Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

AWS Secret Manager - Restrict access through tags

0

Hi guys,

I want to restrict access to a secret on Secret Manager based on the secret tag.

For example, I have a lambda that need access to a secret, and on the lambda function I have an abstract role that grants access to all the secret, but on the secret itself, I want to write a resource based policy, that deny access to a lambda that does not have a specific tag, example: "prod".

This is the policy I wrote on the secret resource policy, that deny access to all resource, except if the resource have a tag "prod" or "dev" with tag key as "Environment":

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "secretmanager:*",
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {
                "aws:RequestTag/Environment": [
                    "prod",
                    "dev"
                ]
            },
            "ForAllValues:StringEquals": {
                "aws:TagKeys": "Environment"
            }
        }
    }
}

But I receive the following error message: This resource policy contains a syntax error.

Themen
Sicherheit, Identität & Konformität
Tags
AWS Identity and Access ManagementAWS GeheimnismanagerIAM-Richtlinien
Sprache
English
Renan Bueno
gefragt vor einem Jahr980 Aufrufe
1 Antwort
0

Hello,

Please check the following link which has reference on implementing ABAC model for AWS Secrets-manager - https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html

AWS
Vaishnavi Ganesan
beantwortet vor einem Jahr

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt