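//
// A simple example protecting the tags on IAM principals. Here, only admins with an "is_admin:true"
// tag key/value pair can modify a tag on an IAM principal.
//
// Two statements are needed because the request context differs by operation: TagRole/TagUser and
// sts:TagSession carry the requested tag values (aws:RequestTag/<key>), while UntagRole/UntagUser carry
// only the keys being removed (aws:TagKeys). A Null check on aws:RequestTag/is_admin can therefore never
// match an Untag* call, so untagging is matched on aws:TagKeys instead (the same operator the Secrets
// Manager tagging guardrails later in this file use for UntagResource).
// Both statements exempt roles under the admin/iam/ path; StringNotEqualsIfExists also treats a
// principal with no is_admin tag at all as a non-admin. Within one Condition block every operator must be
// true for the Deny to apply.
//
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyModifyingIamAdminTag",
      "Effect": "Deny",
      "Action": [
        "iam:TagRole",
        "iam:TagUser",
        "sts:TagSession"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/is_admin": "true"
        },
        "Null": {
          "aws:RequestTag/is_admin": "false"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin/iam/*"
        }
      }
    },
    {
      "Sid": "DenyRemovingIamAdminTag",
      "Effect": "Deny",
      "Action": [
        "iam:UntagRole",
        "iam:UntagUser"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/is_admin": "true"
        },
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "is_admin"
          ]
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin/iam/*"
        }
      }
    }
  ]
}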
//
// A simple example where only admins are permitted to perform a privileged operation - in this case, DeleteSecret.
// The Deny applies when the caller's is_admin principal tag is not "true" (a caller with no is_admin tag
// counts as a non-admin, because ...IfExists evaluates true for an absent key) AND the caller's ARN is not
// under the admin/secretsmanager/ role path. Roles under that path are exempt regardless of their tags,
// so the path itself is the privilege boundary and should be as tightly controlled as the tag.
//
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDeletionIfNotSecretsManagerAdmin",
      "Effect": "Deny",
      "Action": [
        "secretsmanager:DeleteSecret"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:*"
      ],
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/is_admin": "true"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
        }
      }
    }
  ]
}
//
// An example where we enforce that ABAC be used in order to access secrets. In this case, we
// require that the principal team tag == resource team tag in order to gain access.
// We purposely do not put guardrails around List, GetRandomPassword, so as to allow non-ABAC access to them.
//
// A secret with no "team" tag is not accessible to non-admin callers: aws:ResourceTag/team is then absent,
// StringNotEqualsIfExists evaluates true for an absent key, and the Deny applies (fail closed).
// NOTE(review): the right-hand side is the policy variable ${aws:PrincipalTag/team}. The tagging
// guardrails later in this file add an explicit Null check on aws:PrincipalTag/team (statement 7) for
// principals that have no team tag; this statement has no equivalent guard — confirm how an unresolved
// variable evaluates here before relying on it for such principals.
// NOTE(review): the Action list is enumerated, so actions added to the service after it was written are
// not covered — secretsmanager:BatchGetSecretValue returns secret values and is not listed. A Deny with
// NotAction naming only the intentionally exempted read-only actions would fail closed instead.
//
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessingSecretsWithoutAbacTag",
      "Effect": "Deny",
      "Action": [
        "secretsmanager:CancelRotateSecret",
        "secretsmanager:DeleteResourcePolicy",
        "secretsmanager:DeleteSecret",
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:ListSecretVersionIds",
        "secretsmanager:PutResourcePolicy",
        "secretsmanager:PutSecretValue",
        "secretsmanager:RemoveRegionsFromReplication",
        "secretsmanager:ReplicateSecretToRegions",
        "secretsmanager:RestoreSecret",
        "secretsmanager:RotateSecret",
        "secretsmanager:StopReplicationToReplica",
        "secretsmanager:UpdateSecret",
        "secretsmanager:UpdateSecretVersionStage",
        "secretsmanager:ValidateResourcePolicy"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:*"
      ],
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:ResourceTag/team": "${aws:PrincipalTag/team}"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
        }
      }
    }
  ]
}
// We only want to allow human users of IAM Identity Center (formerly AWS SSO) access to secrets,
// with an exception for Secrets Manager administrators. Note that ArnNotEquals is equivalent
// to ArnNotLike, so we can use them together as a logical AND that will only Deny if both
// operators return true.
//
// The two operators are needed only because a single Condition block cannot hold the same operator
// twice; using both is the way to express "not an Identity Center role AND not an admin role".
// NOTE(review): Identity Center permission-set roles can carry a region path segment between
// sso.amazonaws.com/ and AWSReservedSSO_ depending on where the Identity Center instance lives. The
// pattern on the ArnNotLike line leaves no wildcard for such a segment; confirm it against the real role
// ARNs in the organisation, since a mismatch would deny the human users this statement is meant to allow.
// NOTE(review): as with the ABAC statement above, the enumerated Action list does not cover actions added
// later (e.g. secretsmanager:BatchGetSecretValue); a NotAction-based Deny would fail closed.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessToSecretsForUnauthorizedPrincipals",
      "Effect": "Deny",
      "Action": [
        "secretsmanager:CancelRotateSecret",
        "secretsmanager:DeleteResourcePolicy",
        "secretsmanager:DeleteSecret",
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:ListSecretVersionIds",
        "secretsmanager:PutResourcePolicy",
        "secretsmanager:PutSecretValue",
        "secretsmanager:RemoveRegionsFromReplication",
        "secretsmanager:ReplicateSecretToRegions",
        "secretsmanager:RestoreSecret",
        "secretsmanager:RotateSecret",
        "secretsmanager:StopReplicationToReplica",
        "secretsmanager:UpdateSecret",
        "secretsmanager:UpdateSecretVersionStage",
        "secretsmanager:ValidateResourcePolicy"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*"
        },
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
        }
      }
    }
  ]
}
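// Tagging guardrails for the ABAC "team" tag on Secrets Manager secrets. Every statement exempts roles
// under the admin/secretsmanager/ path via ArnNotLike; within one Condition block every operator must be
// true for the Deny to apply.
// 1. During resource creation, resources must have an ABAC tag applied (tag-on-create)
// 2. During resource creation, the provided ABAC tag key must be the same case as the principal's
// 3. After resource creation, the ABAC tag cannot be modified
// 4. After resource creation, the ABAC tag cannot be deleted
// 5. A principal cannot modify any tags on resources they didn't create
// 6. A principal cannot delete any tags on resources they didn't create
// 7. A principal cannot do tagging operations if its principal tag doesn't exist
//
// Statement 2 also catches a CreateSecret with no tags at all: ForAllValues evaluates true when
// aws:TagKeys is absent from the request, so statement 1 does not have to rely on how StringNotEquals
// treats an absent aws:RequestTag/team.
// Statement 7 uses the string "true" for the Null operator, matching the "false" strings used by the
// other Null conditions in this file (the previous bare boolean was accepted but inconsistent).
// NOTE(review): statements 1, 3, 5 and 6 compare against the policy variable ${aws:PrincipalTag/team}.
// Statement 7 covers TagResource/UntagResource for principals that have no team tag, but CreateSecret
// (statement 1) has no equivalent guard — confirm how an unresolved variable evaluates there.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1DenyCreatingResourcesWithoutRequiredTag",
      "Effect": "Deny",
      "Action": [
        "secretsmanager:CreateSecret"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:RequestTag/team": "${aws:PrincipalTag/team}"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
        }
      }
    },
    {
      "Sid": "2DenyCreatingResourcesWithoutExactAbacTagKeyCase",
      "Effect": "Deny",
      "Action": [
        "secretsmanager:CreateSecret"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:*"
      ],
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "aws:TagKeys": [
            "team"
          ]
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
        }
      }
    },
    {
      "Sid": "3DenyModifyingAbacTagOnYourResource",
      "Effect": "Deny",
      "Action": [
        "secretsmanager:TagResource"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/team": "false"
        },
        "StringEquals": {
          "aws:ResourceTag/team": "${aws:PrincipalTag/team}"
        },
        "StringNotEquals": {
          "aws:RequestTag/team": "${aws:PrincipalTag/team}"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
        }
      }
    },
    {
      "Sid": "4DenyDeletingAbacTag",
      "Effect": "Deny",
      "Action": [
        "secretsmanager:UntagResource"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:*"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "team"
          ]
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
        }
      }
    },
    {
      "Sid": "5DenyModifyingTagsIfNotYourResource",
      "Effect": "Deny",
      "Action": [
        "secretsmanager:TagResource"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:*"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/team": "false"
        },
        "StringNotEquals": {
          "aws:ResourceTag/team": "${aws:PrincipalTag/team}"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
        }
      }
    },
    {
      "Sid": "6DenyDeletingTagsIfNotYourResource",
      "Effect": "Deny",
      "Action": [
        "secretsmanager:UntagResource"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceTag/team": "${aws:PrincipalTag/team}"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
        }
      }
    },
    {
      "Sid": "7DenyModifyingTagsIfPrincipalTagNotExists",
      "Effect": "Deny",
      "Action": [
        "secretsmanager:TagResource",
        "secretsmanager:UntagResource"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:*"
      ],
      "Condition": {
        "Null": {
          "aws:PrincipalTag/team": "true"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
        }
      }
    }
  ]
}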