It looks like AWS offers 3 options.
- Grant a user direct access to the vault.
- Grant an EC2 direct access to the vault.
- Grant a function direct access to the vault.
None of these were my first choice since it's an MVC website being developed locally and then simply being hosted on an EC2 afterwards. I also didn't want the engineers having direct access to the vault. However, due to the above limitations, I'll have to rework the vault to have a lower "unprivileged" layer, an upper "privileged" layer and then grant engineers access to the lower layer.
Hello.
For example, how about setting the following resource-based policy on the Secrets Manager secret?
If you set a resource-based policy like the one below, the secret will only be accessible from AWS resources that use an IAM user or IAM role whose ARN is listed in "aws:PrincipalArn".
https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:test/SecretID"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::111111111111:role/lambda-role-name",
                        "arn:aws:iam::111111111111:role/EC2-IAM-Role",
                        "arn:aws:iam::111111111111:user/IAM-user-name"
                    ]
                }
            }
        }
    ]
}
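To see exactly who the Deny-unless-listed statement above shuts out, here is an added offline check (example code, not part of the answer or of any AWS SDK): it builds the same policy from the placeholder ARNs in the answer and evaluates the explicit-deny branch for a given caller, action and resource. It models only the subset of IAM semantics this policy uses; the `principal_arn_for` helper reflects that `aws:PrincipalArn` for a role session is the role ARN, not the session ARN.

```python
"""Offline check of who the Deny / StringNotEquals resource policy lets through.
Added example; the account ID, region and ARNs are the placeholder values
from the answer above, not real identifiers."""
import re

SECRET_ARN = "arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:test/SecretID"
ALLOWED_PRINCIPALS = [
    "arn:aws:iam::111111111111:role/lambda-role-name",
    "arn:aws:iam::111111111111:role/EC2-IAM-Role",
    "arn:aws:iam::111111111111:user/IAM-user-name",
]


def build_policy(secret_arn, principal_arns):
    """Same Deny-unless-listed statement as the answer's JSON."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Principal": "*",
        "Action": ["secretsmanager:GetSecretValue"],
        "Resource": [secret_arn],
        "Condition": {"StringNotEquals": {"aws:PrincipalArn": list(principal_arns)}},
    }]}


_ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")


def principal_arn_for(caller_arn):
    """aws:PrincipalArn for an assumed-role session is the underlying role ARN."""
    m = _ASSUMED_ROLE.match(caller_arn)
    if m:
        return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"
    return caller_arn


def explicit_deny(policy, caller_arn, action, resource):
    """True if a Deny statement matches this request (an explicit deny wins
    over any Allow in the caller's identity policy)."""
    principal = principal_arn_for(caller_arn)
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if action not in st["Action"] or resource not in st["Resource"]:
            continue  # Deny only covers the listed actions and resources
        not_equals = st.get("Condition", {}).get("StringNotEquals", {})
        if "aws:PrincipalArn" in not_equals and principal in not_equals["aws:PrincipalArn"]:
            continue  # listed principal: condition is false, Deny does not apply
        return True
    return False
```

Two things the check makes visible: the Deny covers only GetSecretValue, so DescribeSecret and other actions are unaffected, and the policy grants nothing by itself, so the listed principals still need an identity-based Allow for GetSecretValue.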