AWS Security ChangesHomeSearch

AWS systems-manager documentation change

Service: systems-manager · 2026-05-10 · Documentation low

File: systems-manager/latest/userguide/systems-manager-parameter-store.md

Summary

Comprehensive restructuring of Parameter Store documentation including rewritten introduction, clarified use cases, expanded feature descriptions, added parameter tiers section, performance guidance, and retrieval methods.

Security assessment

Changes focus on general documentation improvements, use case clarifications, and feature enhancements without addressing specific vulnerabilities. Security mentions (like SecureString parameters) are existing features being relocated, not new security content or vulnerability fixes.

Diff

diff --git a/systems-manager/latest/userguide/systems-manager-parameter-store.md b/systems-manager/latest/userguide/systems-manager-parameter-store.md
index 91319d1d4..838c69ee0 100644
--- a//systems-manager/latest/userguide/systems-manager-parameter-store.md
+++ b//systems-manager/latest/userguide/systems-manager-parameter-store.md
@@ -7 +7 @@
-How can Parameter Store benefit my organization?Who should use Parameter Store?What are the features of Parameter Store?What is a parameter?Parameter size limits
+Parameter Store featuresParameter tiersPerformance and throughputHow to retrieve parameters
@@ -11 +11 @@ How can Parameter Store benefit my organization?Who should use Parameter Store?W
-Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values. You can store values as plain text or encrypted data. You can reference Systems Manager parameters in your scripts, commands, SSM documents, and configuration and automation workflows by using the unique name that you specified when you created the parameter. To get started with Parameter Store, open the [Systems Manager console](https://console.aws.amazon.com//systems-manager/parameters). In the navigation pane, choose **Parameter Store**.
+Parameter Store enables you to securely store, organize, and retrieve configuration simple configuration data at scale. It is designed to simplify configuration management across environments, allowing teams to standardize how applications access critical data without hardcoding values or relying on fragmented storage solutions.
@@ -13 +13 @@ Parameter Store provides secure, hierarchical storage for configuration data man
-Parameter Store is also integrated with Secrets Manager. You can retrieve Secrets Manager secrets when using other AWS services that already support references to Parameter Store parameters. For more information, see [Referencing AWS Secrets Manager secrets from Parameter Store parameters](./integration-ps-secretsmanager.html).
+Beyond simple storage, Parameter Store provides versioning, access control through AWS Identity and Access Management (IAM), and seamless integration with other AWS services such as Amazon EC2, Lambda, and CloudFormation. This enables dynamic configuration updates without requiring code changes or redeployments, improving operational agility and reducing risk. With features like hierarchical naming, parameter policies, and change tracking, Parameter Store helps teams maintain consistency, enforce governance, and build more secure and maintainable systems.
@@ -15,11 +15 @@ Parameter Store is also integrated with Secrets Manager. You can retrieve Secret
-###### Note
-
-To implement password rotation lifecycles, use AWS Secrets Manager. You can rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle using Secrets Manager. For more information, see [What is AWS Secrets Manager?](https://docs.aws.amazon.com//secretsmanager/latest/userguide/intro.html) in the _AWS Secrets Manager User Guide_.
-
-## How can Parameter Store benefit my organization?
-
-Parameter Store offers these benefits:
-
-  * Use a secure, scalable, hosted secrets management service with no servers to manage.
-
-  * Improve your security posture by separating your data from your code.
+Parameter Store supports `String`, `StringList`, and `SecureString` parameter types. `String` and `StringList` parameter values are stored as plain text. `SecureString` parameters encrypt values using AWS Key Management Service, making them a practical choice for lightweight encrypted configuration values that don't require rotation or other advanced secret lifecycle capabilities. For more information about parameter types, see [Understanding parameter types](./what-is-a-parameter.html)
@@ -27 +17 @@ Parameter Store offers these benefits:
-  * Store configuration data and encrypted strings in hierarchies and track versions.
+###### Note
@@ -29 +19 @@ Parameter Store offers these benefits:
-  * Control and audit access at granular levels.
+If you manage credentials that require automatic rotation, cross-account access, or fine-grained audit logging, we recommend using [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html). Secrets Manager is purpose-built for managing secrets such as database credentials, API keys, and supported third-party software-vended secrets. For more information, see [What is AWS Secrets Manager?](https://docs.aws.amazon.com//secretsmanager/latest/userguide/intro.html) in the _AWS Secrets Manager User Guide_.
@@ -31 +21 @@ Parameter Store offers these benefits:
-  * Store parameters reliably because Parameter Store is hosted in multiple Availability Zones in an AWS Region.
+Here are some examples of the types of configuration data you can store and manage in Parameter Store:
@@ -32,0 +23 @@ Parameter Store offers these benefits:
+  * **Database connection strings (non-rotating)** – jdbc:mysql://host:3306/appdb
@@ -33,0 +25 @@ Parameter Store offers these benefits:
+  * **Application environment variables** – ENV=production, LOG_LEVEL=debug
@@ -34,0 +27 @@ Parameter Store offers these benefits:
+  * **Service endpoint URLs** – internal microservice endpoints or third-party base URLs
@@ -36 +29 @@ Parameter Store offers these benefits:
-## Who should use Parameter Store?
+  * **Resource identifiers** – S3 bucket names, DynamoDB table names, ARNs
@@ -38 +31 @@ Parameter Store offers these benefits:
-  * Any AWS customer who wants to have a centralized way to manage configuration data.
+  * **Application tuning parameters** – cache TTLs, batch sizes, polling intervals
@@ -40 +32,0 @@ Parameter Store offers these benefits:
-  * Software developers who want to store different logins and reference streams.
@@ -42 +33,0 @@ Parameter Store offers these benefits:
-  * Administrators who want to receive notifications when their secrets and passwords are or aren't changed.
@@ -44,0 +36 @@ Parameter Store offers these benefits:
+###### Note
@@ -45,0 +38 @@ Parameter Store offers these benefits:
+We _don't_ recommend using Parameter Store for the following types of configuration data:
@@ -47 +40 @@ Parameter Store offers these benefits:
-## What are the features of Parameter Store?
+  * Feature flags
@@ -49 +42 @@ Parameter Store offers these benefits:
-  * **Change notification**
+  * Operational levers like timeouts
@@ -51 +44 @@ Parameter Store offers these benefits:
-You can configure change notifications and invoke automated actions for both parameters and parameter policies. For more information, see [Setting up notifications or triggering actions based on Parameter Store events](./sysman-paramstore-cwe.html).
+  * Allow lists and block lists
@@ -53 +46 @@ You can configure change notifications and invoke automated actions for both par
-  * **Organize parameters**
+  * Circuit breakers
@@ -55 +48 @@ You can configure change notifications and invoke automated actions for both par
-You can tag your parameters individually to help you identify one or more parameters based on the tags you've assigned to them. For example, you can tag parameters for specific environments or departments. 
+  * Dynamic configurations
@@ -57 +49,0 @@ You can tag your parameters individually to help you identify one or more parame
-  * **Label versions**
@@ -59 +50,0 @@ You can tag your parameters individually to help you identify one or more parame
-You can associate an alias for versions of your parameter by creating labels. Labels can help you remember the purpose of a parameter version when there are multiple versions. 
@@ -61 +51,0 @@ You can associate an alias for versions of your parameter by creating labels. La
-  * **Data validation**
@@ -63 +53 @@ You can associate an alias for versions of your parameter by creating labels. La
-You can create parameters that point to an Amazon Elastic Compute Cloud (Amazon EC2) instance and Parameter Store validates these parameters to make sure that it references expected resource type, that the resource exists, and that the customer has permission to use the resource. For example, you can create a parameter with Amazon Machine Image (AMI) ID as a value with `aws:ec2:image` data type, and Parameter Store performs an asynchronous validation operation to make sure that the parameter value meets the formatting requirements for an AMI ID, and that the specified AMI is available in your AWS account. 
+For these types of configuration data, use AWS AppConfig. For more information, see [What is AWS AppConfig?](https://docs.aws.amazon.com/appconfig/latest/userguide/what-is-appconfig.html).
@@ -65 +55 @@ You can create parameters that point to an Amazon Elastic Compute Cloud (Amazon
-  * **Reference secrets**
+## Parameter Store features
@@ -67 +57 @@ You can create parameters that point to an Amazon Elastic Compute Cloud (Amazon
-Parameter Store is integrated with AWS Secrets Manager so that you can retrieve Secrets Manager secrets when using other AWS services that already support references to Parameter Store parameters. 
+Parameter Store includes the following features for managing parameters:
@@ -71,29 +61 @@ Parameter Store is integrated with AWS Secrets Manager so that you can retrieve
-You can optionally centralize configuration data in a single AWS account and share parameters with other accounts that need to access them.
-
-  * **Accessible from other AWS services**
-
-You can use Parameter Store parameters with other Systems Manager tools and AWS services to retrieve secrets and configuration data from a central store. Parameters work with Systems Manager tools such as Run Command, Automation, and State Manager, tools in AWS Systems Manager. You can also reference parameters in a number of other AWS services, including the following:
-
-    * Amazon Elastic Compute Cloud (Amazon EC2)
-
-    * Amazon Elastic Container Service (Amazon ECS)
-
-    * AWS Secrets Manager
-
-    * AWS Lambda
-
-    * AWS CloudFormation
-
-    * AWS CodeBuild
-
-    * AWS CodePipeline
-
-    * AWS CodeDeploy
-
-  * **Integrate with other AWS services**
-
-Configure integration with the following AWS services for encryption, notification, monitoring, and auditing:
-
-    * AWS Key Management Service (AWS KMS)
-
-    * Amazon Simple Notification Service (Amazon SNS)
+Centralize configuration data in a single AWS account and share parameters with other accounts that need access. For more information, see [Working with shared parameters in Parameter Store](./parameter-store-shared-parameters.html).
@@ -101,5 +63 @@ Configure integration with the following AWS services for encryption, notificati
-    * Amazon CloudWatch: For more information, see [Configuring EventBridge rules for parameters and parameter policies](./sysman-paramstore-cwe.html#cwe-parameter-changes). 
-
-    * Amazon EventBridge: For more information, see [Monitoring Systems Manager status changes using Amazon SNS notifications](./monitoring-sns-notifications.html) and [Reference: Amazon EventBridge event patterns and types for Systems Manager](./reference-eventbridge-events.html). 
-
-    * AWS CloudTrail: For more information, see [Logging AWS Systems Manager API calls with AWS CloudTrail](./monitoring-cloudtrail-logs.html).
+  * **OS Patching**
@@ -106,0 +65 @@ Configure integration with the following AWS services for encryption, notificati
+Amazon EC2 lets you specify the operating system for new instances by [referencing a parameter instead of hardcoding an AMI (AMI) ID](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-systems-manager-parameter-to-find-AMI.html.html). This approach ensures your instances automatically use the latest patched and updated images. AWS and operating system vendors provide [public parameters](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-finding-public-parameters.html) that track current AMI versions, so you don't have to manage updates manually. You can also define your own parameters to reference a centrally managed golden AMI, making it easier to enforce consistent, approved configurations across your organization.
@@ -107,0 +67 @@ Configure integration with the following AWS services for encryption, notificati
+  * **Accessible from other AWS services**
@@ -108,0 +69 @@ Configure integration with the following AWS services for encryption, notificati
+Other AWS services allow you to easily reference parameter values. Here are some examples:
@@ -110 +71 @@ Configure integration with the following AWS services for encryption, notificati
-## What is a parameter?
+    * Lambda functions can retrieve parameters and secrets using the [Parameters and Secrets Lambda Extension](https://docs.aws.amazon.com/systems-manager/latest/userguide/ps-integration-lambda-extensions.html).
@@ -112 +73 @@ Configure integration with the following AWS services for encryption, notificati
-A Parameter Store parameter is any piece of data that is saved in Parameter Store, such as a block of text, a list of names, a password, an AMI ID, a license key, and so on. You can centrally and securely reference this data in your scripts, commands, and SSM documents.
+    * Amazon Elastic Container Service and AWS Fargate allow you to [inject environmental variables](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/secrets-envvar-ssm-paramstore.html) whose values are managed centrally in parameter store.
@@ -114 +75 @@ A Parameter Store parameter is any piece of data that is saved in Parameter Stor
-When you reference a parameter, you specify the parameter name by using the following convention.
+    * AWS CloudFormation templates can reference [parameter values](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references-ssm.html).
@@ -116 +77 @@ When you reference a parameter, you specify the parameter name by using the foll
-{{`ssm:`parameter-name``}}
+    * AWS AppConfig enables you to create [configuration profiles that reference parameters](https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-creating-free-form-configuration-and-profile-create-console.html), allowing you to safely deploy configuration changes using features such as gradual rollouts, alarm-based rollbacks, and built-in data validation.
@@ -118 +79 @@ When you reference a parameter, you specify the parameter name by using the foll
-###### Note
+    * AWS CodeBuild allows you to [define environmental variables](https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html#build-spec.env.parameter-store) whose values are dynamically retrieved from Parameter Store at build time.
@@ -120 +81 @@ When you reference a parameter, you specify the parameter name by using the foll
-Parameters can't be referenced or nested in the values of other parameters. You can't include `{{}}` or `{{ssm:`parameter-name`}}` in a parameter value.
+  * **Parameter History**
@@ -122 +83 @@ Parameters can't be referenced or nested in the values of other parameters. You
-Parameter Store provides support for three types of parameters: `String`, `StringList`, and `SecureString`. 
+Parameter Store retains the 100 most recent [versions](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-versions.html) of each parameter, so you can quickly review and reconstruct previous values when investigating operational issues.
@@ -124 +85 @@ Parameter Store provides support for three types of parameters: `String`, `Strin
-With one exception, when you create or update a parameter, you enter the parameter value as plaintext, and Parameter Store performs no validation on the text you enter. For `String` parameters, however, you can specify the data type as `aws:ec2:image`, and Parameter Store validates that the value you enter is the proper format for an Amazon EC2 AMI; for example: `ami-12345abcdeEXAMPLE`.
+  * **Events and notifications**
@@ -126 +87 @@ With one exception, when you create or update a parameter, you enter the paramet
-### Parameter type: String
+Automate workflows in Parameter Store by subscribing to parameter [change events](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-cwe.html). You can also use [change events](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-policies.html) to enforce expiration and receive notifications when a parameter hasn’t been rotated within a specified timeframe.
@@ -128 +89 @@ With one exception, when you create or update a parameter, you enter the paramet
-By default, the value of a `String` parameter consists of any block of text you enter. For example:
+  * **Organize parameters hierarchically**
@@ -130 +91 @@ By default, the value of a `String` parameter consists of any block of text you
-  * `abc123`
+Use [parameter hierarchies](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-hierarchies.html) to group related parameters, making it easier to discover, manage, and filter them across environments and applications.
@@ -132 +92,0 @@ By default, the value of a `String` parameter consists of any block of text you
-  * `Example Corp`
@@ -134 +93,0 @@ By default, the value of a `String` parameter consists of any block of text you
-  * `<img src="images/bannerImage1.png"/>`
@@ -136,0 +96 @@ By default, the value of a `String` parameter consists of any block of text you
+## Parameter tiers
@@ -137,0 +98 @@ By default, the value of a `String` parameter consists of any block of text you
+Parameter Store offers multiple parameter tiers that affect cost, scale, and performance. You individually configure parameters to use either the standard-parameter tier (the default tier) or the advanced-parameter tier.
@@ -139 +100 @@ By default, the value of a `String` parameter consists of any block of text you
-### Parameter type: StringList
+Use:
@@ -141 +102 @@ By default, the value of a `String` parameter consists of any block of text you
-The values of `StringList` parameters contain a comma-separated list of values, as shown in the following examples.
+  * Standard parameters for most configuration data and low-scale workloads
@@ -143 +104 @@ The values of `StringList` parameters contain a comma-separated list of values,
-`Monday,Wednesday,Friday`
+  * Advanced parameters when you need higher limits, larger values, or parameter policies
@@ -145 +105,0 @@ The values of `StringList` parameters contain a comma-separated list of values,
-`CSV,TSV,CLF,ELF,JSON`
@@ -147 +106,0 @@ The values of `StringList` parameters contain a comma-separated list of values,
-### Parameter type: SecureString
@@ -149 +107,0 @@ The values of `StringList` parameters contain a comma-separated list of values,
-The value of a `SecureString` parameter is any sensitive data that needs to be stored and referenced in a secure manner. If you have data that you don't want users to alter or reference in plaintext, such as passwords or license keys, create those parameters using the `SecureString` data type.
@@ -153,13 +111 @@ The value of a `SecureString` parameter is any sensitive data that needs to be s
-Don't store sensitive data in a `String` or `StringList` parameter. For all sensitive data that must remain encrypted, use only the `SecureString` parameter type.
-
-For more information, see [Creating a SecureString parameter using the AWS CLI](./param-create-cli.html#param-create-cli-securestring).
-
-We recommend using `SecureString` parameters for the following scenarios:
-
-  * You want to use data/parameters across AWS services without exposing the values as plaintext in commands, functions, agent logs, or CloudTrail logs.
-
-  * You want to control who has access to sensitive data.
-
-  * You want to be able to audit when sensitive data is accessed (CloudTrail).
-
-  * You want to encrypt your sensitive data, and you want to bring your own encryption keys to manage access.
+You can upgrade a parameter from standard to advanced, but you cannot downgrade it.