
I can see that there is a policy evaluation rule for Secrets Manager here.

https://docs.aws.amazon.com/secretsmanager/latest/userguide/determine-acccess_understanding-policy-evaluation.html

I have a policy attached to the secrets manager resource as follows

{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Sid" : "minimumNeeded",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : [ "arn:aws:sts::SLJFLSDKFJLSJDKF:assumed-role/xxx/USER1", "arn:aws:sts::SLJFLSDKFJLSJDKF:assumed-role/xxx/USER2" ]
    },
    "Action" : "secretsmanager:*",
    "Resource" : "*"
  }]
}

When a different user tried to do a put-secret-value from aws CLI targeting the above resource, it worked and the above policy didn't stop them. My understanding from the AWS doc above is:

  1. USER2 will have an ALLOW if the role XXX has explicitly allowed secrets manager operations.

Is this assumption correct? If so, how can I block everyone but certain individuals?

Regards,

ha9u63a7
  • This means that those other users have been given permissions to access your secret. The question is, why are those other users allowed in the first place if you don't want them to access the secret? – Marcin Apr 29 '21 at 10:54
  • Basically, we wanted to block everybody except our own group of people. – ha9u63a7 Apr 29 '21 at 11:07
  • You would have to look at explicit `Deny`. – Marcin Apr 29 '21 at 11:09
  • @Marcin so are you referring to a `Condition` using something like `StringNotEquals`? If so, could you kindly put it in an answer, I will appreciate it – ha9u63a7 Apr 29 '21 at 11:42
  • As you wrote `NotPrincipal with Deny`. Also docs explain that this is complex scenario. You have to be careful as " the policy might deny access to the entire account containing the principal." – Marcin Apr 29 '21 at 11:45

2 Answers


I think I would need to do NotPrincipal with DENY as mentioned in the docs

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html

ha9u63a7

When accessing a resource within the same account, if either the resource policy explicitly grants access or the IAM user/role policy explicitly grants access, access is granted.

When using resource policies for cross account access, both the user/role IAM policy and the resource policy must grant access.

In addition, if there is a DENY statement anywhere (IAM or resource policy) access is denied. If access is not explicitly granted anywhere it is denied by default (local account or cross account).

You did not give the details of whether the users are in the same account or different accounts, but it sounds like they are in the same account. If a user is in the same account, either they must not be granted access in their IAM policy, or there must be an explicit deny statement in the resource policy. You can also change your policy to a `Deny` in conjunction with a `NotPrincipal` declaration. Then only the allowed principals can access the secret, as long as their IAM user/role policy allows it.

JoeB
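Added example (not code from the question or either answer): a toy Python model of the evaluation rules JoeB's answer states, run against the question's resource policy and against the `Deny` + `NotPrincipal` form both answers point to. The evaluator itself, the USER3 session ARN, and the reduction of a role's IAM policy to a yes/no flag are assumptions made for illustration.

```python
"""Toy evaluator for the rules in JoeB's answer, run against the question's secret policy.
Constructed for illustration (not from the page): the evaluator, the USER3 session ARN,
and the identity policy reduced to a yes/no flag."""

ALLOWED = [
    "arn:aws:sts::SLJFLSDKFJLSJDKF:assumed-role/xxx/USER1",
    "arn:aws:sts::SLJFLSDKFJLSJDKF:assumed-role/xxx/USER2",
]

# The question's resource policy: an Allow for two sessions and nothing else.
ORIGINAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "minimumNeeded", "Effect": "Allow", "Principal": {"AWS": ALLOWED},
     "Action": "secretsmanager:*", "Resource": "*"}]}

# The form both answers point to: keep the Allow, add a Deny for everyone NOT in the list.
DENY_OTHERS_POLICY = {"Version": "2012-10-17", "Statement": ORIGINAL_POLICY["Statement"] + [
    {"Sid": "denyEveryoneElse", "Effect": "Deny", "NotPrincipal": {"AWS": ALLOWED},
     "Action": "secretsmanager:*", "Resource": "*"}]}

def _applies(stmt, principal, action):
    """True if the statement covers this principal and action (prefix wildcards only)."""
    acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(a == "*" or a == action or (a.endswith("*") and action.startswith(a[:-1]))
               for a in acts):
        return False
    if "Principal" in stmt:
        p = stmt["Principal"]
        return p == "*" or principal in p.get("AWS", [])
    return principal not in stmt["NotPrincipal"]["AWS"]  # NotPrincipal: everyone else

def evaluate(resource_policy, identity_allows, principal, action, same_account=True):
    """Explicit Deny anywhere wins; same account: an Allow from either policy suffices;
    cross account: both must Allow; otherwise the default is Deny."""
    effects = {s["Effect"] for s in resource_policy["Statement"]
               if _applies(s, principal, action)}
    if "Deny" in effects:
        return "DENY"
    resource_allows = "Allow" in effects
    if same_account:
        return "ALLOW" if (resource_allows or identity_allows) else "DENY"
    return "ALLOW" if (resource_allows and identity_allows) else "DENY"

if __name__ == "__main__":
    other = "arn:aws:sts::SLJFLSDKFJLSJDKF:assumed-role/xxx/USER3"  # constructed: not in the list
    act = "secretsmanager:PutSecretValue"
    # USER3's own role policy allows Secrets Manager, so the original policy cannot stop them.
    print(evaluate(ORIGINAL_POLICY, True, other, act))     # ALLOW
    print(evaluate(DENY_OTHERS_POLICY, True, other, act))  # DENY
```

The NotPrincipal reference linked in the first answer also warns that such a deny can lock out the whole account containing the principal, and it expects the role ARN to be listed alongside each assumed-role session ARN; this toy model reproduces neither effect.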