/list-resources.html)` command.
When you use the `--shared` option with `describe-parameters`, the command returns the parameters that are shared with you.
The following is an example:
```
aws ssm describe-parameters --shared
```
## Accessing shared parameters
Consumers can access shared parameters using the Amazon command line tools, and Amazon SDKs. For consumer accounts, parameters shared with that account aren't included in the **My parameters** page.
**CLI Example: Accessing shared parameter details using the Amazon CLI**
To access shared parameter details using the Amazon CLI, you can use the [https://docs.amazonaws.cn/cli/latest/reference/ssm/get-parameter.html](https://docs.amazonaws.cn/cli/latest/reference/ssm/get-parameter.html) or [https://docs.amazonaws.cn/cli/latest/reference/ssm/get-parameters.html](https://docs.amazonaws.cn/cli/latest/reference/ssm/get-parameters.html) commands. You must specify the full parameter ARN as the `--name` in order to retrieve the parameter from another account.
The following is an example.
```
aws ssm get-parameter \
--name arn:aws:ssm:us-east-2:123456789012:parameter/MySharedParameter
```
**Supported and unsupported integrations for shared parameters**
Currently, you can use shared parameters in the following integration scenarios:
+ Amazon CloudFormation [template parameters](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html#aws-ssm-parameter-types)
+ The [Amazon Parameters and Secrets Lambda extension](ps-integration-lambda-extensions.md)
+ [Amazon Elastic Compute Cloud (EC2) launch templates](https://docs.amazonaws.cn/autoscaling/ec2/userguide/using-systems-manager-parameters.html)
+ Values for `ImageID` with the [EC2 RunInstances command](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_RunInstances.html) to create instances from an Amazon Machine Image (AMI)
+ [Retrieving parameter values in runbooks](https://repost.aws/knowledge-center/systems-manager-parameter-store) for Automation, a tool in Systems Manager
The following scenarios and integrated services do not currently support the use of shared parameters:
+ [Parameters in commands](sysman-param-runcommand.md) in Run Command, a tool in Systems Manager
+ Amazon CloudFormation [dynamic references](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/dynamic-references.html)
+ The [values of environment variables](https://docs.amazonaws.cn/codebuild/latest/userguide/build-spec-ref.html#build-spec.env.parameter-store) in Amazon CodeBuild
+ The [values of environment variables](https://docs.amazonaws.cn/apprunner/latest/dg/env-variable.html) in Amazon App Runner
+ The [value of a secret](https://docs.amazonaws.cn/AmazonECS/latest/userguide/secrets-envvar-ssm-paramstore.html) in Amazon Elastic Container Service
## Permissions sets for sharing parameters
Consumer accounts receive read-only access to the parameters you share with them. The consumer can't update or delete the parameter. The consumer can't share the parameter with a third account.
When you create a resource share in Amazon Resource Access Manager for sharing your parameters, you can choose from two Amazon managed permission sets to grant this read-only access:
**AWSRAMDefaultPermissionSSMParameterReadOnly**
Allowed actions: `DescribeParameters`, `GetParameter`, `GetParameters`
**AWSRAMPermissionSSMParameterReadOnlyWithHistory**
Allowed actions: `DescribeParameters`, `GetParameter`, `GetParameters`, `GetParameterHistory`
When you folllow the steps in [Creating a resource share in Amazon RAM](https://docs.amazonaws.cn/ram/latest/userguide/working-with-sharing.html#working-with-sharing-create) in the *Amazon RAM User Guide*, choose `Parameter Store Advanced Parameters` as the resource type and either of these managed permissions, depending on whether you want users to view parameter history or not.
**Note**
If you're retrieving shared parameters programmatically (for example, using Amazon Lambda) you might need to add the `ssm:GetResourcePolicies` and `ssm:PutResourcePolicy` permissions to any IAM roles calling Amazon Resource Access Manager API actions.
## Maximum throughput for shared parameters
Systems Manager limits the maximum throughput (transactions per second) for the [https://docs.amazonaws.cn/systems-manager/latest/APIReference/API_GetParameter.html](https://docs.amazonaws.cn/systems-manager/latest/APIReference/API_GetParameter.html) and [https://docs.amazonaws.cn/systems-manager/latest/APIReference/API_GetParameters.html](https://docs.amazonaws.cn/systems-manager/latest/APIReference/API_GetParameters.html). operations. Throughput is enforced at the individual account level. Therefore, each account that consumes a shared parameter can use its maximum allowed throughput without being affected by other accounts. For more information about maximum throughput for parameters, see the following topics:
+ [Increasing Parameter Store throughput](https://docs.amazonaws.cn/systems-manager/latest/userguide/parameter-store-throughput.html)
+ [Systems Manager Service quotas](https://docs.amazonaws.cn/general/latest/gr/ssm.html#limits_ssm) in the *Amazon Web Services General Reference*.
## Pricing for shared parameters
Cross-account sharing is only available in the advanced parameter tier. For advanced parameters, charges are incurred at the current price for the *storage* and *API usage* for each advanced parameter. The owning account is charged for storage of the advanced parameter. Any consuming account that makes an API call to a shared advanced parameter is charged for the parameter usage.
For example, if Account A creates an advanced parameter, `MyAdvancedParameter`, that account is charged USD 0.05 per month to store the parameter.
Account A then shares `MyAdvancedParameter` with Account B and Account C. During a month, the three accounts make calls to `MyAdvancedParameter`. The following table illustrates the charges they would incur for the number of calls each makes.
**Note**
The charges in the following table are for illustration only. To verify current pricing, see [Amazon Systems Manager Pricing for Parameter Store](https://www.amazonaws.cn/systems-manager/pricing/#Parameter_Store).
| Account | Number of calls | Charges |
| --- | --- | --- |
| Account A (owning account) | 10,000 calls | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/systems-manager/latest/userguide/parameter-store-shared-parameters.html) |
| Account B (consuming account) | 20,000 calls | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/systems-manager/latest/userguide/parameter-store-shared-parameters.html) |
| Account C (consuming account) | 30,000 calls | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/systems-manager/latest/userguide/parameter-store-shared-parameters.html) |
## Cross-account access for closed Amazon Web Services accounts
If the Amazon Web Services account that owns a shared parameter is closed, all consuming accounts lose access to the shared parameter. If the owning account is reopened within 90 days after the account is closed, consuming accounts regain access to the previously shared parameters. For more information about reopening an account during the Post-Closure Period, see [Accessing your Amazon Web Services account after you close it](https://docs.amazonaws.cn/accounts/latest/reference/manage-acct-closing.html#accessing-after-closure) in the *Amazon Account Management Reference Guide*.