AWS IAM Permissions Guardrails

AWS IAM Permissions Guardrails https://aws-samples.github.io/aws-iam-permissions-guardrails/


AWS Secrets Manager

Each guardrail below lists its identifier, the guardrail, the rationale, the remediation, the references, and the IAM actions it covers.

Identifier: IAM-SECRETSMANAGER-1
Guardrail: Check that DeleteSecret is appropriately scoped and limited to authorized principals.
Rationale: Deleting a secret makes it immediately inaccessible and can break applications that depend on it.
Remediation: Check that only authorized principals can invoke DeleteSecret. Scope the permission to specific secret ARNs, or with the condition keys secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, or a tag (secretsmanager:ResourceTag/<tag-key>). Optionally prevent the recovery window from being bypassed with Deny statements conditioned on secretsmanager:ForceDeleteWithoutRecovery and secretsmanager:RecoveryWindowInDays: a normal deletion keeps the secret restorable for the recovery window (7 to 30 days, default 30), whereas a force delete removes it without that window.
References:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_delete-restore-secret.html
https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_iam-permissions.html#iam-contextkeys
IAM Actions: secretsmanager:DeleteSecret

Identifier: IAM-SECRETSMANAGER-2
Guardrail: Check that only authorized principals are able to retrieve a secret value.
Rationale: Sensitive or confidential information (e.g., credentials) is expected to be stored in AWS Secrets Manager. Limiting GetSecretValue to the principals that need it reduces the risk of unauthorized access.
Remediation: Check that only authorized principals can invoke GetSecretValue. Specify the secret resource ARN rather than "*", and additionally scope with the condition key secretsmanager:SecretId or a tag (secretsmanager:ResourceTag/<tag-key>).
References:
https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_iam-permissions.html#iam-contextkeys
IAM Actions: secretsmanager:GetSecretValue

Identifier: IAM-SECRETSMANAGER-3
Guardrail: Check for separation of duties between managing a secret and reading or writing its value.
Rationale: An administrator is needed to create secrets via CreateSecret. Populating the secret value, which covers both reading it (GetSecretValue) and writing it (PutSecretValue), should be done by a separate principal; ideally only automation generates a (random) secret value and rotates the secret. Separating management of the secret from access to the secret data reduces the risk of unauthorized access.
Remediation: Check that the principal allowed CreateSecret (administration) is distinct from the principal allowed GetSecretValue and PutSecretValue (secret value). Note that CreateSecret itself accepts an initial SecretString or SecretBinary, so the administrator's policy alone does not keep them from setting the first value; the value should be generated and written by the rotation automation.
IAM Actions: secretsmanager:CreateSecret
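The three guardrails above, implemented as a static lint over IAM policy JSON. This is an added example, not code from the aws-iam-permissions-guardrails project; the policy documents, account id, secret name, tag keys and principal names are constructed placeholders, and the checks only look at Allow/Deny statements in the documents they are handed (a permissions boundary or SCP elsewhere could narrow the effective permissions).

```python
"""Static checks for IAM-SECRETSMANAGER-1/2/3 over policy documents.

Added example; not part of the aws-iam-permissions-guardrails project.
All policies, ARNs, tags and principal names below are constructed.
"""
import fnmatch

SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db/password-AbCdEf"

# Condition keys that narrow a Secrets Manager statement to particular secrets.
SCOPING_KEYS = ("secretsmanager:SecretId",
                "secretsmanager:resource/AllowRotationLambdaArn",
                "secretsmanager:ResourceTag/")


def _aslist(v):
    return v if isinstance(v, list) else [v]


def _covers(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_keys(stmt):
    return [k for op in stmt.get("Condition", {}).values() for k in op]


def statements(policy, effect, action):
    """Statements with the given Effect whose Action/NotAction covers `action`."""
    out = []
    for s in _aslist(policy["Statement"]):
        if s.get("Effect") != effect:
            continue
        if "NotAction" in s:
            hit = not any(_covers(p, action) for p in _aslist(s["NotAction"]))
        else:
            hit = any(_covers(p, action) for p in _aslist(s.get("Action", [])))
        if hit:
            out.append(s)
    return out


def is_scoped(stmt):
    """Scoped = specific secret ARNs, or a scoping condition key.
    "*" and "arn:...:secret:*" both still cover every secret in the account."""
    resources = _aslist(stmt.get("Resource", "*"))
    if all(r != "*" and not r.endswith(":secret:*") for r in resources):
        return True
    return any(k.startswith(p) for k in _condition_keys(stmt) for p in SCOPING_KEYS)


def has_deny(policy, action, key):
    return any(key in _condition_keys(s) for s in statements(policy, "Deny", action))


def check_sm1(policy):
    """IAM-SECRETSMANAGER-1: DeleteSecret scoped; force delete / short window denied."""
    allows = statements(policy, "Allow", "secretsmanager:DeleteSecret")
    findings = ["DeleteSecret allowed without resource or condition scoping"
                for s in allows if not is_scoped(s)]
    for key in ("secretsmanager:ForceDeleteWithoutRecovery",
                "secretsmanager:RecoveryWindowInDays"):
        if allows and not has_deny(policy, "secretsmanager:DeleteSecret", key):
            findings.append(f"no Deny conditioned on {key}")
    return findings


def check_sm2(policy):
    """IAM-SECRETSMANAGER-2: GetSecretValue must be scoped to particular secrets."""
    return ["GetSecretValue allowed without resource or condition scoping"
            for s in statements(policy, "Allow", "secretsmanager:GetSecretValue")
            if not is_scoped(s)]


def check_sm3(policies_by_principal):
    """IAM-SECRETSMANAGER-3: no principal may both create secrets and touch values."""
    offenders = []
    for name, policy in policies_by_principal.items():
        creates = statements(policy, "Allow", "secretsmanager:CreateSecret")
        touches = (statements(policy, "Allow", "secretsmanager:GetSecretValue")
                   or statements(policy, "Allow", "secretsmanager:PutSecretValue"))
        if creates and touches:
            offenders.append(name)
    return offenders


# Constructed: an over-broad policy that fails guardrails 1 and 2.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}]}

# Constructed: a rotation principal limited to one tagged secret's value.
ROTATION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue"],
     "Resource": SECRET_ARN,
     "Condition": {"StringEquals": {"secretsmanager:ResourceTag/Rotation": "enabled"}}}]}

# Constructed: a secret administrator. DeleteSecret is scoped by tag, and the two
# Deny statements stop a force delete or a recovery window shorter than 14 days.
# NumericLessThan does not fire when the key is absent, which is fine: an
# absent RecoveryWindowInDays means the 30-day default applies.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["secretsmanager:CreateSecret", "secretsmanager:TagResource"]},
    {"Effect": "Allow", "Action": "secretsmanager:DeleteSecret", "Resource": "*",
     "Condition": {"StringEquals": {"secretsmanager:ResourceTag/Team": "platform"}}},
    {"Effect": "Deny", "Action": "secretsmanager:DeleteSecret", "Resource": "*",
     "Condition": {"Bool": {"secretsmanager:ForceDeleteWithoutRecovery": "true"}}},
    {"Effect": "Deny", "Action": "secretsmanager:DeleteSecret", "Resource": "*",
     "Condition": {"NumericLessThan": {"secretsmanager:RecoveryWindowInDays": "14"}}}]}

PRINCIPALS = {"secrets-admin": ADMIN_POLICY, "rotation-lambda": ROTATION_POLICY,
              "legacy-admin": BROAD_POLICY}

if __name__ == "__main__":
    for name, pol in PRINCIPALS.items():
        print(name, check_sm1(pol), check_sm2(pol))
    print("SM-3 violations:", check_sm3(PRINCIPALS))
```

In practice, feed these checks the documents returned by `aws iam get-policy-version` (and inline policies from `get-role-policy`) for each principal, and confirm any hit with the IAM policy simulator before treating it as a finding, since the lint does not evaluate permissions boundaries, SCPs or resource policies attached to the secret.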