AWS secretsmanager high security documentation change
Summary
Added critical note about rotation policy limitations for DatadogAdminKey secrets and required configuration adjustments.
Security assessment
Addresses security configuration gap in secret rotation for admin keys. Highlights potential permission failures and provides mitigation guidance.
Diff
diff --git a/secretsmanager/latest/userguide/mes-partner-DatadogApiKey.md b/secretsmanager/latest/userguide/mes-partner-DatadogApiKey.md index 50712d5e0..d1663b5cd 100644 --- a//secretsmanager/latest/userguide/mes-partner-DatadogApiKey.md +++ b//secretsmanager/latest/userguide/mes-partner-DatadogApiKey.md @@ -50,0 +51,2 @@ You can create your secret using the [CreateSecret](https://docs.aws.amazon.com/ +The admin secret type (`DatadogAdminKey`) differs from the user secret type (`DatadogApiKey`). Because of this difference, the default rotation role policy scoped by `secretsmanager:resource/Type` will not grant access to the admin secret. You must explicitly provide the rotation role access to the admin secret. You can do this by adding a statement scoped to the `DatadogAdminKey` type. Alternatively, specify the admin secret `ARN` directly in the role policy. +