diff --git a/src/aibs_informatics_cdk_lib/common/aws/iam_utils.py b/src/aibs_informatics_cdk_lib/common/aws/iam_utils.py
index ba7a590..5c2643f 100644
--- a/src/aibs_informatics_cdk_lib/common/aws/iam_utils.py
+++ b/src/aibs_informatics_cdk_lib/common/aws/iam_utils.py
@@ -118,6 +118,12 @@ SNS_FULL_ACCESS_ACTIONS = ["sns:*"]
+SSM_READ_ACTIONS = [
+ "ssm:GetParameter",
+ "ssm:GetParameters",
+ "ssm:GetParametersByPath",
+]
+
 def batch_policy_statement(
 env_base: Optional[EnvBase] = None,
@@ -229,7 +235,7 @@ def s3_policy_statement(
 )
-def ses_policty_statement(
+def ses_policy_statement(
 actions: List[str] = SES_FULL_ACCESS_ACTIONS,
 sid: str = "SESFullAccess",
 ) -> iam.PolicyStatement:
@@ -263,7 +269,7 @@ def sfn_policy_statement(
 )
-def sns_policty_statement(
+def sns_policy_statement(
 actions: List[str] = SNS_FULL_ACCESS_ACTIONS,
 sid: str = "SNSFullAccess",
 ) -> iam.PolicyStatement:
@@ -279,6 +285,14 @@ def sns_policty_statement(
 )
+def ssm_policy_statement(
+ actions: List[str] = SSM_READ_ACTIONS, sid: str = "SSMParamReadActions"
+) -> iam.PolicyStatement:
+ return iam.PolicyStatement(
+ sid=sid, actions=actions, effect=iam.Effect.ALLOW, resources=[build_arn(service="ssm")]
+ )
+
+
 def grant_managed_policies(
 role: Optional[iam.IRole],
 *managed_policies: Union[str, iam.ManagedPolicy],
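Review bot: `ssm_policy_statement` in the last hunk hard-codes `resources=[build_arn(service="ssm")]`, so every caller gets the read actions on whatever that ARN covers — presumably every parameter in the account/region, since no parameter name or path is supplied — with no way to narrow the grant to the parameter prefix a role actually needs. The other statement builders visible in this diff take only `actions` and `sid`, but a read-only statement is exactly where a scoped resource pays off, so a backward-compatible optional parameter would keep least privilege reachable: `actions: List[str] = SSM_READ_ACTIONS, sid: str = "SSMParamReadActions", resources: Optional[List[str]] = None` and `resources=resources or [build_arn(service="ssm")]`. The function also has no docstring; a short one should state that the default resource is account/region-wide and that reading `SecureString` parameters additionally depends on `kms:Decrypt` for the key, which this statement does not grant. `grant_managed_policies` starts in this hunk and continues outside it.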