AllowGetSSMWithKMS
IAM policy to allow getting SSM parameters by path and decrypting with KMS. Securely manage secrets in AWS.
Allow SSM Get Parameters with KMS Decrypt
This IAM policy allows getting SSM parameters by path and decrypting them using KMS. It's useful for applications that need to securely retrieve configuration data stored in AWS Systems Manager Parameter Store, encrypted with KMS.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSSM",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParametersByPath",
        "ssm:GetParameters"
      ],
      "Resource": [
        "arn:aws:ssm:eu-west-1:xxxxxxxxxxxx:parameter/my-application/dev/DATABASE_*",
        "arn:aws:ssm:eu-west-1:xxxxxxxxxxxx:parameter/codebuild/dev/DOCKER_USER",
        "arn:aws:ssm:eu-west-1:xxxxxxxxxxxx:parameter/codebuild/dev/DOCKER_PASSWORD"
      ]
    },
    {
      "Sid": "AllowKMSDecrypt",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "arn:aws:kms:eu-west-1:xxxxxxxxxxxx:key/*"
      ]
    }
  ]
}
Explanation
This policy consists of two main statements:
AllowSSM
This statement allows the ssm:GetParametersByPath and ssm:GetParameters actions, which are needed to read parameters from the AWS Systems Manager Parameter Store. The Resource element lists the ARN patterns of the parameters that may be read. In this example it grants access to every parameter matching /my-application/dev/DATABASE_* and to the two individual parameters /codebuild/dev/DOCKER_USER and /codebuild/dev/DOCKER_PASSWORD; parameters outside those names (for instance anything under /my-application/prod/) are not covered.
AllowKMSDecrypt
This statement allows the kms:Decrypt and kms:GenerateDataKey actions. These actions are required to decrypt the parameters if they are encrypted using KMS (SecureString parameters). The Resource element specifies the ARN pattern for the KMS keys that can be used for decryption. In this example it allows access to all keys in the eu-west-1 region of the specified account, because the key id is given as the wildcard key/*.
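Before attaching a policy like this, it is worth checking offline which calls it actually grants and which resources are wider than intended. The script below is an added example, not part of the original page: it re-creates the policy above with a placeholder account id, implements a minimal subset of IAM evaluation (Allow and Deny statements, IAM's `*` and `?` wildcards in Action and Resource, default deny), flags resources that end in a bare wildcard, and produces a tightened copy that pins the KMS statement to a single key ARN. The account id and the key id `PLACEHOLDER-KEY-ID` are constructed placeholders; the functions `iam_match`, `is_allowed`, `broad_resources` and `tighten_kms` are this example's own, not an AWS API.

```python
"""Offline least-privilege check for the SSM + KMS policy above.

Added example, not part of the original page. Only a small subset of IAM
evaluation is modelled (no conditions, no NotAction/NotResource, no
principal logic); use the AWS IAM policy simulator for the authoritative answer.
"""
import copy
import re

ACCOUNT = "111111111111"   # constructed placeholder, not a real account id
REGION = "eu-west-1"
SSM_PREFIX = f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter"

# The policy from the page, with the account id replaced by the placeholder.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSSM",
            "Effect": "Allow",
            "Action": ["ssm:GetParametersByPath", "ssm:GetParameters"],
            "Resource": [
                f"{SSM_PREFIX}/my-application/dev/DATABASE_*",
                f"{SSM_PREFIX}/codebuild/dev/DOCKER_USER",
                f"{SSM_PREFIX}/codebuild/dev/DOCKER_PASSWORD",
            ],
        },
        {
            "Sid": "AllowKMSDecrypt",
            "Effect": "Allow",
            "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": [f"arn:aws:kms:{REGION}:{ACCOUNT}:key/*"],
        },
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise."""
    return value if isinstance(value, list) else [value]


def iam_match(pattern, value, case_sensitive=True):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policy, action, resource):
    """Minimal evaluator: explicit Deny wins, then any matching Allow, else deny."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are matched case-insensitively, resource ARNs case-sensitively.
        action_hit = any(
            iam_match(a, action, case_sensitive=False) for a in _as_list(stmt["Action"])
        )
        resource_hit = any(iam_match(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def broad_resources(policy):
    """Return (Sid, Resource) pairs whose resource ends in a bare wildcard segment."""
    hits = []
    for stmt in policy["Statement"]:
        for r in _as_list(stmt["Resource"]):
            if r == "*" or r.endswith("/*") or r.endswith(":*"):
                hits.append((stmt.get("Sid"), r))
    return hits


def tighten_kms(policy, key_arn):
    """Copy of the policy with the AllowKMSDecrypt statement pinned to one key ARN."""
    tightened = copy.deepcopy(policy)
    for stmt in tightened["Statement"]:
        if stmt.get("Sid") == "AllowKMSDecrypt":
            stmt["Resource"] = [key_arn]
    return tightened


if __name__ == "__main__":
    dev_db = f"{SSM_PREFIX}/my-application/dev/DATABASE_URL"
    prod_db = f"{SSM_PREFIX}/my-application/prod/DATABASE_URL"
    print("read dev DATABASE_URL :", is_allowed(POLICY, "ssm:GetParameters", dev_db))
    print("read prod DATABASE_URL:", is_allowed(POLICY, "ssm:GetParameters", prod_db))
    print("write dev DATABASE_URL:", is_allowed(POLICY, "ssm:PutParameter", dev_db))
    print("wildcard resources    :", broad_resources(POLICY))
    key = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/PLACEHOLDER-KEY-ID"
    print("after tightening      :", broad_resources(tighten_kms(POLICY, key)))
```

Two things the check makes visible. First, `key/*` lets the identity decrypt with any key in the account and region, while the SecureString parameters it reads are encrypted under one key; replacing the wildcard with that key's ARN (as `tighten_kms` does) is the "specific resource ARNs instead of wildcards" practice from the list below. Second, kms:GenerateDataKey is used when encrypting data, not when decrypting it, so an identity that only reads parameters can drop it. The evaluator is deliberately simplified; confirm the final policy with the IAM policy simulator, including a GetParametersByPath call for the path you actually query, since that call is evaluated against the path's ARN rather than against the individual parameter names.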
Use Cases
- Granting access to applications to retrieve database credentials stored in SSM Parameter Store.
- Allowing CI/CD pipelines to access encrypted secrets required for deployment.
- Providing secure access to configuration parameters for microservices.
Best Practices
- Apply the principle of least privilege by granting only the necessary permissions.
- Use specific resource ARNs instead of wildcards to limit the scope of access.
- Regularly review and update IAM policies to ensure they are still appropriate.