
Is it possible to use Parameter Store without configuring Systems Manager for the instances where it's used?

I recently looked into SSM but was put off because the docs[1] suggested that you add the managed AmazonEC2RoleforSSM policy to instances, which among other things gives them full read/write access to all S3 buckets. Edit: also discovered by others[2].

[1] http://docs.aws.amazon.com/systems-manager/latest/userguide/...

[2] http://www.daemonology.net/blog/2016-10-09-EC2s-most-dangero...



Yes, you can - it has a separate API with its own separate permissions. There's no need to use the full SSM to take advantage of Parameter Store.


Just revised a set of developer policies today. Most systems/users will only need a couple of permissions to leverage parameter store. And if you take the time to dig into the IAM permissions, it's quite impressive how granular you can get.

The policy I built today, for example, granted SSM:GetParameter* for parameters in the '/dev' or '/staging' path hierarchy. You won't find this fully documented at the moment, but you can separately manage encryption/decryption of secrets using conditions and kms:EncryptionContext, e.g.,

"Condition": { "StringLike": { "kms:EncryptionContext:PARAMETER_ARN": "arn:aws:ssm:<region>:<acct#>:parameter/dev*" } }

One point I will note in relation to other secret management schemes is that Parameter Store seems to use CMKs directly to encrypt parameters rather than relying on data keys and envelope encryption.

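As an added example (not code from the commenter above, from AWS, or from any project), here is the shape of such a policy written as a Python script that builds the JSON and includes a small allow-only evaluator so you can check which requests it admits before attaching it. Region, account and key ID are placeholders; the ssm:GetParameter* action family and the fact that Parameter Store sets the KMS encryption context key PARAMETER_ARN to the parameter's ARN are as AWS documents them. The hierarchy-scoped resource form for GetParametersByPath and the evaluator's semantics (no Deny, no NotAction/NotResource, StringLike only) are simplifying assumptions, not IAM itself.

```python
"""Scoped read-only Parameter Store policy plus a toy IAM evaluator.

Added example; not code from the thread or from AWS. Region, account and
key ID are placeholders to substitute.
"""
import fnmatch
import json

REGION = "<region>"        # placeholder
ACCOUNT = "<acct#>"        # placeholder
PARAM_ARN_PREFIX = f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter"
KMS_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/<key-id>"  # hypothetical CMK


def hierarchy_patterns(hierarchies):
    # '/dev/*' rather than '/dev*' so that '/development/...' does not also match.
    return [f"{PARAM_ARN_PREFIX}/{h}/*" for h in hierarchies]


def read_only_parameter_policy(hierarchies=("dev", "staging")):
    """IAM policy: read parameters (and decrypt SecureString values) only
    under the given path hierarchies. Parameter Store sets the KMS encryption
    context PARAMETER_ARN to the parameter's ARN, so the kms:Decrypt grant is
    tied to the same hierarchies instead of being key-wide."""
    patterns = hierarchy_patterns(hierarchies)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadParametersInHierarchy",
                "Effect": "Allow",
                "Action": ["ssm:GetParameter*"],
                "Resource": patterns,
            },
            {
                "Sid": "DecryptOnlyParametersInHierarchy",
                "Effect": "Allow",
                "Action": ["kms:Decrypt"],
                "Resource": [KMS_KEY_ARN],
                "Condition": {
                    "StringLike": {"kms:EncryptionContext:PARAMETER_ARN": patterns}
                },
            },
        ],
    }


def string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' one character."""
    return fnmatch.fnmatchcase(value, pattern)


def allows(policy, action, resource, context=None):
    """Toy allow-only evaluator (assumption: no Deny statements, no
    NotAction/NotResource, StringLike as the only condition operator).
    Action names are matched case-insensitively, as IAM does; ARNs and
    condition values case-sensitively."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(string_like(a.lower(), action.lower()) for a in stmt["Action"]):
            continue
        if not any(string_like(r, resource) for r in stmt["Resource"]):
            continue
        conds = stmt.get("Condition", {}).get("StringLike", {})
        # A condition key absent from the request context never matches.
        if all(any(string_like(p, context.get(key, "")) for p in vals)
               for key, vals in conds.items()):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(read_only_parameter_policy(), indent=2))
```

Two points worth checking with the evaluator: a bare kms:Decrypt call with no PARAMETER_ARN in the encryption context is refused, so the role cannot decrypt arbitrary ciphertexts under the same key, and a pattern ending in `parameter/dev*` also matches `parameter/development/...`, which is why the resource patterns above end in `/dev/*`.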

Yes, using AllowReadingSSMParameters and, eventually, the KMS key to encrypt/decrypt the parameter.


Some of Amazon's IAM examples are very permissive. Perhaps it's because of the need for brevity but a link to additional examples that are more comprehensive and secure would be great.


Works for me with instances having AmazonSSMReadOnlyAccess.



