
Summary table
| Parameter Type | Best for | Key behavior | Example create (CLI) |
|---|---|---|---|
| String | Single scalar values: URLs, paths, numeric config as text, small JSON snippets | Plain-text value up to 4 KB (standard); up to 8 KB for advanced parameters (may incur costs) | aws ssm put-parameter --name "/myapp/config/endpoint" --value "https://api.example.com" --type "String" |
| StringList | Small lists that can be parsed by splitting on commas (hostnames, ports) | Stored as one comma-delimited string. Do not include commas inside items. | aws ssm put-parameter --name "/myapp/allowed_hosts" --value "host1.example.com,host2.example.com" --type "StringList" |
| SecureString | Secrets: API keys, passwords, certificates | Encrypted with AWS KMS. Requires kms:Decrypt and ssm:GetParameter (with decryption) to retrieve plaintext. | aws ssm put-parameter --name "/myapp/credentials/api_key" --value "my-secret" --type "SecureString" |
Parameter types — details and CLI examples
1) String
Description: A plain-text parameter for single scalar values (URLs, file paths, configuration text, or short JSON).
Size limits:
- Standard parameters: up to 4 KB (4096 characters).
- Advanced parameters: larger sizes up to ~8 KB (8192 characters) — advanced parameters may incur additional charges. For much larger payloads consider Amazon S3 or AWS Secrets Manager.
2) StringList
Description: A single parameter that stores a comma-separated list of strings. Use when your application can split values on commas.
Notes:
- The entire comma-separated value is treated as one string. SSM does not expose list semantics beyond the comma delimiter.
- Avoid commas inside list items because they will be interpreted as separators.
3) SecureString
Description: An encrypted parameter for sensitive data (API keys, passwords, certificates). Values are encrypted using AWS KMS.
KMS key usage:
- By default, Parameter Store uses the AWS-managed key alias/aws/ssm.
- You may specify a customer-managed KMS key with --key-id when creating the parameter.
- To retrieve plaintext, callers must have kms:Decrypt permission on the KMS key and ssm:GetParameter with decryption permission.
- If using a customer-managed key, ensure the KMS key policy allows the principal to use the key (and that the SSM service can perform decryption if required).
Use SecureString for secrets. Make sure your IAM roles and the KMS key policy allow both reading the parameter (ssm:GetParameter) and decrypting its value with the key (kms:Decrypt). If you need rotation, versioning, or advanced secret lifecycle features, consider using a dedicated secrets service such as AWS Secrets Manager.
Additional notes and best practices
- Parameter naming: Adopt hierarchical names like /application/environment/key to organize parameters and to make IAM/resource policies more effective.
- Permissions: Control access using AWS IAM. For SecureString parameters, also ensure appropriate KMS permissions.
- Choosing the right service:
- Use Parameter Store for configuration data and lightweight secrets.
- Use AWS Secrets Manager when you require automatic rotation, built-in secret lifecycle, or cross-account replication.
- Large payloads: For very large data blobs, consider storing data in Amazon S3 (and referencing it from Parameter Store) or use a purpose-built secrets solution.
- Use String for general text values.
- Use StringList for small comma-separated lists that your application can split.
- Use SecureString for sensitive data encrypted with KMS.
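An identity policy that applies the naming and permission guidance above, as an added example that is not from the original page: it limits reads to the /myapp/credentials/ hierarchy and allows kms:Decrypt only when KMS is asked to decrypt a parameter under that path. The region, the account ID 111122223333, and the key ID are placeholders, and the policy assumes a customer-managed key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadMyappCredentialParameters",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters"
      ],
      "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/myapp/credentials/*"
    },
    {
      "Sid": "DecryptOnlyForThoseParameters",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:PARAMETER_ARN": "arn:aws:ssm:us-east-1:111122223333:parameter/myapp/credentials/*"
        }
      }
    }
  ]
}
```

Parameter Store passes the parameter's ARN to KMS as the PARAMETER_ARN encryption context, so the condition keeps this principal from using the key to decrypt SecureString values outside the hierarchy even if the same key protects them.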
Links and references
- AWS Systems Manager Parameter Store: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html
- AWS KMS overview: https://docs.aws.amazon.com/kms/latest/developerguide/overview.html
- AWS Secrets Manager: https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
- Amazon S3: https://aws.amazon.com/s3/
- AWS IAM documentation: https://docs.aws.amazon.com/iam/latest/UserGuide/introduction.html