Overview
To be able to read the value of a parameter, the user needs the ssm:GetParameters action (as well as Decrypt access on the KMS key used to encrypt it, by default aws/ssm).
Avoiding Permission
If you are using Least Privilege to grant access to your users, ensure that they aren't given the ssm:GetParameters action.
Denying Permission
Although Least Privilege is recommended in many places, most example permissions are overly permissive. If you can't avoid granting a permission, you can attach an explicit Deny to any users you don't want retrieving the values.
The following policy, if attached to a user or role, should block access to reading the value of a parameter.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ssm:GetParameters",
      "Resource": "*"
    }
  ]
}
Deny Decryption
Since viewing a SecureString depends on decrypting using KMS, you can also deny decryption:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "kms:Decrypt",
      "Resource": "[key arn]"
    }
  ]
}
where you replace [key arn] with the ARN of the KMS key, or use * to block decryption with any key.
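To show how the two Deny policies above interact with a broad Allow, here is an added example (not part of the original page and not AWS's evaluation engine): a minimal evaluator that models the Effect/Action/Resource fields with "*" wildcards, applies the rule that an explicit Deny always overrides an Allow, and checks that reading a SecureString needs both ssm:GetParameters and kms:Decrypt. The key and parameter ARNs are constructed placeholders; conditions, NotAction/NotResource and resource policies are not modelled.

```python
"""Simplified IAM evaluation: explicit Deny beats Allow, nothing matched = deny."""
from fnmatch import fnmatchcase

# Constructed placeholder ARNs for the example (not real resources).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
PARAM_ARN = "arn:aws:ssm:us-east-1:111122223333:parameter/app/db-password"


def _matches(pattern, value, casefold=False):
    """IAM-style '*' / '?' wildcard match; action names are case-insensitive."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    if casefold:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(policies, action, resource):
    """True only if some Allow statement matches and no Deny statement does."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action, casefold=True)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit Deny overrides any matching Allow
            allowed = True
    return allowed


# An overly permissive grant of the kind the text warns about.
BROAD_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:*", "kms:Decrypt"], "Resource": "*"}]}

# The two Deny policies from this page, with the key ARN filled in.
DENY_GET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ssm:GetParameters", "Resource": "*"}]}
DENY_DECRYPT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "kms:Decrypt", "Resource": KEY_ARN}]}


def can_read_securestring(policies, param_arn=PARAM_ARN, key_arn=KEY_ARN):
    """Reading a SecureString requires the SSM read AND decrypting its key."""
    return (is_allowed(policies, "ssm:GetParameters", param_arn)
            and is_allowed(policies, "kms:Decrypt", key_arn))
```

Against a real principal, the same question is answered by IAM's policy simulator (aws iam simulate-principal-policy with --action-names ssm:GetParameters kms:Decrypt), which also accounts for conditions and resource policies this model omits.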