RCP should limit secret access to the Organization


Description

A Resource Control Policy (RCP) should be applied to all AWS accounts to limit Secrets Manager access to the AWS Organization. Without an RCP that restricts Secrets Manager operations to the organization boundary, any secret whose resource policy grants access to an external principal (whether by misconfiguration or by a compromised account) can be retrieved, listed, or described from outside the organization. An RCP that denies Secrets Manager operations when aws:PrincipalOrgID does not match the organization ID establishes a data perimeter around the credentials and configuration data stored in member accounts, independent of what any individual resource policy allows.

This rule also flags RCPs that use NotAction to exempt Secrets Manager actions from a deny statement. A Deny statement written with NotAction denies everything except the listed actions, so listing secretsmanager:* there carves Secrets Manager out of the perimeter rather than covering it. Such an exemption leaves a gap that could be exploited if the corresponding explicit deny for Secrets Manager is ever removed.

Note: AWS service principals should be exempted using an aws:PrincipalIsAWSService condition to avoid disrupting AWS-managed secret rotations and integrations. Trusted external accounts can be exempted using an aws:PrincipalAccount condition where cross-organization access is required; keep that list short and review it, since every account on it is outside the perimeter.

Remediation

Create a Resource Control Policy that explicitly denies Secrets Manager operations using Action (not NotAction) from principals outside the organization and attach it to the organization root. Remove any NotAction-based deny statements that exempt Secrets Manager actions. The RCP should deny secretsmanager:* or specific Secrets Manager actions with an aws:PrincipalOrgID condition. Note that the RESOURCE_CONTROL_POLICY policy type must be enabled on the root before an RCP can be attached, and that RCPs do not affect the management account. Refer to the RCP syntax documentation and the data perimeter policy examples for guidance.
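The following is an added example, not part of the original rule text and not Datadog's or AWS's own implementation. It embeds a constructed RCP of the shape the Description and Remediation sections describe (Deny on secretsmanager:* with aws:PrincipalOrgID, aws:PrincipalAccount and aws:PrincipalIsAWSService conditions), a constructed NotAction anti-pattern, and a small checker that applies the two criteria this rule states to any RCP document. The organization ID o-exampleorgid, the account 111122223333 and the function names are assumptions chosen for illustration.

```python
import json

# Constructed compliant RCP. Replace the hypothetical org ID and account.
# Deny applies only when ALL keys in a condition block fail to match, i.e. the
# caller is not in the org, is not an allow-listed account, and is not an AWS
# service principal. The *IfExists operators still deny unauthenticated
# callers, for which aws:PrincipalOrgID is absent.
COMPLIANT_RCP = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySecretsManagerOutsideOrg",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "secretsmanager:*",
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalOrgID": "o-exampleorgid",
          "aws:PrincipalAccount": ["111122223333"]
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false"
        }
      }
    }
  ]
}
"""

# Constructed anti-pattern: NotAction denies everything EXCEPT Secrets Manager,
# so secrets are carved out of the perimeter instead of protected by it.
NOTACTION_RCP = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideOrgExceptSecrets",
      "Effect": "Deny",
      "Principal": "*",
      "NotAction": "secretsmanager:*",
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {"aws:PrincipalOrgID": "o-exampleorgid"}
      }
    }
  ]
}
"""


def _as_list(value):
    # IAM allows a single string or a list for Action, NotAction and Statement.
    return value if isinstance(value, list) else [value]


def _covers_secretsmanager(action):
    # "*", "secretsmanager:*" or any specific secretsmanager action counts.
    action = action.lower()
    return action == "*" or action.startswith("secretsmanager:")


def _restricts_by_org_id(stmt):
    # Deny must key on aws:PrincipalOrgID under a StringNotEquals* operator.
    for operator, keys in stmt.get("Condition", {}).items():
        if operator.lower().startswith("stringnotequals"):
            if any(k.lower() == "aws:principalorgid" for k in keys):
                return True
    return False


def check_rcp(policy_json):
    """Return (compliant, findings) for one RCP document (hypothetical checker)."""
    doc = json.loads(policy_json)
    findings = []
    has_org_deny = False
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:
            exempt = [a for a in _as_list(stmt["NotAction"]) if _covers_secretsmanager(a)]
            if exempt:
                findings.append(f"{sid}: NotAction exempts Secrets Manager ({', '.join(exempt)})")
            continue
        actions = _as_list(stmt.get("Action", []))
        if any(_covers_secretsmanager(a) for a in actions) and _restricts_by_org_id(stmt):
            has_org_deny = True
    if not has_org_deny:
        findings.append("no Deny statement restricts Secrets Manager by aws:PrincipalOrgID")
    return (not findings, findings)


if __name__ == "__main__":
    for name, policy in (("compliant", COMPLIANT_RCP), ("notaction", NOTACTION_RCP)):
        ok, findings = check_rcp(policy)
        print(name, "PASS" if ok else "FAIL", findings)
```

Run the checker against an exported RCP before attaching it; the NotAction sample fails twice, once for the carve-out and once because no statement actually denies Secrets Manager by organization. Stage the compliant policy on a test OU first, since a typo in the organization ID denies every Secrets Manager call in the accounts it reaches.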