AWS Systems Manager Parameter Store
Parameter Store is a centralized configuration data store for named values called parameters. A parameter is any piece of data stored in Parameter Store, such as a block of text, a list of names, an AMI ID, a license key, and so on. With Parameter Store, you can securely store, organize, and retrieve configuration data at scale.
Parameter Store simplifies configuration management across environments. You can standardize how applications access critical data at runtime without hardcoding values or relying on fragmented storage solutions. In this way, you maintain consistency, enforce governance, and build more secure and maintainable systems.
Parameter Store supports the following parameter types:
-
StringUse this type for plain text values, such as environment names, endpoint URLs, or resource identifiers.
-
StringListUse this type for a comma-separated list of plain-text values. For example, you could store the value
subnet-123abc,subnet-456def,subnet-789ghi. -
SecureStringUse
SecureStringfor configuration values that require encryption, such as service endpoints and account identifiers. For secrets such as database credentials, API keys, or tokens, we recommend AWS Secrets Manager, which provides purpose built security controls including automatic rotation and cross-region replication.Parameter Store encrypts the values using AWS Key Management Service.
For more information about parameter types, see Parameter Store reference.
Where should I store my application data?
Use the following table to choose a service for your application data.
Note
If you manage credentials such as usernames, passwords, or any other secrets, we recommend using AWS Secrets Manager. Secrets Manager is purpose-built for managing secrets such as database credentials, API keys, and supported third-party software-vended secrets. For more information, see What is AWS Secrets Manager? in the AWS Secrets Manager User Guide.
| Feature | Parameter Store | AWS AppConfig | AWS Secrets Manager |
|---|---|---|---|
|
Use cases |
|
|
|
|
Typical data |
|
|
|
|
Encryption |
Optional with |
AWS managed encryption at rest; optional additional customer managed key |
AWS KMS encryption at rest with an AWS managed or customer managed key |
|
Credential rotation |
None |
Not applicable |
Automatic, with native database integrations |
|
Cost |
Standard tier free; advanced tier and higher throughput billed |
Billed per configuration request |
Billed per secret per month and per API call |
|
Deployment |
Versioning without pre-deployment validation or automatic rollback |
Gradual rollout, pre-deployment validation, and automatic rollback on CloudWatch Logs alarms |
Versioning with staging labels |
Parameter Store features
Parameter Store supports the following features:
-
Centralized configuration updates
Update your configuration without code changes or redeployments, improving operational agility and reducing risk. For example, you can update /myapp/prod/inventory-service-endpoint to point to a new endpoint after migrating the inventory service.
-
High-performance throughput option
Parameter Store provides a default throughput suitable for lower-scale workloads. For large or latency-sensitive applications that need higher request rates, you can enable high-throughput mode for an additional cost.
If your application retrieves parameters frequently or at scale, evaluate throughput settings early to avoid throttling. For information about enabling high throughput, see Managing Parameter Store throughput.
-
Hierarchical parameter management
Use parameter hierarchies to group related parameters, making it easier to discover, manage, and filter them across environments and applications. For example, you can create the naming convention /env/computer-type/app/data, and then create application-specific parameters such as /dev/webserver/linux/approved-ami and /dev/webserver/windows/approved-ami. You can retrieve the path /dev/webserver to find all web server parameters for development environments, or /dev/webserver/linux to find only Linux image parameters.
-
Versioning
Parameter Store retains the 100 most recent versions of each parameter. When you investigate operational issues, you can review and reconstruct previous values.
-
Integration with IAM
Use IAM policies to determine whether an application can read, write, list, or delete parameters. For example, you could write an application role that can read parameters prefixed with /myapp/prod/* but not /myapp/dev/*. You could also grant a role permission to decrypt an encrypted parameter.
-
Accessibility from other AWS services
You can reference parameter values from other AWS services. Here are some examples:
-
Lambda functions can retrieve parameters and secrets using the Parameters and Secrets Lambda Extension.
-
Amazon Elastic Container Service and AWS Fargate allow you to inject environmental variables whose values are managed centrally in Parameter Store.
-
AWS CloudFormation templates can reference parameter values.
-
AWS AppConfig enables you to create configuration profiles that reference parameters, allowing you to safely deploy configuration changes using features such as gradual rollouts, alarm-based rollbacks, and built-in data validation.
-
AWS CodeBuild enables you to define environmental variables whose values are dynamically retrieved from Parameter Store at build time.
-
-
Shared account access
Centralize configuration data in a single AWS account and share parameters with other accounts that need access. For more information, see Working with shared parameters in Parameter Store.
-
OS patching
Amazon EC2 lets you specify the operating system for new instances by referencing a parameter instead of hardcoding an AMI (AMI) ID. This approach ensures your instances automatically use the latest patched and updated images. AWS and operating system vendors provide public parameters that track current AMI versions, so you don't have to manage updates manually. You can also define your own parameters to reference a centrally managed golden AMI, making it easier to enforce consistent, approved configurations across your organization.
-
Events and notifications
Automate workflows in Parameter Store by subscribing to parameter change events. You can also use change events to enforce expiration and receive notifications when a parameter hasn't been rotated within a specified timeframe.
Parameter tiers in Parameter Store
Parameter Store offers different parameter tiers that control storage limits: the maximum number and size of your parameters in an AWS account and Region. Configure each parameter individually to use either the standard tier or advanced tier.
You can mix standard and advanced parameters. For example, you can have up to 100,000 advanced parameters and 10,000 standard parameters in the same AWS account and Region. The following table describes the different features supported for each parameter type.
The following table describes the differences between parameter tiers.
| Feature or use case | Standard | Advanced |
|---|---|---|
|
Use case |
Best for most configuration data and low-scale workloads. This is the default. |
Best when you need higher limits, larger values, or parameter policies. |
|
Maximum parameters (per AWS account and AWS Region) |
10,000 |
100,000 |
|
Maximum value size |
4 KB |
8 KB |
|
Parameter policies |
Not supported |
Supported For more information, see Assigning parameter policies in Parameter Store. |
|
Shareability across AWS accounts |
Not supported |
Supported For more information, see Working with shared parameters in Parameter Store. |
|
Upgrade and downgrade capability |
Upgradeable |
Not downgradeable |
|
Cost |
No additional charge |
Charges apply For more information, see AWS Systems Manager
Pricing for Parameter Store |
Use standard parameters for most configuration data. Use advanced parameters only when you need capabilities that standard parameters don't support.
For a detailed comparison of standard and advanced parameters, see Choosing parameter tiers.