SSM Parameter Store Hierarchy
Overview
Centralized configuration management using AWS Systems Manager Parameter Store with production values and secure string encryption for sensitive data.
SIMPLIFIED: This hierarchy has been significantly reduced to include only parameters that are actually used by the application. All unused parameters have been removed to reduce complexity and maintenance overhead.
Parameter Hierarchy Structure (Only Used Parameters)
```
/bedrock-budgeteer/production/
├── cost/
│   └── budget_refresh_period_days
└── monitoring/
    └── log_retention_days

/bedrock-budgeteer/global/
├── thresholds_percent_warn
├── thresholds_percent_critical
├── default_user_budget_usd
├── grace_period_seconds
├── api_key_pool_budget_usd
├── budget_tier_low_usd
├── budget_tier_medium_usd
├── budget_tier_high_usd
├── api_key_global_cap_usd
└── agentcore/
    ├── global_budget_limit_usd
    ├── grace_period_seconds
    ├── warning_threshold_percent
    ├── critical_threshold_percent
    └── default_per_agent_budget_usd
```
Parameter Details
1. Cost Configuration (Environment-Specific)
Path: /bedrock-budgeteer/production/cost/
| Parameter | Type | Value | Description | Used By |
|---|---|---|---|---|
| budget_refresh_period_days | String | 30 | Budget refresh period in days | User setup & usage calculator Lambdas |
2. Monitoring Configuration (Environment-Specific)
Path: /bedrock-budgeteer/production/monitoring/
| Parameter | Type | Value | Description | Used By |
|---|---|---|---|---|
| log_retention_days | String | 7 | CloudWatch log group retention period in days | All CloudWatch log groups (Lambda functions, Step Functions, Bedrock logs) |
3. Global Configuration
Path: /bedrock-budgeteer/global/
| Parameter | Type | Value | Description | Used By |
|---|---|---|---|---|
| thresholds_percent_warn | String | 70 | Budget warning threshold percentage | ConfigurationManager in Lambdas |
| thresholds_percent_critical | String | 90 | Budget critical threshold percentage | ConfigurationManager in Lambdas |
| default_user_budget_usd | String | 1 | Default budget limit for users in USD | User setup and usage calculator Lambdas |
| grace_period_seconds | String | 300 | Grace period in seconds before suspending users who exceed budget | Budget monitor and suspension workflows |
4. AgentCore Configuration (Global)
Path: /bedrock-budgeteer/global/agentcore/
Requires the enable_agentcore_budgeting feature flag in cdk.json.
| Parameter | Type | Value | Description | Used By |
|---|---|---|---|---|
| global_budget_limit_usd | String | 500 | Global budget limit for all AgentCore agents in USD | AgentCore budget monitor and budget manager Lambdas |
| grace_period_seconds | String | 3600 | Grace period in seconds before suspending agents that exceed budget | AgentCore budget monitor and suspension workflows |
| warning_threshold_percent | String | 75 | AgentCore budget warning threshold percentage | AgentCore budget monitor Lambda |
| critical_threshold_percent | String | 90 | AgentCore budget critical threshold percentage | AgentCore budget monitor Lambda |
| default_per_agent_budget_usd | String | none | Default per-agent budget limit in USD; “none” means no per-agent limit (global budget applies) | AgentCore usage calculator and budget manager Lambdas |
5. Key Provisioning Configuration (Global)
Path: /bedrock-budgeteer/global/
Requires the enable_key_provisioning feature flag in cdk.json.
| Parameter | Type | Value | Description | Used By |
|---|---|---|---|---|
| api_key_pool_budget_usd | String | 500 | Global budget pool shared by all unbudgeted (rogue) API keys in USD | Budget monitor Lambda |
| budget_tier_low_usd | String | 1 | Budget limit for low-tier CDK-provisioned API keys in USD | User setup Lambda |
| budget_tier_medium_usd | String | 5 | Budget limit for medium-tier CDK-provisioned API keys in USD | User setup Lambda |
| budget_tier_high_usd | String | 25 | Budget limit for high-tier CDK-provisioned API keys in USD | User setup Lambda |
| api_key_global_cap_usd | String | 1000 | Global cap guardrail across all API keys (budgeted + unbudgeted) in USD | Budget monitor Lambda |
Parameter Types
Standard String Parameters
- Usage: All parameters are standard string parameters
- Encryption: None (no sensitive data in these parameters)
- Cost: $0.05 per 10,000 requests
Access Patterns
Lambda Function Access
```python
import boto3


def get_parameter(parameter_name: str, decrypt: bool = False) -> str:
    """Get parameter value from SSM Parameter Store"""
    ssm = boto3.client('ssm')
    response = ssm.get_parameter(
        Name=parameter_name,
        WithDecryption=decrypt
    )
    return response['Parameter']['Value']


# Usage in Lambda function
# Values are always returned as strings (here "30")
budget_limit = get_parameter(
    '/bedrock-budgeteer/production/cost/budget_refresh_period_days'
)

# Global parameters
```
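Every value in the hierarchy is a plain String, so a typo or an unwanted edit in Parameter Store reaches the budget logic unchecked unless the reader validates it. The following added example (not the project's own code) validates a name-to-value mapping such as a `GetParametersByPath` read of the global path would yield, and raises instead of falling back to a default. The function names and `ConfigError` are hypothetical, and it assumes AgentCore budgeting is enabled so that all four parameters exist.

```python
from decimal import Decimal, InvalidOperation

GLOBAL = "/bedrock-budgeteer/global/"

class ConfigError(ValueError):
    """A parameter is missing, malformed or inconsistent."""

def parse_percent(raw: dict, name: str) -> int:
    value = raw.get(name, "").strip()
    # Accept plain ASCII digits only: no signs, decimals or exponents.
    if not (value.isascii() and value.isdigit() and 0 < int(value) <= 100):
        raise ConfigError(f"{name}: expected 1-100, got {value!r}")
    return int(value)

def parse_usd(raw: dict, name: str, allow_none: bool = False):
    value = raw.get(name, "").strip()
    if allow_none and value.lower() == "none":
        return None  # the page defines "none" as "no per-agent limit"
    try:
        amount = Decimal(value)
    except InvalidOperation:
        raise ConfigError(f"{name}: not a number: {value!r}") from None
    if not amount.is_finite() or amount <= 0:
        raise ConfigError(f"{name}: expected a positive amount, got {value!r}")
    return amount

def load_global_config(raw: dict) -> dict:
    """Validate name -> value strings as read from the global path."""
    warn = parse_percent(raw, GLOBAL + "thresholds_percent_warn")
    critical = parse_percent(raw, GLOBAL + "thresholds_percent_critical")
    if warn >= critical:
        raise ConfigError(f"warn ({warn}) must be below critical ({critical})")
    return {
        "warn_percent": warn,
        "critical_percent": critical,
        "default_user_budget_usd": parse_usd(raw, GLOBAL + "default_user_budget_usd"),
        "default_per_agent_budget_usd": parse_usd(
            raw, GLOBAL + "agentcore/default_per_agent_budget_usd", allow_none=True),
    }

# Constructed sample using the default values listed in the tables above.
SAMPLE = {
    GLOBAL + "thresholds_percent_warn": "70",
    GLOBAL + "thresholds_percent_critical": "90",
    GLOBAL + "default_user_budget_usd": "1",
    GLOBAL + "agentcore/default_per_agent_budget_usd": "none",
}
```

Only the per-agent budget accepts `none`; the same string in `default_user_budget_usd` is rejected, as are `NaN`, negative amounts and a warning threshold at or above the critical one.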
CDK Reference Access
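```python
from aws_cdk import aws_lambda as lambda_, aws_ssm as ssm

# In CDK constructs (`self` is the enclosing Stack or Construct)
# The value resolves at deploy time, so later parameter changes need a redeploy
budget_limit = ssm.StringParameter.value_for_string_parameter(
    self, '/bedrock-budgeteer/production/cost/budget_refresh_period_days'
)

# Use in Lambda environment variables
lambda_function = lambda_.Function(
    self, "BudgetMonitor",
    # runtime, handler and code are also required; omitted in this excerpt
    environment={
        'BUDGET_LIMIT': budget_limit,
        'ENVIRONMENT': 'production'
    }
)
```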
IAM Permissions
Read-Only Access (Lambda Functions)
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath"
      ],
      "Resource": [
        "arn:aws:ssm:*:*:parameter/bedrock-budgeteer/*"
      ]
    }
  ]
}
```
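The policy above is read-only and limited to the `/bedrock-budgeteer/` prefix, but the `*:*` in its ARN matches every region and account. The added check below (not the project's own code) flags such statements in a policy document and compares the page's policy with a scoped variant. The function names are hypothetical, the region and account ID are constructed placeholders, and `NotAction`/`NotResource` statements are not handled.

```python
import copy

READ_ACTIONS = {"ssm:getparameter", "ssm:getparameters", "ssm:getparametersbypath"}

# The policy from this page, as a Python dict.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
        "Resource": ["arn:aws:ssm:*:*:parameter/bedrock-budgeteer/*"],
    }],
}

# Constructed variant: region and account ID are placeholders, not project values.
SCOPED_POLICY = copy.deepcopy(PAGE_POLICY)
SCOPED_POLICY["Statement"][0]["Resource"] = [
    "arn:aws:ssm:us-east-1:111122223333:parameter/bedrock-budgeteer/*"
]


def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def audit_ssm_read_policy(policy: dict, prefix: str = "/bedrock-budgeteer/") -> list:
    """Return findings for Allow statements broader than read-only on `prefix`."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action.lower() not in READ_ACTIONS:
                findings.append(f"statement {index}: action outside read set: {action}")
        for arn in _as_list(stmt.get("Resource")):
            parts = arn.split(":", 5)
            if len(parts) != 6 or parts[2] != "ssm":
                findings.append(f"statement {index}: not an SSM ARN: {arn}")
                continue
            region, account, resource = parts[3:]
            if "*" in region or "?" in region:
                findings.append(f"statement {index}: wildcard region in {arn}")
            if "*" in account or "?" in account:
                findings.append(f"statement {index}: wildcard account in {arn}")
            if not resource.startswith("parameter" + prefix):
                findings.append(f"statement {index}: resource outside {prefix}: {arn}")
    return findings
```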
Management Examples
Setting Parameters via CLI
```bash
# Set budget refresh period to 30 days (default)
aws ssm put-parameter \
  --name "/bedrock-budgeteer/production/cost/budget_refresh_period_days" \
  --value "30" \
  --type "String" \
  --overwrite

# Set to 7 days for weekly refresh
aws ssm put-parameter \
  --name "/bedrock-budgeteer/production/cost/budget_refresh_period_days" \
  --value "7" \
  --type "String" \
  --overwrite

# Warning at 60%, Critical at 85%
aws ssm put-parameter \
  --name "/bedrock-budgeteer/global/thresholds_percent_warn" \
  --value "60" \
  --type "String" \
  --overwrite

aws ssm put-parameter \
  --name "/bedrock-budgeteer/global/thresholds_percent_critical" \
  --value "85" \
  --type "String" \
  --overwrite

# Set API key pool budget to $300
aws ssm put-parameter \
  --name "/bedrock-budgeteer/global/api_key_pool_budget_usd" \
  --value "300" \
  --type "String" \
  --overwrite

# Set global cap guardrail to $800
aws ssm put-parameter \
  --name "/bedrock-budgeteer/global/api_key_global_cap_usd" \
  --value "800" \
  --type "String" \
  --overwrite
```
Removed Parameters
The following parameter categories were removed as they were not used by any Lambda functions or constructs:
- Application Config: name, version, log_level, region
- Security Config: encryption_enabled, session_timeout, max_budget_amount, api_rate_limit
- Monitoring Config: error_threshold, latency_threshold, dashboard_refresh, log_retention_days
- Integration Config: bedrock_region, pricing_api_region, cloudtrail_enabled, notification_channels
- Most Cost Config: default_budget_limit, budget_alert_thresholds, cost_calculation_interval, suspension_threshold, grace_period_hours
- All Workflow Config: All 8 workflow parameters were unused
- Some Global Config: anomaly_detection_enabled, default_service_budget_usd, admin_emails
This simplification reduces the parameter count from ~50 to 9 parameters, making the system much easier to manage and understand.