Code Review In Seconds

Self-Hosted AI Code Reviewer

Hexmos LiveReview AI-Powered Code Review
Live Review
AI-Powered Code Review

IAM Policy: Allow SSM Get Parameters with KMS Decrypt

IAM policy to allow getting SSM parameters by path and decrypting with KMS. Securely manage secrets in AWS.

Allow SSM Get Parameters with KMS Decrypt

This IAM policy allows getting SSM parameters by path and decrypting them using KMS. It's useful for applications that need to securely retrieve configuration data stored in AWS Systems Manager Parameter Store, encrypted with KMS.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSSM",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParametersByPath",
                "ssm:GetParameters"
            ],
            "Resource": [
                "arn:aws:ssm:eu-west-1:xxxxxxxxxxxx:parameter/my-application/dev/DATABASE_*",
                "arn:aws:ssm:eu-west-1:xxxxxxxxxxxx:parameter/codebuild/dev/DOCKER_USER",
                "arn:aws:ssm:eu-west-1:xxxxxxxxxxxx:parameter/codebuild/dev/DOCKER_PASSWORD"
            ]
        },
        {
            "Sid": "AllowKMSDecrypt",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": [
                "arn:aws:kms:eu-west-1:xxxxxxxxxxxx:key/*"
            ]
        }
    ]
}

Explanation

This policy consists of two main statements:

AllowSSM

This statement allows the ssm:GetParametersByPath and ssm:GetParameters actions. These actions are necessary to retrieve parameters from the AWS Systems Manager Parameter Store. The Resource element specifies the ARN patterns for the parameters that can be accessed. In this example, it allows access to parameters under the /my-application/dev/DATABASE_*, /codebuild/dev/DOCKER_USER, and /codebuild/dev/DOCKER_PASSWORD paths.

AllowKMSDecrypt

This statement allows the kms:Decrypt and kms:GenerateDataKey actions. These actions are required to decrypt the parameters if they are encrypted using KMS. The Resource element specifies the ARN pattern for the KMS keys that can be used for decryption. In this example, it allows access to all keys in the eu-west-1 region for the specified account.

Use Cases

  • Granting access to applications to retrieve database credentials stored in SSM Parameter Store.
  • Allowing CI/CD pipelines to access encrypted secrets required for deployment.
  • Providing secure access to configuration parameters for microservices.

Best Practices

  • Apply the principle of least privilege by granting only the necessary permissions.
  • Use specific resource ARNs instead of wildcards to limit the scope of access.
  • Regularly review and update IAM policies to ensure they are still appropriate.
← Back to aws-iam cheatsheets All cheatsheets 🙏  Credits & Acknowledgments