


# Amazon Systems Manager Parameter Store
<a name="systems-manager-parameter-store"></a>

Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values. You can store values as plain text or encrypted data. You can reference Systems Manager parameters in your scripts, commands, SSM documents, and configuration and automation workflows by using the unique name that you specified when you created the parameter. To get started with Parameter Store, open the [Systems Manager console](https://console.amazonaws.cn//systems-manager/parameters). In the navigation pane, choose **Parameter Store**.

Parameter Store is also integrated with Secrets Manager. You can retrieve Secrets Manager secrets when using other Amazon Web Services services that already support references to Parameter Store parameters. For more information, see [Referencing Amazon Secrets Manager secrets from Parameter Store parameters](integration-ps-secretsmanager.md).

**Note**  
To implement password rotation lifecycles, use Amazon Secrets Manager. You can rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle using Secrets Manager. For more information, see [What is Amazon Secrets Manager?](https://docs.amazonaws.cn//secretsmanager/latest/userguide/intro.html) in the *Amazon Secrets Manager User Guide*.

## How can Parameter Store benefit my organization?
<a name="parameter-store-benefits"></a>

Parameter Store offers these benefits:
+ Use a secure, scalable, hosted secrets management service with no servers to manage.
+ Improve your security posture by separating your data from your code.
+ Store configuration data and encrypted strings in hierarchies and track versions.
+ Control and audit access at granular levels.
+ Store parameters reliably because Parameter Store is hosted in multiple Availability Zones in an Amazon Web Services Region.

## Who should use Parameter Store?
<a name="parameter-store-who"></a>
+ Any Amazon customer who wants to have a centralized way to manage configuration data.
+ Software developers who want to store different logins and reference streams.
+ Administrators who want to receive notifications when their secrets and passwords are or aren't changed.

## What are the features of Parameter Store?
<a name="parameter-store-features"></a>
+ **Change notification**

  You can configure change notifications and invoke automated actions for both parameters and parameter policies. For more information, see [Setting up notifications or triggering actions based on Parameter Store events](sysman-paramstore-cwe.md).
+ **Organize parameters**

  You can tag your parameters individually to help you identify one or more parameters based on the tags you've assigned to them. For example, you can tag parameters for specific environments or departments. 
+ **Label versions**

  You can associate an alias for versions of your parameter by creating labels. Labels can help you remember the purpose of a parameter version when there are multiple versions. 
+ **Data validation**

  You can create parameters that point to an Amazon Elastic Compute Cloud (Amazon EC2) instance, and Parameter Store validates these parameters to make sure that each one references the expected resource type, that the resource exists, and that the customer has permission to use the resource. For example, you can create a parameter with an Amazon Machine Image (AMI) ID as a value with the `aws:ec2:image` data type, and Parameter Store performs an asynchronous validation operation to make sure that the parameter value meets the formatting requirements for an AMI ID, and that the specified AMI is available in your Amazon Web Services account. 
+ **Reference secrets**

  Parameter Store is integrated with Amazon Secrets Manager so that you can retrieve Secrets Manager secrets when using other Amazon Web Services services that already support references to Parameter Store parameters. 
+ **Share parameters with other accounts**

  You can optionally centralize configuration data in a single Amazon Web Services account and share parameters with other accounts that need to access them.
+ **Accessible from other Amazon Web Services services**

  You can use Parameter Store parameters with other Systems Manager tools and Amazon Web Services services to retrieve secrets and configuration data from a central store. Parameters work with Systems Manager tools such as Run Command, Automation, and State Manager. You can also reference parameters in a number of other Amazon Web Services services, including the following:
  + Amazon Elastic Compute Cloud (Amazon EC2)
  + Amazon Elastic Container Service (Amazon ECS)
  + Amazon Secrets Manager
  + Amazon Lambda
  + Amazon CloudFormation
  + Amazon CodeBuild
  + Amazon CodePipeline
  + Amazon CodeDeploy
+ **Integrate with other Amazon Web Services services**

  Configure integration with the following Amazon Web Services services for encryption, notification, monitoring, and auditing:
  + Amazon Key Management Service (Amazon KMS)
  + Amazon Simple Notification Service (Amazon SNS)
  + Amazon CloudWatch: For more information, see [Configuring EventBridge rules for parameters and parameter policies](sysman-paramstore-cwe.md#cwe-parameter-changes). 
  + Amazon EventBridge: For more information, see [Monitoring Systems Manager status changes using Amazon SNS notifications](monitoring-sns-notifications.md) and [Reference: Amazon EventBridge event patterns and types for Systems Manager](reference-eventbridge-events.md). 
  + Amazon CloudTrail: For more information, see [Logging Amazon Systems Manager API calls with Amazon CloudTrail](monitoring-cloudtrail-logs.md).

## What is a parameter?
<a name="what-is-a-parameter"></a>

A Parameter Store parameter is any piece of data that is saved in Parameter Store, such as a block of text, a list of names, a password, an AMI ID, a license key, and so on. You can centrally and securely reference this data in your scripts, commands, and SSM documents.

When you reference a parameter, you specify the parameter name by using the following convention.

`{{ssm:parameter-name}}`

**Note**  
Parameters can't be referenced or nested in the values of other parameters. You can't include `{{}}` or `{{ssm:parameter-name}}` in a parameter value.

Parameter Store provides support for three types of parameters: `String`, `StringList`, and `SecureString`. 

With one exception, when you create or update a parameter, you enter the parameter value as plaintext, and Parameter Store performs no validation on the text you enter. For `String` parameters, however, you can specify the data type as `aws:ec2:image`, and Parameter Store validates that the value you enter is the proper format for an Amazon EC2 AMI; for example: `ami-12345abcdeEXAMPLE`.

### Parameter type: String
<a name="parameter-type-string"></a>

By default, the value of a `String` parameter consists of any block of text you enter. For example:
+ `abc123`
+ `Example Corp`
+ `<img src="images/bannerImage1.png"/>`

### Parameter type: StringList
<a name="parameter-type-stringlist"></a>

The values of `StringList` parameters contain a comma-separated list of values, as shown in the following examples.

`Monday,Wednesday,Friday`

`CSV,TSV,CLF,ELF,JSON`

### Parameter type: SecureString
<a name="parameter-type-securestring"></a>

The value of a `SecureString` parameter is any sensitive data that needs to be stored and referenced in a secure manner. If you have data that you don't want users to alter or reference in plaintext, such as passwords or license keys, create those parameters using the `SecureString` data type.

**Important**  
Don't store sensitive data in a `String` or `StringList` parameter. For all sensitive data that must remain encrypted, use only the `SecureString` parameter type.  
For more information, see [Creating a SecureString parameter using the Amazon CLI](param-create-cli.md#param-create-cli-securestring).

We recommend using `SecureString` parameters for the following scenarios:
+ You want to use data/parameters across Amazon Web Services services without exposing the values as plaintext in commands, functions, agent logs, or CloudTrail logs.
+ You want to control who has access to sensitive data.
+ You want to be able to audit when sensitive data is accessed (CloudTrail).
+ You want to encrypt your sensitive data, and you want to bring your own encryption keys to manage access.

**Important**  
Only the *value* of a `SecureString` parameter is encrypted. Parameter names, descriptions, and other properties aren't encrypted.

You can use the `SecureString` parameter type for textual data that you want to encrypt, such as passwords, application secrets, confidential configuration data, or any other types of data that you want to protect. `SecureString` data is encrypted and decrypted using an Amazon KMS key. You can use either a default KMS key provided by Amazon or create and use your own Amazon KMS key. (Use your own Amazon KMS key if you want to restrict user access to `SecureString` parameters. For more information, see [IAM permissions for using Amazon default keys and customer managed keys](sysman-paramstore-access.md#ps-kms-permissions).)
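The guidance in this section can be checked against parameter metadata. The following is an added example, not code from the original guide: it audits records shaped like the `DescribeParameters` output (`Name`, `Type`, `KeyId`, `Description`). The name patterns and the sample records are constructed assumptions.

```python
import re

# Hypothetical heuristics: name fragments that suggest a secret, and
# "key=value" text that suggests a secret pasted into a description.
SENSITIVE_NAME = re.compile(r"passw|secret|token|api[-_]?key|license|credential", re.I)
EMBEDDED_VALUE = re.compile(r"(passw\w*|secret|token|key)\s*[:=]\s*\S+", re.I)
DEFAULT_KEY = "alias/aws/ssm"  # the Amazon managed key shown on this page

def audit_parameters(parameters):
    """Return sorted (name, finding) pairs for DescribeParameters-style metadata."""
    findings = []
    for p in parameters:
        name, ptype = p["Name"], p["Type"]
        # Sensitive data must not live in String or StringList parameters.
        if ptype in ("String", "StringList") and SENSITIVE_NAME.search(name):
            findings.append((name, "plaintext-type"))
        # The page recommends your own KMS key to restrict user access.
        if ptype == "SecureString" and p.get("KeyId", DEFAULT_KEY) == DEFAULT_KEY:
            findings.append((name, "default-key"))
        # Only the value is encrypted; descriptions are stored in the clear.
        if EMBEDDED_VALUE.search(p.get("Description", "")):
            findings.append((name, "secret-in-description"))
    return sorted(findings)

# Constructed sample metadata (names and key alias are placeholders).
SAMPLE = [
    {"Name": "/prod/db/password", "Type": "String"},
    {"Name": "/prod/app/license-key", "Type": "SecureString", "KeyId": "alias/aws/ssm"},
    {"Name": "/prod/app/api-token", "Type": "SecureString",
     "KeyId": "alias/example-app-key", "Description": "token=abc123 for partner API"},
    {"Name": "/prod/app/weekdays", "Type": "StringList"},
    {"Name": "/prod/app/jwt", "Type": "SecureString", "KeyId": "alias/example-app-key"},
]

if __name__ == "__main__":
    for name, finding in audit_parameters(SAMPLE):
        print(f"{finding:22} {name}")
```
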

You can also use `SecureString` parameters with other Amazon Web Services services. In the following example, the Lambda function retrieves a `SecureString` parameter by using the [GetParameters](https://docs.amazonaws.cn/systems-manager/latest/APIReference/API_GetParameters.html) API.

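```
import boto3

# Create the client once so that warm invocations reuse it.
ssm = boto3.client('ssm', 'us-east-2')

def get_parameters():
    # WithDecryption=True returns the SecureString value as plaintext.
    response = ssm.get_parameters(
        Names=['LambdaSecureString'], WithDecryption=True
    )
    # Names that couldn't be resolved are listed in InvalidParameters.
    if response.get('InvalidParameters'):
        raise KeyError(response['InvalidParameters'][0])
    return response['Parameters'][0]['Value']

def lambda_handler(event, context):
    value = get_parameters()
    # Don't print the decrypted value; function output is written to the logs.
    print("Retrieved LambdaSecureString")
    return value  # Echo back the first key value
```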
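To audit who reads a `SecureString` value in decrypted form, as in the `GetParameters` call above, you can filter CloudTrail records. This is an added example, not code from the original guide. The record layout (`eventSource`, `eventName`, `userIdentity.arn`, `requestParameters.withDecryption`) is assumed, and the ARNs and events are constructed.

```python
from collections import defaultdict

# API calls that can return a decrypted SecureString value.
DECRYPT_CALLS = {"GetParameter", "GetParameters", "GetParametersByPath"}

def decrypted_reads(records, allowed_prefixes):
    """Map parameter name -> sorted principals outside the allow-list that
    successfully requested it with decryption."""
    hits = defaultdict(set)
    for rec in records:
        if rec.get("eventSource") != "ssm.amazonaws.com":
            continue
        if rec.get("eventName") not in DECRYPT_CALLS or rec.get("errorCode"):
            continue  # other APIs, or calls that failed and returned no value
        req = rec.get("requestParameters") or {}
        if not req.get("withDecryption"):
            continue  # SecureString values come back encrypted without this flag
        principal = rec.get("userIdentity", {}).get("arn", "unknown")
        if principal.startswith(tuple(allowed_prefixes)):
            continue  # expected reader, for example the function's own role
        names = req.get("names") or [req.get("name") or req.get("path") or "unknown"]
        for name in names:
            hits[name].add(principal)
    return {name: sorted(who) for name, who in hits.items()}

# Constructed principals (placeholder account ID and names).
ROLE = "arn:aws-cn:sts::111122223333:assumed-role/example-lambda-role/"
ALICE = "arn:aws-cn:iam::111122223333:user/alice"

def ev(name, arn, params, source="ssm.amazonaws.com", error=None):
    """Build one constructed CloudTrail-style record."""
    rec = {"eventSource": source, "eventName": name,
           "userIdentity": {"arn": arn}, "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec

SAMPLE_EVENTS = [  # constructed, not real log data
    ev("GetParameters", ROLE + "fn", {"names": ["LambdaSecureString"], "withDecryption": True}),
    ev("GetParameter", ALICE, {"name": "LambdaSecureString", "withDecryption": True}),
    ev("GetParameter", ALICE, {"name": "LambdaSecureString", "withDecryption": False}),
    ev("GetParameter", ALICE, {"name": "OtherSecret", "withDecryption": True}, error="AccessDenied"),
    ev("Decrypt", ALICE, {}, source="kms.amazonaws.com"),
]

if __name__ == "__main__":
    print(decrypted_reads(SAMPLE_EVENTS, [ROLE]))
```
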

**Amazon KMS encryption and pricing**  
If you choose the `SecureString` parameter type when you create your parameter, Systems Manager uses Amazon KMS to encrypt the parameter value.

**Important**  
Parameter Store only supports [symmetric encryption KMS keys](https://docs.amazonaws.cn/kms/latest/developerguide/symm-asymm-choose-key-spec.html#symmetric-cmks). You can't use an [asymmetric encryption KMS key](https://docs.amazonaws.cn/kms/latest/developerguide/symmetric-asymmetric.html) to encrypt your parameters. For help determining whether a KMS key is symmetric or asymmetric, see [Identifying symmetric and asymmetric KMS keys](https://docs.amazonaws.cn/kms/latest/developerguide/find-symm-asymm.html) in the *Amazon Key Management Service Developer Guide*.

There is no charge from Parameter Store to create a `SecureString` parameter, but charges for use of Amazon KMS encryption do apply. For information, see [Amazon Key Management Service pricing](https://www.amazonaws.cn/kms/pricing).

For more information about Amazon managed keys and customer managed keys, see [Amazon Key Management Service Concepts](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html) in the *Amazon Key Management Service Developer Guide*. For more information about Parameter Store and Amazon KMS encryption, see [How Amazon Systems Manager Parameter Store Uses Amazon KMS](https://docs.amazonaws.cn/kms/latest/developerguide/services-parameter-store.html).

**Note**  
To view an Amazon managed key, use the Amazon KMS `DescribeKey` operation. This Amazon Command Line Interface (Amazon CLI) example uses `DescribeKey` to view an Amazon managed key.  

```
aws kms describe-key --key-id alias/aws/ssm
```

**More info**  
+ [Creating a SecureString parameter in Parameter Store and joining a node to a Domain (PowerShell)](sysman-param-securestring-walkthrough.md)
+ [Use Parameter Store to Securely Access Secrets and Config Data in CodeDeploy](https://amazonaws-china.com/blogs/mt/use-parameter-store-to-securely-access-secrets-and-config-data-in-aws-codedeploy/)
+ [Interesting Articles on Amazon EC2 Systems Manager Parameter Store](https://amazonaws-china.com/blogs/mt/interesting-articles-on-ec2-systems-manager-parameter-store/)

## Parameter size limits
<a name="parameter-size-limits"></a>

Parameter Store has different size limits for parameter values depending on the parameter tier you use:
+ **Standard parameters**: Maximum value size of 4 KB
+ **Advanced parameters**: Maximum value size of 8 KB

If you need to store parameter values larger than 4 KB, you must use the advanced parameter tier. Advanced parameters provide additional capabilities but incur charges on your Amazon account. For more information about parameter tiers and their features, see [Managing parameter tiers](parameter-store-advanced-parameters.md).

For a complete list of Parameter Store quotas and limits, see [Amazon Systems Manager endpoints and quotas](https://docs.amazonaws.cn/general/latest/gr/ssm.html#parameter-store) in the *Amazon General Reference*.