Here’s a small “pro-tip” I discovered this morning regarding SSM parameters and an IAM policy document that grants access to them if they all have the same name but exist in multiple regions.

The traditional way to allow an AWS service to access an SSM parameter in a given region is to write an IAM policy document like this (this is in YAML):

Effect: Allow
Action:
    - SSM:GetParameter
Resource:
    - arn:aws:ssm:{region}:{account}:parameter/your/parameter/here

But let’s say you have a service in an AWS region that needs to access SSM parameters in different regions. All these SSM parameters have the same name but different values in different regions. You don’t know which regions these will be in advanced — say that the SSM parameter value is set in a different stack that you’d want to deploy in another region without needing to modifying the IAM policy.

I discovered this morning that it’s possible to replace the region with an asterisk (*) in the resource ARN within the IAM policy document, thereby granting access to this named SSM parameter in all regions. Such a policy document would then look like the following:

Effect: Allow
Action:
    - SSM:GetParameter
Resource:
    - arn:aws:ssm:*:{account}:parameter/your/parameter/here

Only downside of this approach would be that it violates the principal of least privilege, which may be a fair enough compromise if your goal is to reduce the number of downstream changes you’d like to make when deploying separate stacks. This tolerance level might be different for you depending on the team your working on.