
I'm trying to use an AWS Lambda function (deployed with SAM) to rotate a secret. Reading the AWSSecretsManagerRotationPolicy description, it says:

Gives permission to rotate a secret in AWS Secrets Manager.

Based on that, this is applied to a single secret, but looking at the policy definition, it seems like it permits all secrets for a given Partition, Region, and AccountId:


    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "secretsmanager:DescribeSecret",
            "secretsmanager:GetSecretValue",
            "secretsmanager:PutSecretValue",
            "secretsmanager:UpdateSecretVersionStage"
          ],
          "Resource": {
            "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*"
          },
          "Condition": {
            "StringEquals": {
              "secretsmanager:resource/AllowRotationLambdaArn": {
                "Fn::Sub": [
                  "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}",
                  {
                    "functionName": {
                      "Ref": "FunctionName"
                    }
                  }
                ]
              }
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "secretsmanager:GetRandomPassword"
          ],
          "Resource": "*"
        }
      ]
    }

Is the description misleading, or did I misinterpret something?

andres

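As an added example (not from the question or from the SAM project), here is a small offline Python model of how the `Condition` in that policy narrows the `secret:*` `Resource`: the key `secretsmanager:resource/AllowRotationLambdaArn` resolves to the rotation Lambda attached to the secret being accessed, so only secrets configured with this function as their rotation Lambda match. The account id, function name and secret ARNs are constructed, and the evaluator is a simplification of IAM, not the real engine.

```python
"""Offline model of the AWSSecretsManagerRotationPolicy statements (constructed example)."""
import fnmatch

# Constructed stand-ins for the Fn::Sub pseudo parameters and Ref: FunctionName.
PARTITION, REGION, ACCOUNT = "aws", "us-east-1", "123456789012"
FUNCTION_NAME = "MyRotationFunction"
ROTATION_LAMBDA_ARN = f"arn:{PARTITION}:lambda:{REGION}:{ACCOUNT}:function:{FUNCTION_NAME}"

# The two Allow statements from the template, with Fn::Sub already resolved.
POLICY = [
    {
        "Action": {"secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue",
                   "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecretVersionStage"},
        "Resource": f"arn:{PARTITION}:secretsmanager:{REGION}:{ACCOUNT}:secret:*",
        # StringEquals on the secret's attached rotation Lambda ARN.
        "Condition": {"secretsmanager:resource/AllowRotationLambdaArn": ROTATION_LAMBDA_ARN},
    },
    {"Action": {"secretsmanager:GetRandomPassword"}, "Resource": "*", "Condition": {}},
]

# Constructed secrets in the account: secret ARN -> rotation Lambda ARN attached to it
# (None when rotation was never configured for that secret).
SECRET_PREFIX = f"arn:{PARTITION}:secretsmanager:{REGION}:{ACCOUNT}:secret:"
SECRETS = {
    SECRET_PREFIX + "prod/db-AbCdEf": ROTATION_LAMBDA_ARN,
    SECRET_PREFIX + "prod/api-key-GhIjKl":
        f"arn:{PARTITION}:lambda:{REGION}:{ACCOUNT}:function:OtherRotator",
    SECRET_PREFIX + "prod/no-rotation-MnOpQr": None,
}


def is_allowed(action, resource_arn):
    """True if some Allow statement matches the action, the resource glob and every condition."""
    for stmt in POLICY:
        if action not in stmt["Action"]:
            continue
        if not fnmatch.fnmatchcase(resource_arn, stmt["Resource"]):
            continue
        # Resolve the condition key from the target secret's attributes; a secret with
        # no rotation Lambda has no value for the key, so StringEquals fails for it.
        key_values = {"secretsmanager:resource/AllowRotationLambdaArn": SECRETS.get(resource_arn)}
        if all(key_values.get(key) == expected for key, expected in stmt["Condition"].items()):
            return True
    return False


def rotatable_secrets():
    """Secrets this function may actually read despite the secret:* Resource."""
    return sorted(arn for arn in SECRETS if is_allowed("secretsmanager:GetSecretValue", arn))
```

Running `rotatable_secrets()` returns only the secret whose rotation Lambda is this function; the other two are denied even though the `Resource` wildcard covers them.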