Ensure that inline policy does not expose secrets in AWS Secrets Manager

HIGH

Description

Organizations should ensure that proper access restrictions are set on secrets within Secrets Manager so that they are not inadvertently exposed. This is done with the inline (resource-based) policy attached to each secret within Secrets Manager; a policy that grants access to any principal (for example `"Principal": "*"`) exposes the secret value to anyone who can reach the API. For more information, see the AWS documentation.
References:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html

Remediation

In AWS Console -

  1. Sign in to the AWS console and go to the Secrets Manager console.
  2. In the Navigation pane, select Secrets.
  3. In the list of Secrets, select the secret to edit.
  4. In the Resource permissions section, select Edit Permissions and add a policy that grants access only to the principals that need the secret.
  5. Select Save.

In Terraform -

  1. Review the resource policy attached to the aws_secretsmanager_secret resource (set through an aws_secretsmanager_secret_policy resource) and ensure that it restricts access to the required principals only.
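
The following Terraform configuration is an added example written for this page; it is not code from the original page or from the rule vendor. It shows a secret resource policy that exposes the secret to any principal beside a corrected policy that limits access to one role. The account ID `111122223333`, the role name `app-db-reader`, and the secret name are placeholders.

```hcl
# Added example (not from the original page): a Secrets Manager secret with an
# exposed resource policy shown next to a restricted one. Account ID, role name
# and secret name are placeholders chosen for the example.

resource "aws_secretsmanager_secret" "app_db" {
  name = "prod/app/db-credentials" # placeholder name
}

# Weak: "Principal": "*" allows any AWS principal, including principals in
# other accounts, to read the secret value whenever their own identity policy
# permits the call. This document is defined only for contrast; it is not
# attached to the secret below.
data "aws_iam_policy_document" "exposed" {
  statement {
    sid       = "AllowAnyoneToRead"
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = ["*"] # in a resource policy, "*" means the secret it is attached to
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
  }
}

# Corrected: only the application role in this account may read the value.
data "aws_iam_policy_document" "restricted" {
  statement {
    sid       = "AllowAppRoleOnly"
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111122223333:role/app-db-reader"] # placeholder account/role
    }
  }
}

# Attach the restricted policy. block_public_policy asks Secrets Manager to
# reject the policy if it would grant public access, so a later edit that
# reintroduces "Principal": "*" fails at apply time instead of silently
# exposing the secret.
resource "aws_secretsmanager_secret_policy" "app_db" {
  secret_arn          = aws_secretsmanager_secret.app_db.arn
  policy              = data.aws_iam_policy_document.restricted.json
  block_public_policy = true
}
```

To check what is currently attached to a secret, run `aws secretsmanager get-resource-policy --secret-id <secret-name-or-arn>` and confirm that no statement with `"Effect": "Allow"` names `"*"` or an unexpected account as its principal.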

References:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret

Policy Details

Rule Reference ID: AC_AWS_0386
CSP: AWS
Remediation Available: Yes
Resource Category: Management
Resource Type: Secrets Manager

Frameworks