Leveraging AWS RAM and SSM Parameter Store for Cross-Account Sharing with Shared Parameters

Managing configuration data across multiple AWS accounts has traditionally been challenging. Previously, creating a Parameter Store for each account, even for identical values, meant dealing with duplication of effort, maintaining consistency, and managing updates across accounts. Each account required manual entry of parameters,

which was not only time-consuming but also prone to errors. Ensuring that all accounts had the same values added complexity and increased the risk of discrepancies.

AWS Systems Manager Parameter Store integrates with AWS Resource Access Manager (AWS RAM) to enable this advanced parameter sharing. AWS RAM allows you to create a resource share, specifying which resources to share, the permissions to grant, and the consumers to include.

This integration makes parameter management more efficient and consistent across multiple accounts.

Consumers can be specific

• AWS accounts,

• organizational units,

• entire organization within AWS Organizations.

Prerequisites for Sharing Parameters

• Ownership: You must own the parameter in your AWS account. Shared parameters cannot be re-shared.

• Advanced Parameter Tier: Only parameters in the advanced tier can be shared. See "Managing parameter tiers" for details on upgrading standard parameters.

• SecureString Parameters: Must be encrypted with a customer-managed key, which needs to be shared separately via AWS Key Management Service (KMS). AWS managed keys cannot be shared. Update parameters encrypted with default AWS managed keys to use a customer-managed key.

• AWS Organizations: To share parameters with your organization or an organizational unit, enable sharing with AWS Organizations. Refer to "Enable Sharing with AWS Organizations" in the AWS RAM User Guide for more details.

1) First, create a Parameter Store entry using the advanced tier and provide the necessary value. Once this is done, proceed with the remaining steps.

2) Navigate to RAM(Resource Access Manager) service and then click on Create Resource Share

3) On the create share page, enter a name, choose "Parameter Store Advanced Parameter," and check the box for each advanced parameter you want to share.

4) When creating a resource share in AWS RAM, you can grant read-only access using one of two AWS managed permission sets:

• AWSRAMDefaultPermissionSSMParameterReadOnly: Allows DescribeParameters, GetParameter, GetParameters.

• AWSRAMPermissionSSMParameterReadOnlyWithHistory: Allows DescribeParameters, GetParameter, GetParameters, GetParameterHistory.

Enter the principal value based on your selection: for an account, provide the account number; for an IAM user or role, provide the appropriate ARN; for an organization, provide the organization ID,

If you want to restrict sharing within your organization, check the corresponding box. Click "Next" to proceed. On the final page, review the principal type and value, then click "Create resource share."

5) Accessing shared parameter details with AWS CLI utilize the get-parameter or get-parameters commands. Specify the full parameter ARN as the --name to access parameters from another account.

Example:

aws ssm get-parameter --name arn:aws:ssm:us-east-2:123456789012:parameter/MySharedParameter

6) Stop or Deleting the sharing of the resource

Ceasing the sharing of a shared parameter revokes access for the consumer account.

To discontinue sharing a parameter you own, remove it from the resource share. This can be accomplished through the Systems Manager console, AWS RAM console, or AWS CLI.

conclusion

In conclusion, the combination of AWS RAM and SSM Advanced Parameters streamlines configuration data management across AWS accounts. Shared parameters through AWS SSM Parameter Store enhance efficiency and consistency.