AWS secretsmanager high security documentation change
Summary
Added explicit list of cross-account operations and security warnings about PutResourcePolicy permissions
Security assessment
Added warning about privilege escalation risks with PutResourcePolicy and guidance for least privilege access. Directly addresses access control security considerations.
Diff
diff --git a/secretsmanager/latest/userguide/auth-and-access_examples_cross.md b/secretsmanager/latest/userguide/auth-and-access_examples_cross.md index 203be86b9..3fd3b39b3 100644 --- a//secretsmanager/latest/userguide/auth-and-access_examples_cross.md +++ b//secretsmanager/latest/userguide/auth-and-access_examples_cross.md @@ -8,0 +9,47 @@ To allow users in one account to access secrets in another account (_cross-accou +Cross-account permission is effective only for the following operations: + + * [CancelRotateSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CancelRotateSecret.html) + + * [DeleteResourcePolicy](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteResourcePolicy.html) + + * [DeleteSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html) + + * [DescribeSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DescribeSecret.html) + + * [GetRandomPassword](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetRandomPassword.html) + + * [GetResourcePolicy](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetResourcePolicy.html) + + * [GetSecretValue](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html) + + * [ListSecretVersionIds](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_ListSecretVersionIds.html) + + * [PutResourcePolicy](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_PutResourcePolicy.html) + + * [PutSecretValue](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_PutSecretValue.html) + + * [RemoveRegionsFromReplication](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_RemoveRegionsFromReplication.html) + + * [ReplicateSecretToRegions](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_ReplicateSecretToRegions.html) + + * [RestoreSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_RestoreSecret.html) + + * [RotateSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_RotateSecret.html) + + * [StopReplicationToReplica](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_StopReplicationToReplica.html) + + * [TagResource](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_TagResource.html) + + * [UntagResource](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_UntagResource.html) + + * [UpdateSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_UpdateSecret.html) + + * [UpdateSecretVersionStage](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_UpdateSecretVersionStage.html) + + * [ValidateResourcePolicy](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_ValidateResourcePolicy.html) + + + + +You can use the `BlockPublicPolicy` parameter with the [PutResourcePolicy](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_PutResourcePolicy.html) action to help protect your resources by preventing public access from being granted through the resource policies that are directly attached to your secrets. You can also use [IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-preview-access) to verify cross-account access. + @@ -10,0 +58,4 @@ You must also allow the identity to use the KMS key that the secret is encrypted +###### Important + +Resource-based policies granting `secretsmanager:PutResourcePolicy` permission gives principals, even those in other accounts, the ability to modify your resource-based policies. This permission lets principals escalate existing permissions like obtaining full administrative access to secrets. We recommend you apply the principle of [least privileged access](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) to your policies. For more information, see [Resource-based policies](./auth-and-access_resource-policies.html). + @@ -16,0 +68,6 @@ The following example policies assume you have a secret and encryption key in _A +JSON + + +**** + + @@ -56,0 +115,6 @@ The following example policies assume you have a secret and encryption key in _A +JSON + + +**** + +