Overview
To be able to read the value of a Parameter, the users needs access to the following access ssm:GetParameters (as well as Decrypt access on the encrypting KMS key, by default aws/ssm).
Avoiding Permission
If you are using Least Privilege to grant access to your users, ensure that they aren’t given access to the ssm:GetParameters action.
Denying Permission
Although Least Privilege is recommended in many places, most example permissions are overly permissive. If you can’t avoid giving a permission, you can add an explicit Deny to any users you don’t want retrieving the values.
The following policy, if attached to a User/Role should block access to reading the value of a parameter.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "ssm:GetParameters",
"Resource": "*"
}]
}Deny Decryption
Since viewing a SecureString depends on decrypting using KMS, you can also deny decryption:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "kms:Decrypt",
"Resource": "[key arn]"
}]
}where you replace [key arn] with the KMS Key, or * to block decryption with any keys.