Your development team is planning to use the Systems Manager to store parameters. These parameters will be encrypted using the Key Management service. You need to define the IAM policies in IAM roles to ensure that the parameters are retrieved successfully. Which of the following permissions would you need to include in the IAM policy? (Select TWO.)

Answer options:

A.Allow the ssm:GetParameter action for the parameters.
B.Allow the ssm:PutParameter action for the SSM Parameter Store resource.
C.Allow the kms:Decrypt action for the KMS CMK used by the parameters.
D.Allow the kms:Encrypt action for the KMS CMK used by the parameters.

Answer – A and C
This is mentioned in the AWS Documentation.
Option A is CORRECT because the ssm:GetParameter action is required to get the parameters from SSM Parameter Store.
Option B is incorrect because the ssm:PutParameter action is used to create a new parameter, which is not required in this scenario.
Option C is CORRECT because the kms:Decrypt action is required so that the encrypted parameters can be retrieved successfully from the SSM Parameter Store.
Option D is incorrect because the kms:Encrypt action is not used when you try to retrieve an encrypted parameter from SSM Parameter Store.
For more information on KMS and the parameter store, please visit the below URL
https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html