• The AWS Systems Manager CloudWatch Dashboard will no longer be available after April 30, 2026. Customers can continue to use Amazon CloudWatch console to view, create, and manage their Amazon CloudWatch dashboards, just as they do today. For more information, see [Amazon CloudWatch Dashboard documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html). # Setting up Parameter Store Before setting up parameters in Parameter Store, a tool in AWS Systems Manager, first configure AWS Identity and Access Management (IAM) policies that provide users in your account with permission to perform the actions you specify. This section includes information about how to manually configure these policies using the IAM console, and how to assign them to users and user groups. You can also create and assign policies to control which parameter actions can be run on a managed node. This section also includes information about how to create Amazon EventBridge rules that let you receive notifications about changes to Systems Manager parameters. You can also use EventBridge rules to invoke other actions in AWS based on changes in Parameter Store. **Topics** + [ # Restricting access to Parameter Store parameters using IAM policies ](sysman-paramstore-access.md) + [ # Managing parameter tiers ](parameter-store-advanced-parameters.md) + [ # Increasing or resetting Parameter Store throughput ](parameter-store-throughput.md) + [ # Setting up notifications or triggering actions based on Parameter Store events ](sysman-paramstore-cwe.md) # Restricting access to Parameter Store parameters using IAM policies You restrict access to AWS Systems Manager parameters by using AWS Identity and Access Management (IAM). More specifically, you create IAM policies that restrict access to the following API operations: + [DeleteParameter](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DeleteParameter.html) + [DeleteParameters](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DeleteParameters.html) + [DescribeParameters](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribeParameters.html) + [GetParameter](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html) + [GetParameters](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameters.html) + [GetParameterHistory](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameterHistory.html) + [GetParametersByPath](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParametersByPath.html) + [PutParameter](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PutParameter.html) When using IAM policies to restrict access to Systems Manager parameters, we recommend that you create and use *restrictive* IAM policies. For example, the following policy allows a user to call the `DescribeParameters` and `GetParameters` API operations for a limited set of resources. This means that the user can get information about and use all parameters that begin with `prod-*`. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:DescribeParameters" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:GetParameters" ], "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/prod-*" } ] } ``` ------ **Important** If a user has access to a path, then the user can access all levels of that path. For example, if a user has permission to access path `/a`, then the user can also access `/a/b`. Even if a user has explicitly been denied access in IAM for parameter `/a/b`, they can still call the `GetParametersByPath` API operation recursively for `/a` and view `/a/b`. For trusted administrators, you can provide access to all Systems Manager parameter API operations by using a policy similar to the following example. This policy gives the user full access to all production parameters that begin with `dbserver-prod-*`. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:PutParameter", "ssm:DeleteParameter", "ssm:GetParameterHistory", "ssm:GetParametersByPath", "ssm:GetParameters", "ssm:GetParameter", "ssm:DeleteParameters" ], "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/dbserver-prod-*" }, { "Effect": "Allow", "Action": "ssm:DescribeParameters", "Resource": "*" } ] } ``` ------ ## Denying permissions Each API is unique and has distinct operations and permissions that you can allow or deny individually. An explicit deny in any policy overrides the allow. **Note** The default AWS Key Management Service (AWS KMS) key has `Decrypt` permission for all IAM principals within the AWS account. If you want to have different access levels to `SecureString` parameters in your account, we don't recommend that you use the default key. If you want all API operations retrieving parameter values to have the same behavior, then you can use a pattern like `GetParameter*` in a policy. The following example shows how to deny `GetParameter`, `GetParameters`, `GetParameterHistory`, and `GetParametersByPath` for all parameters beginning with `prod-*`. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "ssm:GetParameter*" ], "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/prod-*" } ] } ``` ------ The following example shows how to deny some commands while allowing the user to perform other commands on all parameters that begin with `prod-*`. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "ssm:PutParameter", "ssm:DeleteParameter", "ssm:DeleteParameters", "ssm:DescribeParameters" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:GetParametersByPath", "ssm:GetParameters", "ssm:GetParameter", "ssm:GetParameterHistory" ], "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/prod-*" } ] } ``` ------ **Note** The parameter history includes all parameter versions, including the current one. Therefore, if a user is denied permission for `GetParameter`, `GetParameters`, and `GetParameterByPath` but is allowed permission for `GetParameterHistory`, they can see the current parameter, including `SecureString` parameters, using `GetParameterHistory`. ## Allowing only specific parameters to run on nodes You can control access so that managed nodes can run only parameters that you specify. If you choose the `SecureString` parameter type when you create your parameter, Systems Manager uses AWS KMS to encrypt the parameter value. AWS KMS encrypts the value by using either an AWS managed key or a customer managed key. For more information about AWS KMS and AWS KMS key, see the *[AWS Key Management Service Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/)*. You can view the AWS managed key by running the following command from the AWS CLI. ``` aws kms describe-key --key-id alias/aws/ssm ``` The following example allows nodes to get a parameter value only for parameters that begin with `prod-`. If the parameter is a `SecureString` parameter, then the node decrypts the string using AWS KMS. **Note** Instance policies, like in the following example, are assigned to the instance role in IAM. For more information about configuring access to Systems Manager features, including how to assign policies to users and instances, see [Managing EC2 instances with Systems Manager](systems-manager-setting-up-ec2.md). ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:GetParameters" ], "Resource": [ "arn:aws:ssm:us-east-1:111122223333:parameter/prod-*" ] }, { "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": [ "arn:aws:kms:us-east-1:111122223333:key/4914ec06-e888-4ea5-a371-5b88eEXAMPLE" ] } ] } ``` ------ ## IAM permissions for using AWS default keys and customer managed keys Parameter Store `SecureString` parameters are encrypted and decrypted using AWS KMS keys. You can choose to encrypt your `SecureString` parameters using either an AWS KMS key or the default KMS key provided by AWS. When using a customer managed key, the IAM policy that grants a user access to a parameter or parameter path must provide explicit `kms:Encrypt` permissions for the key. For example, the following policy allows a user to create, update, and view `SecureString` parameters that begin with `prod-` in the specified AWS Region and AWS account. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:PutParameter", "ssm:GetParameter", "ssm:GetParameters" ], "Resource": [ "arn:aws:ssm:us-east-1:111122223333:parameter/prod-*" ] }, { "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey" ], "Resource": [ "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-12345EXAMPLE" ] } ] } ``` ------ **Note** The `kms:GenerateDataKey` permission is required for creating encrypted advanced parameters using the specified customer managed key. By contrast, all users within the customer account have access to the default AWS managed key. If you use this default key to encrypt `SecureString` parameters and don't want users to work with `SecureString` parameters, their IAM policies must explicitly deny access to the default key, as demonstrated in the following policy example. **Note** You can locate the Amazon Resource Name (ARN) of the default key in the AWS KMS console on the [AWS managed keys](https://console.aws.amazon.com/kms/home#/kms/defaultKeys) page. The default key is identified with `aws/ssm` in the **Alias** column. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": [ "arn:aws:kms:us-east-1:111122223333:key/abcd1234-ab12-cd34-ef56-abcdeEXAMPLE" ] } ] } ``` ------ If you require fine-grained access control over the `SecureString` parameters in your account, you should use a customer managed key to protect and restrict access to these parameters. We also recommend using AWS CloudTrail to monitor `SecureString` parameter activities. For more information, see the following topics: + [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide* + [Using key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) in the *AWS Key Management Service Developer Guide* + [Viewing events with CloudTrail Event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html) in the *AWS CloudTrail User Guide* # Managing parameter tiers Parameter Store, a tool in AWS Systems Manager, includes *standard parameters * and *advanced parameters*. You individually configure parameters to use either the standard-parameter tier (the default tier) or the advanced-parameter tier. You can change a standard parameter to an advanced parameter at any time, but you can’t revert an advanced parameter to a standard parameter. This is because reverting an advanced parameter to a standard parameter would cause the system to truncate the size of the parameter from 8 KB to 4 KB, resulting in data loss. Reverting would also remove any policies attached to the parameter. Also, advanced parameters use a different form of encryption than standard parameters. For more information, see [How AWS Systems Manager Parameter Store uses AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html) in the *AWS Key Management Service Developer Guide*. If you no longer need an advanced parameter, or if you no longer want to incur charges for an advanced parameter, delete it and recreate it as a new standard parameter. The following table describes the differences between the tiers. **** | | Standard | Advanced | | --- | --- | --- | | Total number of parameters allowed (per AWS account and AWS Region) | 10,000 | 100,000 | | Maximum size of a parameter value | 4 KB | 8 KB | | Parameter policies available | No | Yes For more information, see [Assigning parameter policies in Parameter Store](parameter-store-policies.md). | | Cost | No additional charge | Charges apply For more information, see [AWS Systems Manager Pricing for Parameter Store](https://aws.amazon.com/systems-manager/pricing/#Parameter_Store). | **Topics** + [ ## Specifying a default parameter tier ](#ps-default-tier) + [ ## Changing a standard parameter to an advanced parameter ](#parameter-store-advanced-parameters-enabling) ## Specifying a default parameter tier In requests to create or update a parameter (that is, the `[https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PutParameter.html](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PutParameter.html)` operation), you can specify the parameter tier to use in the request. The following is an example, using the AWS Command Line Interface (AWS CLI). ------ #### [ Linux & macOS ] ``` aws ssm put-parameter \ --name "default-ami" \ --type "String" \ --value "t2.micro" \ --tier "Standard" ``` ------ #### [ Windows ] ``` aws ssm put-parameter ^ --name "default-ami" ^ --type "String" ^ --value "t2.micro" ^ --tier "Standard" ``` ------ Whenever you specify a tier in the request, Parameter Store creates or updates the parameter according to your request. However, if you don't explicitly specify a tier in a request, the Parameter Store default tier setting determines which tier the parameter is created in. The default tier when you begin using Parameter Store is the standard-parameter tier. If you use the advanced-parameter tier, you can specify one of the following as the default: + **Advanced**: With this option, Parameter Store evaluates all requests as advanced parameters. + **Intelligent-Tiering**: With this option, Parameter Store evaluates each request to determine if the parameter is standard or advanced. If the request doesn't include any options that require an advanced parameter, the parameter is created in the standard-parameter tier. If one or more options requiring an advanced parameter are included in the request, Parameter Store creates a parameter in the advanced-parameter tier. **Benefits of Intelligent-Tiering** The following are reasons you might choose Intelligent-Tiering as the default tier. **Cost control** – Intelligent-Tiering helps control your parameter-related costs by always creating standard parameters unless an advanced parameter is absolutely necessary. **Automatic upgrade to the advanced-parameter tier** – When you make a change to your code that requires upgrading a standard parameter to an advanced parameter, Intelligent-Tiering handles the conversion for you. You don't need to change your code to handle the upgrade. Here are some examples of automatic upgrades: + Your AWS CloudFormation templates provision numerous parameters when they're run. When this process causes you to reach the 10,000 parameter quota in the standard-parameter tier, Intelligent-Tiering automatically upgrades you to the advanced-parameter tier, and your CloudFormation processes aren't interrupted. + You store a certificate value in a parameter, rotate the certificate value regularly, and the content is less than the 4 KB quota of the standard-parameter tier. If a replacement certificate value exceeds 4 KB, Intelligent-Tiering automatically upgrades the parameter to the advanced-parameter tier. + You want to associate numerous existing standard parameters to a parameter policy, which requires the advanced-parameter tier. Instead of your having to include the option `--tier Advanced` in all the calls to update the parameters, Intelligent-Tiering automatically upgrades the parameters to the advanced-parameter tier. The Intelligent-Tiering option upgrades parameters from standard to advanced whenever criteria for the advanced-parameter tier are introduced. Options that require an advanced parameter include the following: + The content size of the parameter is more than 4 KB. + The parameter uses a parameter policy. + More than 10,000 parameters already exist in your AWS account in the current AWS Region. **Default Tier Options** The tier options you can specify as the default include the following. + **Standard** – The standard-parameter tier is the default tier when you begin to use Parameter Store. Using the standard-parameter tier, you can create 10,000 parameters for each AWS Region in an AWS account. The content size of each parameter can equal a maximum of 4 KB. Standard parameters don't support parameter policies. There is no additional charge to use the standard-parameter tier. Choosing **Standard** as the default tier means that Parameter Store always attempts to create a standard parameter for requests that don't specify a tier. + **Advanced** – Use the advanced-parameter tier to create a maximum of 100,000 parameters for each AWS Region in an AWS account. The content size of each parameter can equal a maximum of 8 KB. Advanced parameters support parameter policies. To share a parameter, it must be in the advanced parameter tier. There is a charge to use the advanced-parameter tier. For more information, see [AWS Systems Manager Pricing for Parameter Store](https://aws.amazon.com/systems-manager/pricing/#Parameter_Store). Choosing **Advanced** as the default tier means that Parameter Store always attempts to create an advanced parameter for requests that don't specify a tier. **Note** When you choose the advanced-parameter tier, explicitly authorize AWS to charge your account for any advanced parameters you create. + **Intelligent-Tiering **– With the Intelligent-Tiering option, Parameter Store determines whether to use the standard-parameter tier or advanced-parameter tier based on the content of the request. For example, if you run a command to create a parameter with content under 4 KB, and there are fewer than 10,000 parameters in the current AWS Region in your AWS account, and you don't specify a parameter policy, a standard parameter is created. If you run a command to create a parameter with more than 4 KB of content, you already have more than 10,000 parameters in the current AWS Region in your AWS account, or you specify a parameter policy, an advanced parameter is created. **Note** When you choose Intelligent-Tiering, explicitly authorize AWS to charge your account for any advanced parameters you created. You can change the Parameter Store default tier setting at any time. ### Configuring permissions to specify a Parameter Store default tier Verify that you have permission in AWS Identity and Access Management (IAM) to change the default parameter tier in Parameter Store by doing one of the following: + Make sure that you attach the `AdministratorAccess` policy to your IAM entity (such as user, group, or role). + Make sure that you have permission to change the default tier setting by using the following API operations: + [GetServiceSetting](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetServiceSetting.html) + [UpdateServiceSetting](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_UpdateServiceSetting.html) + [ResetServiceSetting](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_ResetServiceSetting.html) Grant the following permissions to the IAM entity to allow a user to view and change the default tier setting for parameters in a specific AWS Region in an AWS account. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:GetServiceSetting" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:UpdateServiceSetting" ], "Resource": "arn:aws:ssm:us-east-1:111122223333:servicesetting/ssm/parameter-store/default-parameter-tier" } ] } ``` ------ Administrators can specify read-only permission by assigning the following permissions. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:GetServiceSetting" ], "Resource": "*" }, { "Effect": "Deny", "Action": [ "ssm:ResetServiceSetting", "ssm:UpdateServiceSetting" ], "Resource": "*" } ] } ``` ------ To provide access, add permissions to your users, groups, or roles: + Users and groups in AWS IAM Identity Center: Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*. + Users managed in IAM through an identity provider: Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*. + IAM users: + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*. + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*. ### Specifying or changing the Parameter Store default tier using the console The following procedure shows how to use the Systems Manager console to specify or change the default parameter tier for the current AWS account and AWS Region. **Tip** If you haven't created a parameter yet, you can use the AWS Command Line Interface (AWS CLI) or AWS Tools for Windows PowerShell to change the default parameter tier. For information, see [Specifying or changing the Parameter Store default tier using the AWS CLI](#parameter-store-tier-changing-cli) and [Specifying or changing the Parameter Store default tier (PowerShell)](#parameter-store-tier-changing-ps). **To specify or change the Parameter Store default tier** 1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/). 1. In the navigation pane, choose **Parameter Store**. 1. Choose the **Settings** tab. 1. Choose **Change default tier**. 1. Choose one of the following options. + **Standard** + **Advanced** + **Intelligent-Tiering** For information about these options, see [Specifying a default parameter tier](#ps-default-tier). 1. Review the message, and choose **Confirm**. If you want to change the default tier setting later, repeat this procedure and specify a different default tier option. ### Specifying or changing the Parameter Store default tier using the AWS CLI The following procedure shows how to use the AWS CLI to change the default parameter tier setting for the current AWS account and AWS Region. **To specify or change the Parameter Store default tier using the AWS CLI** 1. Open the AWS CLI and run the following command to change the default parameter tier setting for a specific AWS Region in an AWS account. ``` aws ssm update-service-setting --setting-id arn:aws:ssm:region:account-id:servicesetting/ssm/parameter-store/default-parameter-tier --setting-value tier-option ``` *region* represents the identifier for an AWS Region supported by AWS Systems Manager, such as `us-east-2` for the US East (Ohio) Region. For a list of supported *region* values, see the **Region** column in [Systems Manager service endpoints](https://docs.aws.amazon.com/general/latest/gr/ssm.html#ssm_region) in the *Amazon Web Services General Reference*. *tier-option* values include `Standard`, `Advanced`, and `Intelligent-Tiering`. For information about these options, see [Specifying a default parameter tier](#ps-default-tier). There is no output if the command succeeds. 1. Run the following command to view the current default parameter tier service settings for Parameter Store in the current AWS account and AWS Region. ``` aws ssm get-service-setting --setting-id arn:aws:ssm:region:account-id:servicesetting/ssm/parameter-store/default-parameter-tier ``` The system returns information similar to the following. ``` { "ServiceSetting": { "SettingId": "/ssm/parameter-store/default-parameter-tier", "SettingValue": "Advanced", "LastModifiedDate": 1556551683.923, "LastModifiedUser": "arn:aws:sts::123456789012:assumed-role/Administrator/Jasper", "ARN": "arn:aws:ssm:us-east-2:123456789012:servicesetting/ssm/parameter-store/default-parameter-tier", "Status": "Customized" } } ``` If you want to change the default tier setting again, repeat this procedure and specify a different `SettingValue` option. ### Specifying or changing the Parameter Store default tier (PowerShell) The following procedure shows how to use the Tools for Windows PowerShell to change the default parameter tier setting for a specific AWS Region in an Amazon Web Services account. **To specify or change the Parameter Store default tier using PowerShell** 1. Change the Parameter Store default tier in the current AWS account and AWS Region using the AWS Tools for PowerShell (Tools for PowerShell). ``` Update-SSMServiceSetting -SettingId "arn:aws:ssm:region:account-id:servicesetting/ssm/parameter-store/default-parameter-tier" -SettingValue "tier-option" -Region region ``` *region* represents the identifier for an AWS Region supported by AWS Systems Manager, such as `us-east-2` for the US East (Ohio) Region. For a list of supported *region* values, see the **Region** column in [Systems Manager service endpoints](https://docs.aws.amazon.com/general/latest/gr/ssm.html#ssm_region) in the *Amazon Web Services General Reference*. *tier-option* values include `Standard`, `Advanced`, and `Intelligent-Tiering`. For information about these options, see [Specifying a default parameter tier](#ps-default-tier). There is no output if the command succeeds. 1. Run the following command to view the current default parameter tier service settings for Parameter Store in the current AWS account and AWS Region. ``` Get-SSMServiceSetting -SettingId "arn:aws:ssm:region:account-id:servicesetting/ssm/parameter-store/default-parameter-tier" -Region region ``` *region* represents the identifier for an AWS Region supported by AWS Systems Manager, such as `us-east-2` for the US East (Ohio) Region. For a list of supported *region* values, see the **Region** column in [Systems Manager service endpoints](https://docs.aws.amazon.com/general/latest/gr/ssm.html#ssm_region) in the *Amazon Web Services General Reference*. The system returns information similar to the following. ``` ARN : arn:aws:ssm:us-east-2:123456789012:servicesetting/ssm/parameter-store/default-parameter-tier LastModifiedDate : 4/29/2019 3:35:44 PM LastModifiedUser : arn:aws:sts::123456789012:assumed-role/Administrator/Jasper SettingId : /ssm/parameter-store/default-parameter-tier SettingValue : Advanced Status : Customized ``` If you want to change the default tier setting again, repeat this procedure and specify a different `SettingValue` option. ## Changing a standard parameter to an advanced parameter Use the following procedure to change an existing standard parameter to an advanced parameter. For information about how to create a new advanced parameter, see [Creating Parameter Store parameters in Systems Manager](sysman-paramstore-su-create.md). **To change a standard parameter to an advanced parameter** 1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/). 1. In the navigation pane, choose **Parameter Store**. 1. Choose a parameter, and then choose **Edit**. 1. For **Description**, enter information about this parameter. 1. Choose **Advanced**. 1. For **Value**, enter the value of this parameter. Advanced parameters have a maximum value limit of 8 KB. 1. Choose **Save changes**. # Increasing or resetting Parameter Store throughput Increasing Parameter Store throughput increases the maximum number of transactions per second (TPS) that Parameter Store, a tool in AWS Systems Manager, can process. Increased throughput allows you to operate Parameter Store at higher volumes to support applications and workloads that need concurrent access to multiple parameters. You can increase the quota up to the max throughput on the **Settings** tab. The Parameter Store throughput setting applies to all transactions created by all IAM users in the current AWS account and AWS Region. The throughput setting applies to standard and advanced parameters. **Note** Typically, updates are immediately visible in Service Quotas. In rare cases, it can take up to 24 hours for an update to be reflected. For more information about max throughput default and maximum limits, see [AWS Systems Manager endpoints and quotas](https://docs.aws.amazon.com//general/latest/gr/ssm.html#limits_ssm). Increasing the throughput quota incurs a charge on your AWS account. For more information, see [AWS Systems Manager Pricing](https://aws.amazon.com/systems-manager/pricing/). **Topics** + [ ## Configuring permissions to change Parameter Store throughput ](#parameter-store-throughput-permissions) + [ ## Increasing or resetting throughput using the console ](#parameter-store-throughput-increasing) + [ ## Increasing or resetting throughput using the AWS CLI ](#parameter-store-throughput-increasing-cli) + [ ## Increasing or resetting throughput (PowerShell) ](#parameter-store-throughput-increasing-ps) ## Configuring permissions to change Parameter Store throughput Verify that you have permission in IAM to change Parameter Store throughput by doing one of the following: + Make sure that the `AdministratorAccess` policy is attached to your IAM entity (user, group, or role). + Make sure that you have permission to change the throughput service setting by using the following API operations: + [GetServiceSetting](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetServiceSetting.html) + [UpdateServiceSetting](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_UpdateServiceSetting.html) + [ResetServiceSetting](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_ResetServiceSetting.html) Grant the following permissions to the IAM entity to allow a user to view and change the parameter-throughput setting for parameters in a specific AWS Region in an AWS account. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:GetServiceSetting" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:UpdateServiceSetting" ], "Resource": "arn:aws:ssm:us-east-1:111122223333:servicesetting/ssm/parameter-store/high-throughput-enabled" } ] } ``` ------ Administrators can specify read-only permission by assigning the following permissions. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:GetServiceSetting" ], "Resource": "*" }, { "Effect": "Deny", "Action": [ "ssm:ResetServiceSetting", "ssm:UpdateServiceSetting" ], "Resource": "*" } ] } ``` ------ To provide access, add permissions to your users, groups, or roles: + Users and groups in AWS IAM Identity Center: Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*. + Users managed in IAM through an identity provider: Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*. + IAM users: + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*. + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*. ## Increasing or resetting throughput using the console The following procedure shows how to use the Systems Manager console to increase the number of transactions per second that Parameter Store can process for the current AWS account and AWS Region. It also shows how to revert to the standard settings if you no longer need increased throughput or no longer want to incur charges. **To increase or reset Parameter Store throughput using the console** **Tip** If you haven't created a parameter yet, you can use the AWS Command Line Interface (AWS CLI) or AWS Tools for Windows PowerShell to increase throughput. For information, see [Increasing or resetting throughput using the AWS CLI](#parameter-store-throughput-increasing-cli) and [Increasing or resetting throughput (PowerShell)](#parameter-store-throughput-increasing-ps). 1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/). 1. In the navigation pane, choose **Parameter Store**. 1. Choose the **Settings** tab. 1. To increase throughput, choose **Set limit**. -or- To revert to the default limit, choose **Reset limit**. 1. If you are increasing the limit, do the following: + Select the check box for **I accept that changing this setting incurs charges on my AWS account**. + Choose **Set limit**. -or- If you are resetting the limit to the default, do the following: + Select the check box for **I accept that resetting to the default throughput limit causes Parameter Store to process fewer transactions per second**. + Choose **Reset limit**. ## Increasing or resetting throughput using the AWS CLI The following procedure shows how to use the AWS CLI to increase the number of transactions per second that Parameter Store can process for the current AWS account and AWS Region. You can also revert to the default limit. **To increase Parameter Store throughput using the AWS CLI** 1. Open the AWS CLI and run the following command to increase the transactions per second that Parameter Store can process in the current AWS account and AWS Region. ``` aws ssm update-service-setting --setting-id arn:aws:ssm:region:account-id:servicesetting/ssm/parameter-store/high-throughput-enabled --setting-value true ``` There is no output if the command succeeds. 1. Run the following command to view the current throughput service settings for Parameter Store in the current AWS account and AWS Region. ``` aws ssm get-service-setting --setting-id arn:aws:ssm:region:account-id:servicesetting/ssm/parameter-store/high-throughput-enabled ``` The system returns information similar to the following: ``` { "ServiceSetting": { "SettingId": "/ssm/parameter-store/high-throughput-enabled", "SettingValue": "true", "LastModifiedDate": 1556551683.923, "LastModifiedUser": "arn:aws:sts::123456789012:assumed-role/Administrator/Jasper", "ARN": "arn:aws:ssm:us-east-2:123456789012:servicesetting/ssm/parameter-store/high-throughput-enabled", "Status": "Customized" } } ``` If you no longer need increased throughput, or if you no longer want to incur charges, you can revert to the standard settings. To revert your settings, run the following command. ``` aws ssm reset-service-setting --setting-id arn:aws:ssm:region:account-id:servicesetting/ssm/parameter-store/high-throughput-enabled ``` ``` { "ServiceSetting": { "SettingId": "/ssm/parameter-store/high-throughput-enabled", "SettingValue": "false", "LastModifiedDate": 1555532818.578, "LastModifiedUser": "System", "ARN": "arn:aws:ssm:us-east-2:123456789012:servicesetting/ssm/parameter-store/high-throughput-enabled", "Status": "Default" } } ``` ## Increasing or resetting throughput (PowerShell) The following procedure shows how to use the Tools for Windows PowerShell to increase the number of transactions per second that Parameter Store can process for the current AWS account and AWS Region. You can also revert to the default limit. **To increase Parameter Store throughput using PowerShell** 1. Increase Parameter Store throughput in the current AWS account and AWS Region using the AWS Tools for PowerShell (Tools for PowerShell). ``` Update-SSMServiceSetting -SettingId "arn:aws:ssm:region:account-id:servicesetting/ssm/parameter-store/high-throughput-enabled" -SettingValue "true" -Region region ``` There is no output if the command succeeds. 1. Run the following command to view the current throughput service settings for Parameter Store in the current AWS account and AWS Region. ``` Get-SSMServiceSetting -SettingId "arn:aws:ssm:region:account-id:servicesetting/ssm/parameter-store/high-throughput-enabled" -Region region ``` The systems returns information similar to the following: ``` ARN : arn:aws:ssm:us-east-2:123456789012:servicesetting/ssm/parameter-store/high-throughput-enabled LastModifiedDate : 4/29/2019 3:35:44 PM LastModifiedUser : arn:aws:sts::123456789012:assumed-role/Administrator/Jasper SettingId : /ssm/parameter-store/high-throughput-enabled SettingValue : true Status : Customized ``` If you no longer need increased throughput, or if you no longer want to incur charges, you can revert to the standard settings. To revert your settings, run the following command. ``` Reset-SSMServiceSetting -SettingId "arn:aws:ssm:region:account-id:servicesetting/ssm/parameter-store/high-throughput-enabled" -Region region ``` The system returns information similar to the following: ``` ARN : arn:aws:ssm:us-east-2:123456789012:servicesetting/ssm/parameter-store/high-throughput-enabled LastModifiedDate : 4/17/2019 8:26:58 PM LastModifiedUser : System SettingId : /ssm/parameter-store/high-throughput-enabled SettingValue : false Status : Default ``` # Setting up notifications or triggering actions based on Parameter Store events Setting up notifications or triggering actions based on Parameter Store events The topics in this section explain how to use Amazon EventBridge and Amazon Simple Notification Service (Amazon SNS) to notify you about changes to AWS Systems Manager parameters. You can create an EventBridge rule to notify you when a parameter or a parameter label version is created, updated, or deleted. Events are emitted on a best effort basis. You can be notified about changes or status related to parameter policies, such as when a parameter expires, is going to expire, or hasn't changed for a specified period of time. **Note** Parameter policies are available for parameters that use the advanced parameters tier. Charges apply. For more information, see [Assigning parameter policies in Parameter Store](parameter-store-policies.md) and [Managing parameter tiers](parameter-store-advanced-parameters.md). The topics in this section also explain how to initiate other actions on a target for specific parameter events. For example, you can run an AWS Lambda function to recreate a parameter automatically when it expires or is deleted. You can set up a notification to invoke a Lambda function when your database password is updated. The Lambda function can force your database connections to reset or reconnect with the new password. EventBridge also supports running Run Command commands and Automation executions, and actions in many other AWS services. Run Command and Automation are both tools in AWS Systems Manager. For more information, see the *[Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/)*. **Before You Begin** Create any resources you need to specify the target action for the rule you create. For example, if the rule you create is for sending a notification, first create an Amazon SNS topic. For more information, see [Getting started with Amazon SNS](https://docs.aws.amazon.com/sns/latest/dg/sns-getting-started.htmlGettingStarted.html) in the *Amazon Simple Notification Service Developer Guide*. ## Configuring EventBridge rules for parameters and parameter policies This topic explains the following: + How to create an EventBridge rule that invokes a target based on events that happen to one or more parameters in your AWS account. + How to create EventBridge rules that invoke targets based on events that happen to one or more parameter policies in your AWS account. When you create an advanced parameter, you specify when a parameter expires, when to receive notification before a parameter expires, and how long to wait before notification should be sent that a parameter hasn't changed. You set up notification for these events using the following procedure. For more information, see [Assigning parameter policies in Parameter Store](parameter-store-policies.md) and [Managing parameter tiers](parameter-store-advanced-parameters.md). **To configure an EventBridge rule for a Systems Manager parameter or parameter policy** 1. Open the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/). 1. In the navigation pane, choose **Rules**, and then choose **Create rule**. -or- If the EventBridge home page opens first, choose **Create rule**. 1. Enter a name and description for the rule. A rule can't have the same name as another rule in the same Region and on the same event bus. 1. For **Event bus**, choose the event bus that you want to associate with this rule. If you want this rule to initiate on matching events that come from your own AWS account, select **default **. When an AWS service in your account emits an event, it always goes to your account’s default event bus. 1. For **Rule type**, leave the default **Rule with an event pattern** selected. 1. Choose **Next**. 1. For **Event source**, leave the default **AWS events or EventBridge partner events** selected. You can skip the **Sample event** section. 1. For **Event pattern**, do the following: + Choose **Custom patterns (JSON editor)**. + For **Event pattern**, paste one of the following content in the box, depending on whether you are creating a rule for a parameter or a parameter policy: ------ #### [ Parameter ] ``` { "source": [ "aws.ssm" ], "detail-type": [ "Parameter Store Change" ], "detail": { "name": [ "parameter-1-name", "/parameter-2-name/level-2", "/parameter-3-name/level-2/level-3" ], "operation": [ "Create", "Update", "Delete", "LabelParameterVersion" ] } } ``` ------ #### [ Parameter policy ] ``` { "source": [ "aws.ssm" ], "detail-type": [ "Parameter Store Policy Action" ], "detail": { "parameter-name": [ "parameter-1-name", "/parameter-2-name/level-2", "/parameter-3-name/level-2/level-3" ], "policy-type": [ "Expiration", "ExpirationNotification", "NoChangeNotification" ] } } ``` ------ + Modify the contents for the parameters and the operations you want to act on, as shown in the following samples. ------ #### [ Parameter ] With this example, an action is taken when either of the parameters named /`Oncall` and `/Project/Teamlead` are updated: ``` { "source": [ "aws.ssm" ], "detail-type": [ "Parameter Store Change" ], "detail": { "name": [ "/Oncall", "/Project/Teamlead" ], "operation": [ "Update" ] } } ``` ------ #### [ Parameter policy ] With this example, an action is taken whenever the parameter named /`OncallDuties` expires and is deleted: ``` { "source": [ "aws.ssm" ], "detail-type": [ "Parameter Store Policy Action" ], "detail": { "parameter-name": [ "/OncallDuties" ], "policy-type": [ "Expiration" ] } } ``` ------ 1. Choose **Next**. 1. For **Target 1**, choose a target type and a supported resource. For example, if you choose **SNS topic**, make a selection for **Topic**. If you choose **CodePipeline**, enter a pipeline ARN for **Pipeline ARN**. Provide additional configuration values as required. **Tip** Choose **Add another target** if you require additional targets for the rule. 1. Choose **Next**. 1. (Optional) Enter one or more tags for the rule. For more information, see [Amazon EventBridge tags](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-tagging.html) in the *Amazon EventBridge User Guide*. 1. Choose **Next**. 1. Choose **Create rule**. **More info** + [Use parameter labels for easy configuration update across environments](https://aws.amazon.com/blogs/mt/use-parameter-labels-for-easy-configuration-update-across-environments/) + [Tutorial: Use EventBridge to relay events to AWS Systems Manager  Run Command](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-ec2-run-command.html) in the *Amazon EventBridge User Guide* + [Tutorial: Set AWS Systems Manager Automation as an EventBridge target](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-ssm-automation-as-target.html) in the *Amazon EventBridge User Guide*