AWS Secrets Manager - Restrict access through tags

0

Hi guys,

I want to restrict access to a secret in Secrets Manager based on the secret's tag.

For example, I have a lambda that needs access to a secret, and on the lambda function I have an abstract role that grants access to all the secrets, but on the secret itself I want to write a resource-based policy that denies access to a lambda that does not have a specific tag, for example: "prod".

This is the policy I wrote as the secret's resource policy; it denies access to all resources, except if the resource has a tag with key "Environment" and value "prod" or "dev":

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "secretmanager:*",
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {
                "aws:RequestTag/Environment": [
                    "prod",
                    "dev"
                ]
            },
            "ForAllValues:StringEquals": {
                "aws:TagKeys": "Environment"
            }
        }
    }
}

But I receive the following error message: "This resource policy contains a syntax error."

1 Answer
0

Hello,

Please check the following link, which has a reference on implementing the ABAC model for AWS Secrets Manager - https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html

AWS
answered a year ago
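Added example, not from the question or the answer above: a small model of how IAM evaluates the Deny statement's conditions, run against constructed request contexts. It shows why a condition keyed on aws:RequestTag matches every read call (the key is absent, and a negated operator on a missing key evaluates to true), whereas aws:PrincipalTag keys on the tags of the calling role. The corrected policy embedded here is an assumed fix, and it assumes the Lambda's execution role (not the function) carries the Environment tag.

```python
# Added example (not the question's or answer's code): models the documented IAM
# rules for StringEquals / StringNotEquals / Null on a request context.
# Assumption: the Lambda's execution role, not the function, is tagged Environment.

# Corrected resource policy (assumed fix): "secretsmanager" prefix, an explicit
# Principal (required in a resource policy), Statement as a list, and
# aws:PrincipalTag instead of aws:RequestTag.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "secretsmanager:*",
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:PrincipalTag/Environment": ["prod", "dev"]}},
    }],
}

# The condition from the original question, kept only for comparison.
REQUEST_TAG_CONDITION = {"StringNotEquals": {"aws:RequestTag/Environment": ["prod", "dev"]}}

def condition_matches(condition, ctx):
    """Evaluate a Condition block against a request context (condition key -> value).
    Documented IAM behaviour modelled here: a key missing from the context makes
    StringEquals false but StringNotEquals true; Null tests for key presence."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = expected if isinstance(expected, list) else [expected]
            present = key in ctx
            if operator == "StringEquals":
                ok = present and ctx[key] in expected
            elif operator == "StringNotEquals":
                ok = (not present) or ctx[key] not in expected
            elif operator == "Null":
                ok = (not present) == (expected[0] == "true")
            else:
                raise ValueError(f"unsupported operator: {operator}")
            if not ok:
                return False
    return True

def is_denied(policy, ctx):
    """True if any Deny statement's condition matches the request context."""
    return any(s["Effect"] == "Deny" and condition_matches(s.get("Condition", {}), ctx)
               for s in policy["Statement"])

# Constructed contexts for a secretsmanager:GetSecretValue call. A read request
# carries no request tags, so aws:RequestTag/* is never present; role tags are.
PROD_ROLE = {"aws:PrincipalTag/Environment": "prod"}
STAGING_ROLE = {"aws:PrincipalTag/Environment": "staging"}
UNTAGGED_ROLE = {}
```

Under this model the prod-tagged role is not denied, the staging and untagged roles are, and the original RequestTag condition matches (denies) even the prod role because the key is absent from a read request.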
