//
// A simple example protecting the tags on IAM principals. Here, only admins with an "is_admin:true"
// tag key/value pair can modify a tag on an IAM principal.
//
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyModifyingIamAdminTag",
"Effect": "Deny",
"Action": [
"iam:TagRole",
"iam:TagUser",
"iam:UntagRole",
"iam:UntagUser",
"sts:TagSession"
],
"Resource": "*",
"Condition": {
"StringNotEqualsIfExists": {
"aws:PrincipalTag/is_admin": "true"
},
"Null": {
"aws:RequestTag/is_admin": "false"
},
"ArnNotLike": {
"aws:PrincipalArn": "arn:aws:iam::*:role/admin/iam/*"
}
}
}
]
}
//
// A simple example where only admins are permitted to perform a privileged operation - in this case, DeleteSecret
//
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyDeletionIfNotSecretsManagerAdmin",
"Effect": "Deny",
"Action": [
"secretsmanager:DeleteSecret"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:*"
],
"Condition": {
"StringNotEqualsIfExists": {
"aws:PrincipalTag/is_admin": "true"
},
"ArnNotLike": {
"aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
}
}
}
]
}
//
// An example where we enforce that ABAC be used in order to access secrets. In this case, we
// require that the principal's team tag equal the resource's team tag in order to gain access.
// We purposely do not put guardrails around List and GetRandomPassword, so as to allow non-ABAC access to them.
//
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAccessingSecretsWithoutAbacTag",
"Effect": "Deny",
"Action": [
"secretsmanager:CancelRotateSecret",
"secretsmanager:DeleteResourcePolicy",
"secretsmanager:DeleteSecret",
"secretsmanager:DescribeSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:ListSecretVersionIds",
"secretsmanager:PutResourcePolicy",
"secretsmanager:PutSecretValue",
"secretsmanager:RemoveRegionsFromReplication",
"secretsmanager:ReplicateSecretToRegions",
"secretsmanager:RestoreSecret",
"secretsmanager:RotateSecret",
"secretsmanager:StopReplicationToReplica",
"secretsmanager:UpdateSecret",
"secretsmanager:UpdateSecretVersionStage",
"secretsmanager:ValidateResourcePolicy"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:*"
],
"Condition": {
"StringNotEqualsIfExists": {
"aws:ResourceTag/team": "${aws:PrincipalTag/team}"
},
"ArnNotLike": {
"aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
}
}
}
]
}
// We only want to allow human users of IAM Identity Center (formerly AWS SSO) access to secrets,
// with an exception for Secrets Manager administrators. Note that ArnNotEquals is equivalent
// to ArnNotLike, so we can use them together as a logical AND that will only Deny if both
// operators return true.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAccessToSecretsForUnauthorizedPrincipals",
"Effect": "Deny",
"Action": [
"secretsmanager:CancelRotateSecret",
"secretsmanager:DeleteResourcePolicy",
"secretsmanager:DeleteSecret",
"secretsmanager:DescribeSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:ListSecretVersionIds",
"secretsmanager:PutResourcePolicy",
"secretsmanager:PutSecretValue",
"secretsmanager:RemoveRegionsFromReplication",
"secretsmanager:ReplicateSecretToRegions",
"secretsmanager:RestoreSecret",
"secretsmanager:RotateSecret",
"secretsmanager:StopReplicationToReplica",
"secretsmanager:UpdateSecret",
"secretsmanager:UpdateSecretVersionStage",
"secretsmanager:ValidateResourcePolicy"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:*"
],
"Condition": {
"ArnNotLike": {
"aws:PrincipalArn": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*"
},
"ArnNotEquals": {
"aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
}
}
}
]
}
// 1. During resource creation, resources must have an ABAC tag applied (tag-on-create)
// 2. During resource creation, the provided ABAC tag key must be the same case as the principal's
// 3. After resource creation, the ABAC tag cannot be modified
// 4. After resource creation, the ABAC tag cannot be deleted
// 5. A principal cannot modify any tags on resources they didn't create
// 6. A principal cannot delete any tags on resources they didn't create
// 7. A principal cannot do tagging operations if its principal tag doesn't exist
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "1DenyCreatingResourcesWithoutRequiredTag",
"Effect": "Deny",
"Action": [
"secretsmanager:CreateSecret"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:*"
],
"Condition": {
"StringNotEquals": {
"aws:RequestTag/team": "${aws:PrincipalTag/team}"
},
"ArnNotLike": {
"aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
}
}
},
{
"Sid": "2DenyCreatingResourcesWithoutExactAbacTagKeyCase",
"Effect": "Deny",
"Action": [
"secretsmanager:CreateSecret"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:*"
],
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:TagKeys": [
"team"
]
},
"ArnNotLike": {
"aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
}
}
},
{
"Sid": "3DenyModifyingAbacTagOnYourResource",
"Effect": "Deny",
"Action": [
"secretsmanager:TagResource"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:*"
],
"Condition": {
"Null": {
"aws:RequestTag/team": "false"
},
"StringEquals": {
"aws:ResourceTag/team": "${aws:PrincipalTag/team}"
},
"StringNotEquals": {
"aws:RequestTag/team": "${aws:PrincipalTag/team}"
},
"ArnNotLike": {
"aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
}
}
},
{
"Sid": "4DenyDeletingAbacTag",
"Effect": "Deny",
"Action": [
"secretsmanager:UntagResource"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:*"
],
"Condition": {
"ForAnyValue:StringEquals": {
"aws:TagKeys": [
"team"
]
},
"ArnNotLike": {
"aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
}
}
},
{
"Sid": "5DenyModifyingTagsIfNotYourResource",
"Effect": "Deny",
"Action": [
"secretsmanager:TagResource"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:*"
],
"Condition": {
"Null": {
"aws:ResourceTag/team": "false"
},
"StringNotEquals": {
"aws:ResourceTag/team": "${aws:PrincipalTag/team}"
},
"ArnNotLike": {
"aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
}
}
},
{
"Sid": "6DenyDeletingTagsIfNotYourResource",
"Effect": "Deny",
"Action": [
"secretsmanager:UntagResource"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:*"
],
"Condition": {
"StringNotEquals": {
"aws:ResourceTag/team": "${aws:PrincipalTag/team}"
},
"ArnNotLike": {
"aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
}
}
},
{
"Sid": "7DenyModifyingTagsIfPrincipalTagNotExists",
"Effect": "Deny",
"Action": [
"secretsmanager:TagResource",
"secretsmanager:UntagResource"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:*"
],
"Condition": {
"Null": {
"aws:PrincipalTag/team": true
},
"ArnNotLike": {
"aws:PrincipalArn": "arn:aws:iam::*:role/admin/secretsmanager/*"
}
}
}
]
}