AWS SSM Parameter Store

Question 1

What is AWS Systems Manager Parameter Store?

Answer 1

A managed service to store configuration data and secrets securely, centrally, and in a hierarchical structure for applications and infrastructure.

Question 2

What types of data can Parameter Store manage?

Answer 2

Plaintext, SecureString (encrypted), and StringList.

Question 3

What is the difference between String and SecureString parameters?

Answer 3

String is plaintext, while SecureString is encrypted using AWS KMS keys for security.

Question 4

How does Parameter Store integrate with AWS KMS?

Answer 4

SecureString parameters can be encrypted with a customer-managed KMS key or the default AWS-managed key.

Question 5

What are Hierarchical Parameters?

Answer 5

Parameters can be stored in a path-like hierarchy, e.g., /prod/db/username, allowing logical grouping.

Question 6

What is the maximum size of a parameter value?

Answer 6

4 KB for standard parameters; 8 KB for advanced parameters.

Question 7

What is the difference between standard and advanced parameters?

Answer 7

Standard: free, 10,000 max, 4 KB, 1 per second throughput. Advanced: paid, 100,000 max, 8 KB, higher throughput, supports policies, larger value sizes.

Question 8

Can you attach policies to parameters?

Answer 8

Yes, advanced parameters support parameter policies for expiration, rotation, and notifications.

Question 9

How can applications access Parameter Store securely?

Answer 9

Via AWS SDKs, CLI, or by assigning IAM roles/policies to EC2, Lambda, or other services.

Question 10

What is Parameter Versioning?

Answer 10

Parameter Store automatically maintains versions of parameters each time they are updated, allowing rollback.

Question 11

How do you create a parameter using AWS CLI?

Answer 11

aws ssm put-parameter –name “/prod/db/password” –value “MySecret” –type SecureString

Question 12

How do you retrieve a parameter value from Parameter Store?

Answer 12

aws ssm get-parameter –name “/prod/db/password” –with-decryption

Question 13

How do you retrieve multiple parameters under a path?

Answer 13

aws ssm get-parameters-by-path –path “/prod/db/” –recursive –with-decryption

Question 14

How do you update a parameter?

Answer 14

aws ssm put-parameter –name “/prod/db/password” –value “NewSecret” –type SecureString –overwrite

Question 15

How do you delete a parameter?

Answer 15

aws ssm delete-parameter –name “/prod/db/password”

Question 16

How do you list all parameters?

Answer 16

aws ssm describe-parameters

Question 17

How can Parameter Store integrate with EC2, Lambda, or ECS?

Answer 17

Use IAM roles to allow services to call GetParameter API at runtime to fetch config or secrets.

Question 18

What is the difference between GetParameter and GetParameters?

Answer 18

GetParameter fetches a single parameter; GetParameters fetches multiple parameters at once.

Question 19

Should you use Parameter Store for sensitive data?

Answer 19

Yes, use SecureString with KMS encryption.

Question 20

How should you manage parameter versioning?

Answer 20

Always use versioning to allow safe rollback of changes.

Question 21

When should you use advanced parameters?

Answer 21

When you need larger values, parameter policies, or higher throughput.

Question 22

How do you structure hierarchical parameters?

Answer 22

Use paths like /environment/service/config to keep parameters organized.

Question 23

Can Parameter Store replace AWS Secrets Manager?

Answer 23

For basic secrets, yes, but Secrets Manager offers rotation, replication, and secret lifecycle management.

Question 24

How would you store database credentials securely for a Lambda function?

Answer 24

Store as SecureString in Parameter Store, encrypt with KMS, and give Lambda an IAM role to access the parameter.

Question 25

How can you rotate secrets stored in Parameter Store automatically?

Answer 25

Use Parameter Policies for rotation, or integrate with Lambda to programmatically update SecureString values.

Question 26

How can you avoid exposing secrets in logs?

Answer 26

Always retrieve SecureString parameters with --with-decryption in memory only, and avoid logging the value.

Question 27

How would you structure parameters for multiple environments (dev, test, prod)?

Answer 27

Use a path hierarchy, e.g., /dev/db/password, /test/db/password, /prod/db/password.

Question 28

How can you handle large sets of configuration data?

Answer 28

Use StringList parameters or multiple hierarchical parameters with paths.

Question 29

What is AWS Systems Manager Parameter Store?

Answer 29

A managed service to store configuration data and secrets securely, centrally, and hierarchically.

Question 30

What types of data can Parameter Store manage?

Answer 30

String, SecureString (encrypted), and StringList.

Question 31

What is the difference between String and SecureString?

Answer 31

String is plaintext; SecureString is encrypted using AWS KMS.

Question 32

What is a StringList parameter?

Answer 32

A comma-separated list of string values stored as a single parameter.

Question 33

What is the maximum size for standard parameters?

Answer 33

4 KB per parameter.

Question 34

What is the maximum size for advanced parameters?

Answer 34

8 KB per parameter.

Question 35

How does Parameter Store handle versioning?

Answer 35

Each parameter update creates a new version, allowing rollback.

Question 36

What is the difference between standard and advanced parameters?

Answer 36

Advanced parameters support larger size, more versions, higher throughput, policies, and are billed.

Question 37

How are parameters structured hierarchically?

Answer 37

Using path-like names, e.g., /prod/db/username.

Question 38

How does Parameter Store integrate with AWS KMS?

Answer 38

SecureString parameters can be encrypted with AWS-managed or customer-managed KMS keys.

Question 39

When should you use SecureString?

Answer 39

For secrets such as passwords, API keys, or tokens.

Question 40

When is StringList useful?

Answer 40

Storing multiple related values in one parameter, like multiple database endpoints.

Question 41

Can SecureString be decrypted automatically by AWS services?

Answer 41

Yes, if the service has IAM permissions and uses the --with-decryption flag.

Question 42

Can Parameter Store replace Secrets Manager?

Answer 42

For basic secrets, yes, but Secrets Manager supports automatic rotation and lifecycle management.

Question 43

How do you specify a custom KMS key for a SecureString?

Answer 43

Using --key-id when creating the parameter via CLI or SDK.

Question 44

How do you create a standard string parameter?

Answer 44

aws ssm put-parameter --name "/prod/app/config" --value "value" --type String

Question 45

How do you create a SecureString parameter?

Answer 45

aws ssm put-parameter --name "/prod/db/password" --value "secret" --type SecureString --key-id "alias/my-key"

Question 46

How do you update a parameter without creating a new version?

Answer 46

You cannot; updates create a new version automatically. Use --overwrite to update.

Question 47

How do you retrieve a single parameter value?

Answer 47

aws ssm get-parameter --name "/prod/db/password" --with-decryption

Question 48

How do you retrieve multiple parameters at once?

Answer 48

aws ssm get-parameters --names "/prod/db/password" "/prod/db/username" --with-decryption

Question 49

How do you retrieve all parameters under a path?

Answer 49

aws ssm get-parameters-by-path --path "/prod/db/" --recursive --with-decryption

Question 50

How do you delete a parameter?

Answer 50

aws ssm delete-parameter --name "/prod/db/password"

Question 51

How do you list all parameters?

Answer 51

aws ssm describe-parameters

Question 52

How do you filter parameters by type?

Answer 52

aws ssm describe-parameters --parameter-filters Key=Type,Values=SecureString

Question 53

How do you get a parameter version?

Answer 53

The Version field in get-parameter response indicates it.

Question 54

How can you retrieve a parameter in Python (Boto3)?

Answer 54

ssm.get_parameter(Name='/prod/db/password', WithDecryption=True)

Question 55

How can Lambda securely access Parameter Store?

Answer 55

Assign an IAM role with ssm:GetParameter permissions and call the SDK in code.

Question 56

Can CloudFormation manage Parameter Store parameters?

Answer 56

Yes, using AWS::SSM::Parameter resource type.

Question 57

How do you reference Parameter Store values in CloudFormation templates?

Answer 57

{{resolve:ssm:/path/to/parameter:version}} for standard, or {{resolve:ssm-secure:/path/to/parameter:version}} for SecureString.

Question 58

How can you use Parameter Store with ECS tasks?

Answer 58

Use secrets in task definitions referencing the SSM parameter ARN.

Question 59

Can SSM Parameters be used in CodePipeline?

Answer 59

Yes, parameters can be injected as environment variables for deployment steps.

Question 60

What are parameter policies?

Answer 60

Rules applied to parameters for expiration, rotation, or notifications.

Question 61

How can you enforce automatic parameter expiration?

Answer 61

Create a parameter policy of type Expiration.

Question 62

Can you rotate SecureString parameters automatically?

Answer 62

Yes, using parameter policies with Lambda rotation functions.

Question 63

What is a parameter policy for change notification?

Answer 63

Sends events to Amazon EventBridge when a parameter changes.

Question 64

How many versions does Parameter Store retain by default?

Answer 64

Standard: 100; Advanced: configurable, up to 100.

Question 65

What is the max number of parameters per AWS account?

Answer 65

Standard: 10,000; Advanced: 100,000 (limits can increase on request).

Question 66

How can you audit access to Parameter Store?

Answer 66

Enable AWS CloudTrail logging for API calls.

Question 67

Can you tag parameters?

Answer 67

Yes, using standard AWS tagging.

Question 68

Should you store sensitive data in plaintext?

Answer 68

No, always use SecureString with KMS encryption.

Question 69

How should IAM policies be structured for Parameter Store?

Answer 69

Use least privilege: allow only services/users that need access.

Question 70

How do you prevent secrets from leaking in logs?

Answer 70

Retrieve parameters in memory only, do not log decrypted values.

Question 71

How should parameters be structured for multiple environments?

Answer 71

Use a hierarchical naming convention: /dev/service/param, /prod/service/param.

Question 72

How can you secure cross-account access?

Answer 72

Use resource-based policies with ssm:ResourceTag or KMS key policies.

Question 73

How do you rotate secrets without downtime?

Answer 73

Use versioned parameters with Lambda rotation and update references atomically.

Question 74

How would you store database credentials securely for Lambda?

Answer 74

Store as SecureString in Parameter Store, encrypt with KMS, and assign Lambda an IAM role for access.

Question 75

How would you structure parameters for multiple services?

Answer 75

Use paths per service, e.g., /prod/service1/db, /prod/service2/api.

Question 76

How do you handle large lists of endpoints?

Answer 76

Use StringList parameters or multiple hierarchical parameters.

Question 77

How do you integrate Parameter Store with ECS tasks?

Answer 77

Reference SecureString parameters in secrets section of task definitions.

Question 78

How do you ensure applications use the latest secret version?

Answer 78

Applications call get-parameter each time they start or periodically refresh cache.

Question 79

How can Parameter Store help with zero-downtime deployments?

Answer 79

Store config and secrets externally; update parameters without changing code, services fetch updated values at runtime.

Question 80

How do you migrate secrets from Parameter Store to Secrets Manager?

Answer 80

Export values securely and recreate them in Secrets Manager; update applications to reference Secrets Manager ARN.