• The AWS Systems Manager CloudWatch Dashboard will no longer be available after April 30, 2026. Customers can continue to use Amazon CloudWatch console to view, create, and manage their Amazon CloudWatch dashboards, just as they do today. For more information, see [Amazon CloudWatch Dashboard documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html).
# Creating Parameter Store parameters in Systems Manager
Use the information in the following topics to help you create Systems Manager parameters using the AWS Systems Manager console, the AWS Command Line Interface (AWS CLI), or AWS Tools for Windows PowerShell (Tools for Windows PowerShell).
This section demonstrates how to create, store, and run parameters with Parameter Store in a test environment. It also demonstrates how to use Parameter Store with other Systems Manager tools in AWS services. For more information, see [What is a parameter?](systems-manager-parameter-store.md#what-is-a-parameter)
## Understanding requirements and constraints for parameter names
Use the information in this topic to help you specify valid values for parameter names when you create a parameter.
This information supplements the details in the topic [PutParameter](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PutParameter.html) in the *AWS Systems Manager API Reference*, which also provides information about the values **AllowedPattern**, **Description**, **KeyId**, **Overwrite**, **Type**, and **Value**.
The requirements and constraints for parameter names include the following:
+ **Case sensitivity**: Parameter names are case sensitive.
+ **Spaces**: Parameter names can't include spaces.
+ **Valid characters**: Parameter names can consist of the following symbols and letters only: `a-zA-Z0-9_.-`
In addition, the slash character ( / ) is used to delineate hierarchies in parameter names. For example: `/Dev/Production/East/Project-ABC/MyParameter`
+ **Valid AMI format**: When you choose `aws:ec2:image` as the data type for a `String` parameter, the ID you enter must validate for the AMI ID format `ami-12345abcdeEXAMPLE`.
+ **Fully qualified**: When you create or reference a parameter in a hierarchy, include a leading forward slash character (/) . When you reference a parameter that is part of a hierarchy, specify the entire hierarchy path including the initial slash (/).
+ Fully qualified parameter names: `MyParameter1`, `/MyParameter2`, `/Dev/Production/East/Project-ABC/MyParameter`
+ Not fully qualified parameter name: `MyParameter3/L1`
+ **Length**: The maximum length for a parameter name that you specify is 1011 characters. This count of 1011 characters includes the characters in the ARN that precede the name you specify, such as the 45 characters in `arn:aws:ssm:us-east-2:111122223333:parameter/`.
+ **Prefixes**: A parameter name can't be prefixed with "`aws`" or "`ssm`" (case-insensitive). For example, attempts to create parameters with the following names fail with an exception:
+ `awsTestParameter`
+ `SSM-testparameter`
+ `/aws/testparam1`
**Note**
When you specify a parameter in an SSM document, command, or script, include `ssm` as part of the syntax. For example, \$1\$1ssm:*parameter-name*\$1\$1 and \$1\$1 ssm:*parameter-name* \$1\$1, such as `{{ssm:MyParameter}}`, and `{{ ssm:MyParameter }}.`
+ **Uniqueness**: A parameter name must be unique within an AWS Region. For example, Systems Manager treats the following as separate parameters, if they exist in the same Region:
+ `/Test/TestParam1`
+ `/TestParam1`
The following examples are also unique:
+ `/Test/TestParam1/Logpath1`
+ `/Test/TestParam1`
The following examples, however, if in the same Region, aren't unique:
+ `/TestParam1`
+ `TestParam1`
+ **Hierarchy depth**: If you specify a parameter hierarchy, the hierarchy can have a maximum depth of fifteen levels. You can define a parameter at any level of the hierarchy. Both of the following examples are structurally valid:
+ `/Level-1/L2/L3/L4/L5/L6/L7/L8/L9/L10/L11/L12/L13/L14/parameter-name`
+ `parameter-name`
Attempting to create the following parameter would fail with a `HierarchyLevelLimitExceededException` exception:
+ `/Level-1/L2/L3/L4/L5/L6/L7/L8/L9/L10/L11/L12/L13/L14/L15/L16/parameter-name`
**Important**
If a user has access to a path, then the user can access all levels of that path. For example, if a user has permission to access path `/a`, then the user can also access `/a/b`. Even if a user has explicitly been denied access in AWS Identity and Access Management (IAM) for parameter `/a/b`, they can still call the [GetParametersByPath](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParametersByPath.html) API operation recursively for `/a` and view `/a/b`.
**Topics**
+ [Understanding requirements and constraints for parameter names](#sysman-parameter-name-constraints)
+ [Creating a Parameter Store parameter using the console](parameter-create-console.md)
+ [Creating a Parameter Store parameter using the AWS CLI](param-create-cli.md)
+ [Creating a Parameter Store parameter using Tools for Windows PowerShell](param-create-ps.md)
# Creating a Parameter Store parameter using the console
You can use the AWS Systems Manager console to create and run `String`, `StringList`, and `SecureString` parameter types. After deleting a parameter, wait for at least 30 seconds to create a parameter with the same name.
**Note**
Parameters are only available in the AWS Region where they were created.
The following procedure walks you through the process of creating a parameter in the Parameter Store console. You can create `String`, `StringList`, and `SecureString` parameter types from the console.
**To create a parameter**
1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).
1. In the navigation pane, choose **Parameter Store**.
1. Choose **Create parameter**.
1. In the **Name** box, enter a hierarchy and a name. For example, enter **/Test/helloWorld**.
For more information about parameter hierarchies, see [Working with parameter hierarchies in Parameter Store](sysman-paramstore-hierarchies.md).
1. In the **Description** box, type a description that identifies this parameter as a test parameter.
1. For **Parameter tier** choose either **Standard** or **Advanced**. For more information about advanced parameters, see [Managing parameter tiers](parameter-store-advanced-parameters.md).
1. For **Type**, choose **String**, **StringList**, or **SecureString**.
+ If you choose **String**, the **Data type** field is displayed. If you're creating a parameter to hold the resource ID for an Amazon Machine Image (AMI), select `aws:ec2:image`. Otherwise, keep the default `text` selected.
+ If you choose **SecureString,** the **KMS Key ID** field is displayed. If you don't provide an AWS Key Management Service AWS KMS key ID, an AWS KMS key Amazon Resource Name (ARN), an alias name, or an alias ARN, then the system uses `alias/aws/ssm`, which is the AWS managed key for Systems Manager. If you don't want to use this key, then you can use a customer managed key. For more information about AWS managed keys and customer managed keys, see [AWS Key Management Service Concepts](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html) in the *AWS Key Management Service Developer Guide*. For more information about Parameter Store and AWS KMS encryption, see [How AWS Systems Manager Parameter Store Uses AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html).
**Important**
Parameter Store only supports [symmetric encryption KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose-key-spec.html#symmetric-cmks). You can't use an [asymmetric encryption KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) to encrypt your parameters. For help determining whether a KMS key is symmetric or asymmetric, see [Identifying symmetric and asymmetric KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html) in the *AWS Key Management Service Developer Guide*
+ When creating a `SecureString` parameter in the console by using the `key-id` parameter with either a customer managed key alias name or an alias ARN, specify the prefix `alias/` before the alias. Following is an ARN example.
```
arn:aws:kms:us-east-2:123456789012:alias/abcd1234-ab12-cd34-ef56-abcdeEXAMPLE
```
Following is an alias name example.
```
alias/MyAliasName
```
1. In the **Value** box, type a value. For example, type **This is my first parameter** or **ami-0dbf5ea29aEXAMPLE**.
**Note**
Parameters can't be referenced or nested in the values of other parameters. You can't include `{{}}` or `{{ssm:parameter-name}}` in a parameter value.
If you chose **SecureString**, the value of the parameter is masked by default ("\$1\$1\$1\$1\$1\$1") when you view it later on the parameter **Overview** tab, as shown in the following illlustration. Choose **Show** to display the parameter value.
![\[A SecureString parameter's value is masked with the option to display the value.\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/images/ps-overview-show-secstring.png)
1. (Optional) In the **Tags** area, apply one or more tag key-value pairs to the parameter.
Tags are optional metadata that you assign to a resource. Tags allow you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag a Systems Manager parameter to identify the type of resource to which it applies, the environment, or the type of configuration data referenced by the parameter. In this case, you could specify the following key-value pairs:
+ `Key=Resource,Value=S3bucket`
+ `Key=OS,Value=Windows`
+ `Key=ParameterType,Value=LicenseKey`
1. Choose **Create parameter**.
1. In the parameters list, choose the name of the parameter you just created. Verify the details on the **Overview** tab. If you created a `SecureString` parameter, choose **Show** to view the unencrypted value.
**Note**
You can’t change an advanced parameter to a standard parameter. If you no longer need an advanced parameter, or if you no longer want to incur charges for an advanced parameter, delete it and recreate it as a new standard parameter.
**Note**
You can't change the type of an existing parameter (for example, from `String` to `SecureString`) using the console. To change a parameter's type, you must use the AWS CLI or s with the `--overwrite` option. For more information, see [Creating a Parameter Store parameter using the AWS CLI](param-create-cli.md).
# Creating a Parameter Store parameter using the AWS CLI
You can use the AWS Command Line Interface (AWS CLI) to create `String`, `StringList`, and `SecureString` parameter types. After deleting a parameter, wait for at least 30 seconds to create a parameter with the same name.
Parameters can't be referenced or nested in the values of other parameters. You can't include `{{}}` or `{{ssm:parameter-name}}` in a parameter value.
**Note**
Parameters are only available in the AWS Region where they were created.
**Topics**
+ [Creating a `String` parameter using the AWS CLI](#param-create-cli-string)
+ [Creating a StringList parameter using the AWS CLI](#param-create-cli-stringlist)
+ [Creating a SecureString parameter using the AWS CLI](#param-create-cli-securestring)
+ [Creating a multi-line parameter using the AWS CLI](#param-create-cli-multiline)
## Creating a `String` parameter using the AWS CLI
1. Install and configure the AWS Command Line Interface (AWS CLI), if you haven't already.
For information, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).
1. Run the following command to create a `String`-type parameter. Replace each *example resource placeholder* with your own information.
------
#### [ Linux & macOS ]
```
aws ssm put-parameter \
--name "parameter-name" \
--value "parameter-value" \
--type String \
--tags "Key=tag-key,Value=tag-value"
```
------
#### [ Windows ]
```
aws ssm put-parameter ^
--name "parameter-name" ^
--value "parameter-value" ^
--type String ^
--tags "Key=tag-key,Value=tag-value"
```
------
-or-
Run the following command to create a parameter that contains an Amazon Machine Image (AMI) ID as the parameter value.
------
#### [ Linux & macOS ]
```
aws ssm put-parameter \
--name "parameter-name" \
--value "an-AMI-id" \
--type String \
--data-type "aws:ec2:image" \
--tags "Key=tag-key,Value=tag-value"
```
------
#### [ Windows ]
```
aws ssm put-parameter ^
--name "parameter-name" ^
--value "an-AMI-id" ^
--type String ^
--data-type "aws:ec2:image" ^
--tags "Key=tag-key,Value=tag-value"
```
------
The `--name` option supports hierarchies. For information about hierarchies, see [Working with parameter hierarchies in Parameter Store](sysman-paramstore-hierarchies.md).
The `--data-type` option must be specified only if you are creating a parameter that contains an AMI ID. It validates that the parameter value you enter is a properly formatted Amazon Elastic Compute Cloud (Amazon EC2) AMI ID. For all other parameters, the default data type is `text` and it's optional to specify a value. For more information, see [Using native parameter support in Parameter Store for Amazon Machine Image IDs](parameter-store-ec2-aliases.md).
**Important**
If successful, the command returns the version number of the parameter. **Exception**: If you have specified `aws:ec2:image` as the data type, a new version number in the response doesn't mean that the parameter value has been validated yet. For more information, see [Using native parameter support in Parameter Store for Amazon Machine Image IDs](parameter-store-ec2-aliases.md).
The following example adds two key-value pair tags to a parameter.
------
#### [ Linux & macOS ]
```
aws ssm put-parameter \
--name parameter-name \
--value "parameter-value" \
--type "String" \
--tags '[{"Key":"Region","Value":"East"},{"Key":"Environment", "Value":"Production"}]'
```
------
#### [ Windows ]
```
aws ssm put-parameter ^
--name parameter-name ^
--value "parameter-value" ^
--type "String" ^
--tags [{\"Key\":\"Region1\",\"Value\":\"East1\"},{\"Key\":\"Environment1\",\"Value\":\"Production1\"}]
```
------
The following example uses a parameter hierarchy in the name to create a plaintext `String` parameter. It returns the version number of the parameter. For more information about parameter hierarchies, see [Working with parameter hierarchies in Parameter Store](sysman-paramstore-hierarchies.md).
------
#### [ Linux & macOS ]
**Parameter not in a hierarchy**
```
aws ssm put-parameter \
--name "golden-ami" \
--type "String" \
--value "ami-12345abcdeEXAMPLE"
```
**Parameter in a hierarchy**
```
aws ssm put-parameter \
--name "/amis/linux/golden-ami" \
--type "String" \
--value "ami-12345abcdeEXAMPLE"
```
------
#### [ Windows ]
**Parameter not in a hierarchy**
```
aws ssm put-parameter ^
--name "golden-ami" ^
--type "String" ^
--value "ami-12345abcdeEXAMPLE"
```
**Parameter in a hierarchy**
```
aws ssm put-parameter ^
--name "/amis/windows/golden-ami" ^
--type "String" ^
--value "ami-12345abcdeEXAMPLE"
```
------
1. Run the following command to view the latest parameter value and verify the details of your new parameter.
```
aws ssm get-parameters --names "/Test/IAD/helloWorld"
```
The system returns information like the following.
```
{
"InvalidParameters": [],
"Parameters": [
{
"Name": "/Test/IAD/helloWorld",
"Type": "String",
"Value": "My updated parameter value",
"Version": 2,
"LastModifiedDate": "2020-02-25T15:55:33.677000-08:00",
"ARN": "arn:aws:ssm:us-east-2:123456789012:parameter/Test/IAD/helloWorld"
}
]
}
```
Run the following command to change the parameter value. It returns the version number of the parameter.
```
aws ssm put-parameter --name "/Test/IAD/helloWorld" --value "My updated 1st parameter" --type String --overwrite
```
Run the following command to view the parameter value history.
```
aws ssm get-parameter-history --name "/Test/IAD/helloWorld"
```
Run the following command to use this parameter in a command.
```
aws ssm send-command --document-name "AWS-RunShellScript" --parameters '{"commands":["echo {{ssm:/Test/IAD/helloWorld}}"]}' --targets "Key=instanceids,Values=instance-ids"
```
Run the following command if you only want to retrieve the parameter Value.
```
aws ssm get-parameter --name testDataTypeParameter --query "Parameter.Value"
```
Run the following command if you only want to retrieve the parameter Value using `get-parameters`.
```
aws ssm get-parameters --names "testDataTypeParameter" --query "Parameters[*].Value"
```
Run the following command to view the parameter metadata.
```
aws ssm describe-parameters --filters "Key=Name,Values=/Test/IAD/helloWorld"
```
**Note**
*Name* must be capitalized.
The system returns information like the following.
```
{
"Parameters": [
{
"Name": "helloworld",
"Type": "String",
"LastModifiedUser": "arn:aws:iam::123456789012:user/JohnDoe",
"LastModifiedDate": 1494529763.156,
"Version": 1,
"Tier": "Standard",
"Policies": []
}
]
}
```
## Creating a StringList parameter using the AWS CLI
1. Install and configure the AWS Command Line Interface (AWS CLI), if you haven't already.
For information, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).
1. Run the following command to create a parameter. Replace each *example resource placeholder* with your own information.
------
#### [ Linux & macOS ]
```
aws ssm put-parameter \
--name "parameter-name" \
--value "a-comma-separated-list-of-values" \
--type StringList \
--tags "Key=tag-key,Value=tag-value"
```
------
#### [ Windows ]
```
aws ssm put-parameter ^
--name "parameter-name" ^
--value "a-comma-separated-list-of-values" ^
--type StringList ^
--tags "Key=tag-key,Value=tag-value"
```
------
**Note**
If successful, the command returns the version number of the parameter.
This example adds two key-value pair tags to a parameter. (Depending on the operating system type on your local machine, run one of the following commands. The version to run from a local Windows machine includes the escape characters ("\$1") that you need to run the command from your command line tool.)
Here is a `StringList` example that uses a parameter hierarchy.
------
#### [ Linux & macOS ]
```
aws ssm put-parameter \
--name /IAD/ERP/Oracle/addUsers \
--value "Milana,Mariana,Mark,Miguel" \
--type StringList
```
------
#### [ Windows ]
```
aws ssm put-parameter ^
--name /IAD/ERP/Oracle/addUsers ^
--value "Milana,Mariana,Mark,Miguel" ^
--type StringList
```
------
**Note**
Items in a `StringList` must be separated by a comma (,). You can't use other punctuation or special characters to escape items in the list. If you have a parameter value that requires a comma, then use the `String` type.
1. Run the `get-parameters` command to verify the details of the parameter. For example:
```
aws ssm get-parameters --name "/IAD/ERP/Oracle/addUsers"
```
## Creating a SecureString parameter using the AWS CLI
Use the following procedure to create a `SecureString` parameter. Replace each *example resource placeholder* with your own information.
**Important**
Only the *value* of a `SecureString` parameter is encrypted. Parameter names, descriptions, and other properties aren't encrypted.
**Important**
Parameter Store only supports [symmetric encryption KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose-key-spec.html#symmetric-cmks). You can't use an [asymmetric encryption KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) to encrypt your parameters. For help determining whether a KMS key is symmetric or asymmetric, see [Identifying symmetric and asymmetric KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html) in the *AWS Key Management Service Developer Guide*
1. Install and configure the AWS Command Line Interface (AWS CLI), if you haven't already.
For information, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).
1. Run **one** of the following commands to create a parameter that uses the `SecureString` data type.
------
#### [ Linux & macOS ]
**Create a `SecureString` parameter using the default AWS managed key **
```
aws ssm put-parameter \
--name "parameter-name" \
--value "parameter-value" \
--type "SecureString"
```
**Create a `SecureString` parameter that uses a customer managed key**
```
aws ssm put-parameter \
--name "parameter-name" \
--value "a-parameter-value, for example P@ssW%rd#1" \
--type "SecureString"
--tags "Key=tag-key,Value=tag-value"
```
**Create a `SecureString` parameter that uses a custom AWS KMS key**
```
aws ssm put-parameter \
--name "parameter-name" \
--value "a-parameter-value, for example P@ssW%rd#1" \
--type "SecureString" \
--key-id "your-account-ID/the-custom-AWS KMS-key" \
--tags "Key=tag-key,Value=tag-value"
```
------
#### [ Windows ]
**Create a `SecureString` parameter using the default AWS managed key**
```
aws ssm put-parameter ^
--name "parameter-name" ^
--value "parameter-value" ^
--type "SecureString"
```
**Create a `SecureString` parameter that uses a customer managed key**
```
aws ssm put-parameter ^
--name "parameter-name" ^
--value "a-parameter-value, for example P@ssW%rd#1" ^
--type "SecureString" ^
--tags "Key=tag-key,Value=tag-value"
```
**Create a `SecureString` parameter that uses a custom AWS KMS key**
```
aws ssm put-parameter ^
--name "parameter-name" ^
--value "a-parameter-value, for example P@ssW%rd#1" ^
--type "SecureString" ^
--key-id " ^
--tags "Key=tag-key,Value=tag-value"account-ID/the-custom-AWS KMS-key"
```
------
If you create a `SecureString` parameter by using the AWS managed key key in your account and Region, then you *don't* have to provide a value for the `--key-id` parameter.
**Note**
To use the AWS KMS key assigned to your AWS account and AWS Region, remove the `key-id` parameter from the command. For more information about AWS KMS keys, see [AWS Key Management Service Concepts](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) in the *AWS Key Management Service Developer Guide*.
To use a customer managed key instead of the AWS managed key assigned to your account, specify the key by using the `--key-id` parameter. The parameter supports the following KMS parameter formats.
+ Key Amazon Resource Name (ARN) example:
`arn:aws:kms:us-east-2:123456789012:key/key-id`
+ Alias ARN example:
`arn:aws:kms:us-east-2:123456789012:alias/alias-name`
+ Key ID example:
`12345678-1234-1234-1234-123456789012`
+ Alias Name example:
`alias/MyAliasName`
You can create a customer managed key by using the AWS Management Console or the AWS KMS API. The following AWS CLI commands create a customer managed key in the current AWS Region of your AWS account.
```
aws kms [create-key](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html)
```
Use a command in the following format to create a `SecureString` parameter using the key you just created.
The following example uses an obfuscated name (`3l3vat3131`) for a password parameter and an AWS KMS key.
------
#### [ Linux & macOS ]
```
aws ssm put-parameter \
--name /Finance/Payroll/3l3vat3131 \
--value "P@sSwW)rd" \
--type SecureString \
--key-id arn:aws:kms:us-east-2:123456789012:key/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e
```
------
#### [ Windows ]
```
aws ssm put-parameter ^
--name /Finance/Payroll/3l3vat3131 ^
--value "P@sSwW)rd" ^
--type SecureString ^
--key-id arn:aws:kms:us-east-2:123456789012:key/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e
```
------
1. Run the following command to verify the details of the parameter.
If you don't specify the `with-decryption` parameter, or if you specify the `no-with-decryption` parameter, the command returns an encrypted GUID.
------
#### [ Linux & macOS ]
```
aws ssm get-parameters \
--name "the-parameter-name-you-specified" \
--with-decryption
```
------
#### [ Windows ]
```
aws ssm get-parameters ^
--name "the-parameter-name-you-specified" ^
--with-decryption
```
------
1. Run the following command to view the parameter metadata.
------
#### [ Linux & macOS ]
```
aws ssm describe-parameters \
--filters "Key=Name,Values=the-name-that-you-specified"
```
------
#### [ Windows ]
```
aws ssm describe-parameters ^
--filters "Key=Name,Values=the-name-that-you-specified"
```
------
1. Run the following command to change the parameter value if you're **not** using a customer managed AWS KMS key.
------
#### [ Linux & macOS ]
```
aws ssm put-parameter \
--name "the-name-that-you-specified" \
--value "a-new-parameter-value" \
--type "SecureString" \
--overwrite
```
------
#### [ Windows ]
```
aws ssm put-parameter ^
--name "the-name-that-you-specified" ^
--value "a-new-parameter-value" ^
--type "SecureString" ^
--overwrite
```
------
-or-
Run one of the following commands to change the parameter value if you **are** using a customer managed AWS KMS key.
------
#### [ Linux & macOS ]
```
aws ssm put-parameter \
--name "the-name-that-you-specified" \
--value "a-new-parameter-value" \
--type "SecureString" \
--key-id "the-KMSkey-ID" \
--overwrite
```
```
aws ssm put-parameter \
--name "the-name-that-you-specified" \
--value "a-new-parameter-value" \
--type "SecureString" \
--key-id "account-alias/the-KMSkey-ID" \
--overwrite
```
------
#### [ Windows ]
```
aws ssm put-parameter ^
--name "the-name-that-you-specified" ^
--value "a-new-parameter-value" ^
--type "SecureString" ^
--key-id "the-KMSkey-ID" ^
--overwrite
```
```
aws ssm put-parameter ^
--name "the-name-that-you-specified" ^
--value "a-new-parameter-value" ^
--type "SecureString" ^
--key-id "account-alias/the-KMSkey-ID" ^
--overwrite
```
------
1. Run the following command to view the latest parameter value.
------
#### [ Linux & macOS ]
```
aws ssm get-parameters \
--name "the-name-that-you-specified" \
--with-decryption
```
------
#### [ Windows ]
```
aws ssm get-parameters ^
--name "the-name-that-you-specified" ^
--with-decryption
```
------
1. Run the following command to view the parameter value history.
------
#### [ Linux & macOS ]
```
aws ssm get-parameter-history \
--name "the-name-that-you-specified"
```
------
#### [ Windows ]
```
aws ssm get-parameter-history ^
--name "the-name-that-you-specified"
```
------
**Note**
You can manually create a parameter with an encrypted value. In this case, because the value is already encrypted, you don’t have to choose the `SecureString` parameter type. If you do choose `SecureString`, your parameter is doubly encrypted.
By default, all `SecureString` values are displayed as cipher-text. To decrypt a `SecureString` value, a user must have permission to call the AWS KMS [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) API operation. For information about configuring AWS KMS access control, see [Authentication and Access Control for AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/control-access.html) in the *AWS Key Management Service Developer Guide*.
**Important**
If you change the KMS key alias for the KMS key used to encrypt a parameter, then you must also update the key alias the parameter uses to reference AWS KMS. This only applies to the KMS key alias; the key ID that an alias attaches to stays the same unless you delete the whole key.
## Creating a multi-line parameter using the AWS CLI
You can use the AWS CLI to create a parameter with line breaks. Use line breaks to break up the text in longer parameter values for better legibility or, for example, update multi-paragraph parameter content for a web page. You can include the content in a JSON file and use the `--cli-input-json` option, using line break characters like `\n`, as shown in the following example.
1. Install and configure the AWS Command Line Interface (AWS CLI), if you haven't already.
For information, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).
1. Run the following command to create a multi-line parameter.
------
#### [ Linux & macOS ]
```
aws ssm put-parameter \
--name "MultiLineParameter" \
--type String \
--cli-input-json file://MultiLineParameter.json
```
------
#### [ Windows ]
```
aws ssm put-parameter ^
--name "MultiLineParameter" ^
--type String ^
--cli-input-json file://MultiLineParameter.json
```
------
The following example shows the contents of the file `MultiLineParameter.json`.
```
{
"Value": "Paragraph One\nParagraph Two\nParagraph Three"
}
```
The saved parameter value is stored as follows.
```
Paragraph One
Paragraph Two
Paragraph Three
```
# Creating a Parameter Store parameter using Tools for Windows PowerShell
You can use AWS Tools for Windows PowerShell to create `String`, `StringList`, and `SecureString` parameter types. After deleting a parameter, wait for at least 30 seconds to create a parameter with the same name.
Parameters can't be referenced or nested in the values of other parameters. You can't include `{{}}` or `{{ssm:parameter-name}}` in a parameter value.
**Note**
Parameters are only available in the AWS Region where they were created.
**Topics**
+ [Creating a String parameter (Tools for Windows PowerShell)](#param-create-ps-string)
+ [Creating a StringList parameter (Tools for Windows PowerShell)](#param-create-ps-stringlist)
+ [Creating a SecureString parameter (Tools for Windows PowerShell)](#param-create-ps-securestring)
## Creating a String parameter (Tools for Windows PowerShell)
1. Install and configure the AWS Tools for PowerShell (Tools for Windows PowerShell), if you haven't already.
For information, see [Installing the AWS Tools for PowerShell](https://docs.aws.amazon.com/powershell/latest/userguide/pstools-getting-set-up.html).
1. Run the following command to create a parameter that contains a plain text value. Replace each *example resource placeholder* with your own information.
```
Write-SSMParameter `
-Name "parameter-name" `
-Value "parameter-value" `
-Type "String"
```
-or-
Run the following command to create a parameter that contains an Amazon Machine Image (AMI) ID as the parameter value.
**Note**
To create a parameter with a tag, create the service.model.tag before hand as a variable. Here is an example.
```
$tag = New-Object Amazon.SimpleSystemsManagement.Model.Tag
$tag.Key = "tag-key"
$tag.Value = "tag-value"
```
```
Write-SSMParameter `
-Name "parameter-name" `
-Value "an-AMI-id" `
-Type "String" `
-DataType "aws:ec2:image" `
-Tags $tag
```
The `-DataType` option must be specified only if you are creating a parameter that contains an AMI ID. For all other parameters, the default data type is `text`. For more information, see [Using native parameter support in Parameter Store for Amazon Machine Image IDs](parameter-store-ec2-aliases.md).
Here is an example that uses a parameter hierarchy.
```
Write-SSMParameter `
-Name "/IAD/Web/SQL/IPaddress" `
-Value "99.99.99.999" `
-Type "String" `
-Tags $tag
```
1. Run the following command to verify the details of the parameter.
```
(Get-SSMParameterValue -Name "the-parameter-name-you-specified").Parameters
```
## Creating a StringList parameter (Tools for Windows PowerShell)
1. Install and configure the AWS Tools for PowerShell (Tools for Windows PowerShell), if you haven't already.
For information, see [Installing the AWS Tools for PowerShell](https://docs.aws.amazon.com/powershell/latest/userguide/pstools-getting-set-up.html).
1. Run the following command to create a StringList parameter. Replace each *example resource placeholder* with your own information.
**Note**
To create a parameter with a tag, create the service.model.tag before hand as a variable. Here is an example.
```
$tag = New-Object Amazon.SimpleSystemsManagement.Model.Tag
$tag.Key = "tag-key"
$tag.Value = "tag-value"
```
```
Write-SSMParameter `
-Name "parameter-name" `
-Value "a-comma-separated-list-of-values" `
-Type "StringList" `
-Tags $tag
```
If successful, the command returns the version number of the parameter.
Here is an example.
```
Write-SSMParameter `
-Name "stringlist-parameter" `
-Value "Milana,Mariana,Mark,Miguel" `
-Type "StringList" `
-Tags $tag
```
**Note**
Items in a `StringList` must be separated by a comma (,). You can't use other punctuation or special characters to escape items in the list. If you have a parameter value that requires a comma, then use the `String` type.
1. Run the following command to verify the details of the parameter.
```
(Get-SSMParameterValue -Name "the-parameter-name-you-specified").Parameters
```
## Creating a SecureString parameter (Tools for Windows PowerShell)
Before you create a `SecureString` parameter, read about the requirements for this type of parameter. For more information, see [Creating a SecureString parameter using the AWS CLI](param-create-cli.md#param-create-cli-securestring).
**Important**
Only the *value* of a `SecureString` parameter is encrypted. Parameter names, descriptions, and other properties aren't encrypted.
**Important**
Parameter Store only supports [symmetric encryption KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose-key-spec.html#symmetric-cmks). You can't use an [asymmetric encryption KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) to encrypt your parameters. For help determining whether a KMS key is symmetric or asymmetric, see [Identifying symmetric and asymmetric KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html) in the *AWS Key Management Service Developer Guide*
1. Install and configure the AWS Tools for PowerShell (Tools for Windows PowerShell), if you haven't already.
For information, see [Installing the AWS Tools for PowerShell](https://docs.aws.amazon.com/powershell/latest/userguide/pstools-getting-set-up.html).
1. Run the following command to create a parameter. Replace each *example resource placeholder* with your own information.
**Note**
To create a parameter with a tag, first create the service.model.tag as a variable. Here is an example.
```
$tag = New-Object Amazon.SimpleSystemsManagement.Model.Tag
$tag.Key = "tag-key"
$tag.Value = "tag-value"
```
```
Write-SSMParameter `
-Name "parameter-name" `
-Value "parameter-value" `
-Type "SecureString" `
-KeyId "an AWS KMS key ID, an AWS KMS key ARN, an alias name, or an alias ARN" `
-Tags $tag
```
If successful, the command returns the version number of the parameter.
**Note**
To use the AWS managed key assigned to your account, remove the `-KeyId` parameter from the command.
Here is an example that uses an obfuscated name (3l3vat3131) for a password parameter and an AWS managed key.
```
Write-SSMParameter `
-Name "/Finance/Payroll/3l3vat3131" `
-Value "P@sSwW)rd" `
-Type "SecureString"`
-Tags $tag
```
1. Run the following command to verify the details of the parameter.
```
(Get-SSMParameterValue -Name "the-parameter-name-you-specified" –WithDecryption $true).Parameters
```
By default, all `SecureString` values are displayed as cipher-text. To decrypt a `SecureString` value, a user must have permission to call the AWS KMS [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) API operation. For information about configuring AWS KMS access control, see [Authentication and Access Control for AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/control-access.html) in the *AWS Key Management Service Developer Guide*.
**Important**
If you change the KMS key alias for the KMS key used to encrypt a parameter, then you must also update the key alias the parameter uses to reference AWS KMS. This only applies to the KMS key alias; the key ID that an alias attaches to stays the same unless you delete the whole key.