Your development team is planning to use Systems Manager to store parameters.
These parameters will be encrypted using the Key Management Service (KMS).
You need to define the IAM policies for the IAM roles so that the parameters can be retrieved successfully.
Which of the following permissions would you need to include in the IAM policy? (Select TWO.)
A. B. C. D.
Answer - A and C.
This is mentioned in the AWS Documentation.
Option A is CORRECT because the ssm:GetParameter action is required to get the parameters from SSM Parameter Store.
Option B is incorrect because the ssm:PutParameter action is used to create a new parameter, which is not required in this scenario.
Option C is CORRECT because the kms:Decrypt action is required so that the encrypted parameters can be retrieved successfully from the SSM Parameter Store.
Option D is incorrect because the kms:Encrypt action is not used when you try to retrieve an encrypted parameter from SSM Parameter Store.
For more information on KMS and the parameter store, please visit the below URL.
https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html
To store parameters securely in the Systems Manager Parameter Store, your development team is planning to encrypt them using the Key Management Service (KMS). To ensure that the parameters can be retrieved successfully, you need to define the IAM policies in IAM roles. Specifically, you need to include the following two permissions in the IAM policy:
Allow the ssm:GetParameter action for the parameters: This permission allows the IAM role to retrieve the encrypted parameters from the Systems Manager Parameter Store. Without this permission, the IAM role won't be able to read the encrypted parameters.
Allow the kms:Decrypt action for the KMS CMK used by the parameters: This permission allows the IAM role to decrypt the encrypted parameters using the KMS customer master key (CMK). The KMS CMK is used to encrypt the parameters stored in the Systems Manager Parameter Store. Without this permission, the IAM role won't be able to decrypt the encrypted parameters.
So, to summarize, you need to include the ssm:GetParameter and kms:Decrypt permissions in the IAM policy for the IAM role that will retrieve the encrypted parameters from the Systems Manager Parameter Store.
On the other hand, ssm:PutParameter and kms:Encrypt permissions are related to adding new parameters to the Parameter Store or encrypting new parameters respectively, and are not necessary for retrieving encrypted parameters.
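The two permissions above written as a read-only role policy, with a small checker that reports missing read permissions and unneeded write permissions. This is an added example, not from the original page or from AWS; the account ID, parameter path, key ID and function names are constructed placeholders, and the checker is simplified: it looks only at Allow statements and Action patterns and ignores Deny, NotAction, Condition and Resource scoping.

```python
import fnmatch

# Constructed sample values: placeholder account ID, parameter path and key ID.
PARAM_ARN = "arn:aws:ssm:us-east-1:111122223333:parameter/app/prod/*"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:GetParameter", "Resource": PARAM_ARN},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN},
    ],
}

REQUIRED = ("ssm:GetParameter", "kms:Decrypt")  # needed to read an encrypted parameter
UNNEEDED = ("ssm:PutParameter", "kms:Encrypt")  # write path, not needed for retrieval


def _as_list(value):
    """IAM allows Statement and Action to be a single item or a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy, candidates):
    """Return the candidate actions matched by any Allow statement's Action patterns."""
    hits = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for pattern in _as_list(stmt["Action"]):
            for action in candidates:
                # IAM action names are case-insensitive and accept * and ? wildcards.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    hits.add(action)
    return hits


def audit_read_role(policy):
    """Report required actions that are missing and write-side actions that are excess."""
    granted = allowed_actions(policy, REQUIRED + UNNEEDED)
    return {
        "missing": sorted(set(REQUIRED) - granted),
        "excess": sorted(set(UNNEEDED) & granted),
    }


if __name__ == "__main__":
    print(audit_read_role(READ_POLICY))
```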