Apr 17, 2025 - 15:00
How to share SSM Parameters across AWS accounts easily

Managing configuration settings for multiple AWS accounts might seem overwhelming, but it’s actually easy using AWS Systems Manager (SSM) Parameter Store. You can keep all your configuration data in one place and share it safely with other accounts using AWS Resource Access Manager (RAM).

What are Shared Parameters?

Think of shared parameters as a way to avoid the hassle of duplicating configuration data across accounts. Instead of managing the same values separately, you store them centrally in AWS Parameter Store and share them with other accounts that need access. It’s efficient, secure and saves you time.

AWS RAM makes it even easier by letting you:

  • Pick what to share (like an SSM parameter).
  • Decide who gets access (specific accounts, groups or entire AWS Organizations).
  • Set permissions (read-only access).

I began using SSM Parameters to solve a challenge with Route 53 NS entries for DNS delegation between AWS accounts. One account kept recreating its Route 53 zone files via IaC, causing the NS values to change frequently. To automate fetching the updated values and keep DNS delegation intact, I turned to shared parameters in SSM Parameter Store and it was the perfect solution.

Before you start - what you need

  • Advanced Tier parameters only: You can only share Advanced Tier parameters, not Standard ones.
  • Encryption for SecureString: If the parameter is encrypted, it must use a customer-managed KMS key. AWS-managed keys won’t work, so make sure to share the KMS key separately.
  • AWS Organizations Enabled: If you’re sharing within an AWS Organization, ensure sharing is enabled in AWS RAM.

Step-by-step example: sharing and accessing a Parameter

Step 1: Create the Parameter in the Source Account

In the source account, create an Advanced Tier parameter in AWS Systems Manager Parameter Store. You can do this via the console, CLI or SDKs.

Important: Standard parameters cannot be shared between accounts, so make sure the parameter is Advanced Tier.

Step 2: Share the Parameter with AWS RAM

Run the following command in the source account to share the parameter with the target account:

aws ram create-resource-share \
    --name "MyParameter" \
    --resource-arns "arn:aws:ssm:REGION:SOURCE_ACCOUNT_ID:parameter/NAME_OF_PARAMETER" \
    --principals "TARGET_ACCOUNT_ID"

Replace the placeholders as follows:

  • REGION: The AWS region where the parameter exists.
  • SOURCE_ACCOUNT_ID: The ID of the AWS account where the parameter exists.
  • NAME_OF_PARAMETER: The name of the parameter you want to share.
  • TARGET_ACCOUNT_ID: The ID of the AWS account you’re sharing the parameter with.

Step 3: Accept the Share in the Target Account

Now, log in to the target account (the account you shared the parameter with). Here’s what you need to do:

  • Open the AWS RAM Console.
  • Go to the Pending Invites section.
  • Find the invite for the resource share and click Accept.

Note: This step is essential. The target account won’t be able to access the parameter until the invitation is accepted.

Step 4: Find the ARN of the Shared Parameter

In the target account, use the following command to get a list of shared resources:

aws ram list-resources --resource-owner OTHER-ACCOUNTS

This command will return a list of shared resources, including the ARN of the shared parameter. Look for the ARN of the parameter. It will look something like this:

arn:aws:ssm:REGION:SOURCE_ACCOUNT_ID:parameter/NAME_OF_PARAMETER

Important: The aws ssm describe-parameters --shared command will not work for shared parameters, so always use aws ram list-resources.

Step 5: Retrieve the Parameter Value

Now that you have the ARN of the shared parameter, you can use it to retrieve the parameter value. Run this command:

aws ssm get-parameter --name ARN_OF_SSM_PARAMETER

If the parameter is encrypted as a SecureString, you’ll need to include the --with-decryption flag:

aws ssm get-parameter \
    --name ARN_OF_SSM_PARAMETER \
    --with-decryption

Replace ARN_OF_SSM_PARAMETER with the ARN you identified in Step 4.
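The five steps above collected into one script, as an added example that is not part of the original post. The account IDs, region, CLI profile names and parameter name are assumed placeholders; it also shows Step 3 done from the CLI rather than the console, and builds the parameter ARN so that a leading slash in the name does not produce a double slash.

```shell
# Added example (not from the original post): the five steps above as one POSIX sh script.
# Account IDs, region, profile names and the parameter name are assumed placeholders.
set -eu
REGION="eu-west-1"
SOURCE_ACCOUNT_ID="111111111111"   # constructed placeholder
TARGET_ACCOUNT_ID="222222222222"   # constructed placeholder
PARAM_NAME="/dns/example-zone/ns"  # assumed name; holds the delegated zone's NS records
SOURCE_PROFILE="source"            # assumed AWS CLI profiles for the two accounts
TARGET_PROFILE="target"
# Build the ARN the target account passes to get-parameter. A leading slash in the
# name is dropped so "/a/b" becomes ".../parameter/a/b", not ".../parameter//a/b".
param_arn() {
  printf 'arn:aws:ssm:%s:%s:parameter/%s\n' "$1" "$2" "${3#/}"
}

# Steps 1 and 2, run with source-account credentials.
share_from_source() {
  # Only Advanced Tier parameters can be shared, so the tier is set explicitly.
  aws ssm put-parameter --profile "$SOURCE_PROFILE" --region "$REGION" \
    --name "$PARAM_NAME" --type StringList --tier Advanced --overwrite \
    --value "ns-1.example.net,ns-2.example.org"
  # --allow-external-principals is only needed when the target is outside your Organization.
  aws ram create-resource-share --profile "$SOURCE_PROFILE" --region "$REGION" \
    --name "dns-ns-share" --allow-external-principals \
    --resource-arns "$(param_arn "$REGION" "$SOURCE_ACCOUNT_ID" "$PARAM_NAME")" \
    --principals "$TARGET_ACCOUNT_ID"
}

# Steps 3 to 5, run with target-account credentials.
read_from_target() {
  # Step 3 from the CLI: accept the pending invitation instead of clicking Accept in the console.
  inv=$(aws ram get-resource-share-invitations --profile "$TARGET_PROFILE" --region "$REGION" \
    --query "resourceShareInvitations[?status=='PENDING'].resourceShareInvitationArn | [0]" --output text)
  if [ "$inv" != "None" ]; then
    aws ram accept-resource-share-invitation --profile "$TARGET_PROFILE" --region "$REGION" \
      --resource-share-invitation-arn "$inv" >/dev/null
  fi
  # Step 4: RAM, not "ssm describe-parameters --shared", lists the shared parameter's ARN.
  arn=$(aws ram list-resources --profile "$TARGET_PROFILE" --region "$REGION" \
    --resource-owner OTHER-ACCOUNTS \
    --query "resources[?contains(arn, ':parameter/')].arn | [0]" --output text)
  # Step 5: read by ARN; --with-decryption is ignored for StringList, required for SecureString.
  aws ssm get-parameter --profile "$TARGET_PROFILE" --region "$REGION" \
    --name "$arn" --with-decryption --query Parameter.Value --output text
}
case "${1:-}" in
  source) share_from_source ;;
  target) read_from_target ;;
esac
```

Run it as `sh share-ssm.sh source` with source-account credentials, then `sh share-ssm.sh target` with target-account credentials; the target run prints the NS record list.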

Points to keep in mind

Sharing SecureString Parameters:

If the parameter is encrypted with a SecureString, make sure the KMS key used to encrypt the parameter is also shared with the target account. You can refer to this guide to learn how to share a KMS key with another account.
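As an added example (not from the original post or the guide it links to), the statement to add to the customer-managed key’s policy in the source account so that the target account can decrypt the SecureString; the target account ID and region are assumed placeholders, and the kms:ViaService condition limits use of the key to Parameter Store calls in that region:

```json
{
  "Sid": "AllowTargetAccountToDecryptSharedParameter",
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::222222222222:root" },
  "Action": "kms:Decrypt",
  "Resource": "*",
  "Condition": {
    "StringEquals": { "kms:ViaService": "ssm.eu-west-1.amazonaws.com" }
  }
}
```

Append this to the existing key policy rather than replacing it, since put-key-policy overwrites the whole document and the source account’s administrative statements must stay; the IAM identity in the target account that calls get-parameter also needs kms:Decrypt on the key in its own policy.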

Using the right CLI commands:

The aws ram list-resources command is the best way to find the ARN of a shared parameter. Other commands like aws ssm describe-parameters --shared may not work as expected.

Who can use Shared Parameters?

When you share a parameter, the target account gets read-only access. This means they can:

  • View the current value of the parameter.
  • Access historical values (if allowed by permissions).

They cannot update, delete or re-share the parameter.

Works great with:
Doesn’t work with:

How Much Does It Cost?

  • Source Account (Owner): pays for parameter storage (e.g., $0.05/month per Advanced Tier parameter).
  • Target Account (Consumer): pays for API calls to access the shared parameter (e.g., $0.05 for 10,000 API requests).

Both accounts have independent usage limits, so one account’s usage won’t impact the other.

Sharing parameters in AWS Parameter Store is an easy way to manage configurations securely and save time. Learn more from the AWS documentation.