mchancloud · March 8, 2023 18:56
diff --git a/abac-scp-guardrails-examples.txt b/abac-scp-guardrails-examples.txt
 //
 // A simple example protecting the tags on IAM principals.  Here, only an admins with an "is_admin:true"
 // tag key/value pair can modify a tag on an IAM principal.
 //
 {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyModifyingIamAdminTag",
      "Effect": "Deny",
      "Action": [
        "iam:TagRole",
        "iam:TagUser",
        "iam:UntagRole",
        "iam:UntagUser",
        "sts:TagSession"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/is_admin": "true"
        },
        "Null": {
          "aws:RequestTag/is_admin": "false"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin/iam/*"
        }
      }
    }
  ]
 }


 //
 // A simple example where only admins are permitted to perform a privileged operation - in this case, DeleteSecret
 //
 {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDeletionIfNotSecretsManagerAdmin",
      "Effect": "Deny",
      "Action": [
        "secretsmanager:DeleteSecret"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:*"
      ],
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/is_admin": "true"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
        }
      }
    }
  ]
 }



 //
 // An example where we enforce that ABAC be used in order to access secrets. In this case, we
 // require that the principal team tag == resource team tag in order to gain access.
 // We purposely do not put guardrails around List, GetRandomPassword, so as to allow non-ABAC access to them.
 //
 {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessingSecretsWithoutAbacTag",
      "Effect": "Deny",
      "Action": [
        "secretsmanager:CancelRotateSecret",
        "secretsmanager:DeleteResourcePolicy",
        "secretsmanager:DeleteSecret",
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:ListSecretVersionIds",
        "secretsmanager:PutResourcePolicy",
        "secretsmanager:PutSecretValue",
        "secretsmanager:RemoveRegionsFromReplication",
        "secretsmanager:ReplicateSecretToRegions",
        "secretsmanager:RestoreSecret",
        "secretsmanager:RotateSecret",
        "secretsmanager:StopReplicationToReplica",
        "secretsmanager:UpdateSecret",
        "secretsmanager:UpdateSecretVersionStage",
        "secretsmanager:ValidateResourcePolicy"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:*"
      ],
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:ResourceTag/team": "${aws:PrincipalTag/team}"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
        }
      }
    }
  ]
 }




 // We only want to allow human users of IAM Identity Center (formerly AWS SSO) access to secrets,
 // with an exception for Secrets Manager administrators. Note that ArnNotEquals is equivalent
 // to ArnNotLike, so we can use them together as a logical AND that will only Deny if both
 // operators return true.
 {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessToSecretsForUnauthorizedPrincipals",
      "Effect": "Deny",
      "Action": [
        "secretsmanager:CancelRotateSecret",
        "secretsmanager:DeleteResourcePolicy",
        "secretsmanager:DeleteSecret",
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:ListSecretVersionIds",
        "secretsmanager:PutResourcePolicy",
        "secretsmanager:PutSecretValue",
        "secretsmanager:RemoveRegionsFromReplication",
        "secretsmanager:ReplicateSecretToRegions",
        "secretsmanager:RestoreSecret",
        "secretsmanager:RotateSecret",
        "secretsmanager:StopReplicationToReplica",
        "secretsmanager:UpdateSecret",
        "secretsmanager:UpdateSecretVersionStage",
        "secretsmanager:ValidateResourcePolicy"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*"
        },
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
        }
      }
    }
  ]
 }




 // 1. During resource creation, resources must have an ABAC tag applied (tag-on-create)
 // 2. During resource creation, the provided ABAC tag key must be the same case as the principal's
 // 3. After resource creation, the ABAC tag cannot be modified
 // 4. After resource creation, the ABAC tag cannot be deleted
 // 5. A principal cannot modify any tags on resources they didn't create
 // 6. A principal cannot delete any tags on resources they didn't create
 // 7. A principal cannot do tagging operations if its principal tag doesn't exist
 {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1DenyCreatingResourcesWithoutRequiredTag",
      "Effect": "Deny",
      "Action": [
        "secretsmanager:CreateSecret"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:RequestTag/team": "${aws:PrincipalTag/team}"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
        }
      }
    },
    {
      "Sid": "2DenyCreatingResourcesWithoutExactAbacTagKeyCase",
      "Effect": "Deny",
      "Action": [
        "secretsmanager:CreateSecret"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:*"
      ],
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "aws:TagKeys": [
            "team"
          ]
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
        }
      }
    },
    {
      "Sid": "3DenyModifyingAbacTagOnYourResource",
      "Effect": "Deny",
      "Action": [
        "secretsmanager:TagResource"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/team": "false"
        },
        "StringEquals": {
          "aws:ResourceTag/team": "${aws:PrincipalTag/team}"
        },
        "StringNotEquals": {
          "aws:RequestTag/team": "${aws:PrincipalTag/team}"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
        }
      }
    },
    {
      "Sid": "4DenyDeletingAbacTag",
      "Effect": "Deny",
      "Action": [
        "secretsmanager:UntagResource"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:*"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "team"
          ]
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
        }
      }
    },
    {
      "Sid": "5DenyModifyingTagsIfNotYourResource",
      "Effect": "Deny",
      "Action": [
        "secretsmanager:TagResource"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:*"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/team": "false"
        },
        "StringNotEquals": {
          "aws:ResourceTag/team": "${aws:PrincipalTag/team}"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
        }
      }
    },
    {
      "Sid": "6DenyDeletingTagsIfNotYourResource",
      "Effect": "Deny",
      "Action": [
        "secretsmanager:UntagResource"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceTag/team": "${aws:PrincipalTag/team}"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
        }
      }
    },
    {
      "Sid": "7DenyModifyingTagsIfPrincipalTagNotExists",
      "Effect": "Deny",
      "Action": [
        "secretsmanager:TagResource",
        "secretsmanager:UntagResource"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:*"
      ],
      "Condition": {
        "Null": {
          "aws:PrincipalTag/team": true
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
        }
      }
    }
  ]
 }
	//
	// A simple example protecting the tags on IAM principals. Here, only an admins with an "is_admin:true"
	// tag key/value pair can modify a tag on an IAM principal.
	//
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Sid": "DenyModifyingIamAdminTag",
	"Effect": "Deny",
	"Action": [
	"iam:TagRole",
	"iam:TagUser",
	"iam:UntagRole",
	"iam:UntagUser",
	"sts:TagSession"
	],
	"Resource": "*",
	"Condition": {
	"StringNotEqualsIfExists": {
	"aws:PrincipalTag/is_admin": "true"
	},
	"Null": {
	"aws:RequestTag/is_admin": "false"
	},
	"ArnNotLike": {
	"aws:PrincipalArn": "arn:aws:iam:::role/admin/iam/"
	}
	}
	}
	]
	}


	//
	// A simple example where only admins are permitted to perform a privileged operation - in this case, DeleteSecret
	//
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Sid": "DenyDeletionIfNotSecretsManagerAdmin",
	"Effect": "Deny",
	"Action": [
	"secretsmanager:DeleteSecret"
	],
	"Resource": [
	"arn:aws:secretsmanager:::secret:*"
	],
	"Condition": {
	"StringNotEqualsIfExists": {
	"aws:PrincipalTag/is_admin": "true"
	},
	"ArnNotLike": {
	"aws:PrincipalArn": "arn:aws:iam:::role/admin/secretsmanager/"
	}
	}
	}
	]
	}



	//
	// An example where we enforce that ABAC be used in order to access secrets. In this case, we
	// require that the principal team tag == resource team tag in order to gain access.
	// We purposely do not put guardrails around List, GetRandomPassword, so as to allow non-ABAC access to them.
	//
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Sid": "DenyAccessingSecretsWithoutAbacTag",
	"Effect": "Deny",
	"Action": [
	"secretsmanager:CancelRotateSecret",
	"secretsmanager:DeleteResourcePolicy",
	"secretsmanager:DeleteSecret",
	"secretsmanager:DescribeSecret",
	"secretsmanager:GetSecretValue",
	"secretsmanager:ListSecretVersionIds",
	"secretsmanager:PutResourcePolicy",
	"secretsmanager:PutSecretValue",
	"secretsmanager:RemoveRegionsFromReplication",
	"secretsmanager:ReplicateSecretToRegions",
	"secretsmanager:RestoreSecret",
	"secretsmanager:RotateSecret",
	"secretsmanager:StopReplicationToReplica",
	"secretsmanager:UpdateSecret",
	"secretsmanager:UpdateSecretVersionStage",
	"secretsmanager:ValidateResourcePolicy"
	],
	"Resource": [
	"arn:aws:secretsmanager:::secret:*"
	],
	"Condition": {
	"StringNotEqualsIfExists": {
	"aws:ResourceTag/team": "${aws:PrincipalTag/team}"
	},
	"ArnNotLike": {
	"aws:PrincipalArn": "arn:aws:iam:::role/admin/secretsmanager/"
	}
	}
	}
	]
	}




	// We only want to allow human users of IAM Identity Center (formerly AWS SSO) access to secrets,
	// with an exception for Secrets Manager administrators. Note that ArnNotEquals is equivalent
	// to ArnNotLike, so we can use them together as a logical AND that will only Deny if both
	// operators return true.
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Sid": "DenyAccessToSecretsForUnauthorizedPrincipals",
	"Effect": "Deny",
	"Action": [
	"secretsmanager:CancelRotateSecret",
	"secretsmanager:DeleteResourcePolicy",
	"secretsmanager:DeleteSecret",
	"secretsmanager:DescribeSecret",
	"secretsmanager:GetSecretValue",
	"secretsmanager:ListSecretVersionIds",
	"secretsmanager:PutResourcePolicy",
	"secretsmanager:PutSecretValue",
	"secretsmanager:RemoveRegionsFromReplication",
	"secretsmanager:ReplicateSecretToRegions",
	"secretsmanager:RestoreSecret",
	"secretsmanager:RotateSecret",
	"secretsmanager:StopReplicationToReplica",
	"secretsmanager:UpdateSecret",
	"secretsmanager:UpdateSecretVersionStage",
	"secretsmanager:ValidateResourcePolicy"
	],
	"Resource": [
	"arn:aws:secretsmanager:::secret:*"
	],
	"Condition": {
	"ArnNotLike": {
	"aws:PrincipalArn": "arn:aws:iam:::role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_"
	},
	"ArnNotEquals": {
	"aws:PrincipalArn": "arn:aws:iam:::role/admin/secretsmanager/"
	}
	}
	}
	]
	}




	// 1. During resource creation, resources must have an ABAC tag applied (tag-on-create)
	// 2. During resource creation, the provided ABAC tag key must be the same case as the principal's
	// 3. After resource creation, the ABAC tag cannot be modified
	// 4. After resource creation, the ABAC tag cannot be deleted
	// 5. A principal cannot modify any tags on resources they didn't create
	// 6. A principal cannot delete any tags on resources they didn't create
	// 7. A principal cannot do tagging operations if its principal tag doesn't exist
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Sid": "1DenyCreatingResourcesWithoutRequiredTag",
	"Effect": "Deny",
	"Action": [
	"secretsmanager:CreateSecret"
	],
	"Resource": [
	"arn:aws:secretsmanager:::secret:*"
	],
	"Condition": {
	"StringNotEquals": {
	"aws:RequestTag/team": "${aws:PrincipalTag/team}"
	},
	"ArnNotLike": {
	"aws:PrincipalArn": "arn:aws:iam:::role/admin/secretsmanager/"
	}
	}
	},
	{
	"Sid": "2DenyCreatingResourcesWithoutExactAbacTagKeyCase",
	"Effect": "Deny",
	"Action": [
	"secretsmanager:CreateSecret"
	],
	"Resource": [
	"arn:aws:secretsmanager:::secret:*"
	],
	"Condition": {
	"ForAllValues:StringNotEquals": {
	"aws:TagKeys": [
	"team"
	]
	},
	"ArnNotLike": {
	"aws:PrincipalArn": "arn:aws:iam:::role/admin/secretsmanager/"
	}
	}
	},
	{
	"Sid": "3DenyModifyingAbacTagOnYourResource",
	"Effect": "Deny",
	"Action": [
	"secretsmanager:TagResource"
	],
	"Resource": [
	"arn:aws:secretsmanager:::secret:*"
	],
	"Condition": {
	"Null": {
	"aws:RequestTag/team": "false"
	},
	"StringEquals": {
	"aws:ResourceTag/team": "${aws:PrincipalTag/team}"
	},
	"StringNotEquals": {
	"aws:RequestTag/team": "${aws:PrincipalTag/team}"
	},
	"ArnNotLike": {
	"aws:PrincipalArn": "arn:aws:iam:::role/admin/secretsmanager/"
	}
	}
	},
	{
	"Sid": "4DenyDeletingAbacTag",
	"Effect": "Deny",
	"Action": [
	"secretsmanager:UntagResource"
	],
	"Resource": [
	"arn:aws:secretsmanager:::secret:*"
	],
	"Condition": {
	"ForAnyValue:StringEquals": {
	"aws:TagKeys": [
	"team"
	]
	},
	"ArnNotLike": {
	"aws:PrincipalArn": "arn:aws:iam:::role/admin/secretsmanager/"
	}
	}
	},
	{
	"Sid": "5DenyModifyingTagsIfNotYourResource",
	"Effect": "Deny",
	"Action": [
	"secretsmanager:TagResource"
	],
	"Resource": [
	"arn:aws:secretsmanager:::secret:*"
	],
	"Condition": {
	"Null": {
	"aws:ResourceTag/team": "false"
	},
	"StringNotEquals": {
	"aws:ResourceTag/team": "${aws:PrincipalTag/team}"
	},
	"ArnNotLike": {
	"aws:PrincipalArn": "arn:aws:iam:::role/admin/secretsmanager/"
	}
	}
	},
	{
	"Sid": "6DenyDeletingTagsIfNotYourResource",
	"Effect": "Deny",
	"Action": [
	"secretsmanager:UntagResource"
	],
	"Resource": [
	"arn:aws:secretsmanager:::secret:*"
	],
	"Condition": {
	"StringNotEquals": {
	"aws:ResourceTag/team": "${aws:PrincipalTag/team}"
	},
	"ArnNotLike": {
	"aws:PrincipalArn": "arn:aws:iam:::role/admin/secretsmanager/"
	}
	}
	},
	{
	"Sid": "7DenyModifyingTagsIfPrincipalTagNotExists",
	"Effect": "Deny",
	"Action": [
	"secretsmanager:TagResource",
	"secretsmanager:UntagResource"
	],
	"Resource": [
	"arn:aws:secretsmanager:::secret:*"
	],
	"Condition": {
	"Null": {
	"aws:PrincipalTag/team": true
	},
	"ArnNotLike": {
	"aws:PrincipalArn": "arn:aws:iam:::role/admin/secretsmanager/"
	}
	}
	}
	]
	}