For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform-aws-secrets-manager-with-vulnerable-policy.md. A documentation index is available at /llms.txt.

Secrets Manager with vulnerable policy

This product is not supported for your selected Datadog site. ().

Metadata

Id: terraform-aws-secrets-manager-with-vulnerable-policy

Provider: AWS

Platform: Terraform

Severity: High

Category: Access Control

Learn More

Description

AWS Secrets Manager policies with wildcards in Principal or Action fields create significant security risks by potentially granting excessive permissions to unintended entities. When * is used in the Principal field, any AWS identity can access your secrets, and when used in the Action field, it allows all possible operations on those secrets. This overly permissive access violates the principle of least privilege and could lead to unauthorized access or manipulation of sensitive information. Instead of using wildcards, specify exact identities and permissions, as shown in the secure example: "Principal": {"AWS": "arn:aws:iam::var.account_id:saml-provider/var.provider_name"} and "Action": "secretsmanager:GetSecretValue".

Compliant Code Examples

resource "aws_secretsmanager_secret" "example2" {
  name = "example"
}

resource "aws_secretsmanager_secret_policy" "example2" {
  secret_arn = aws_secretsmanager_secret.example2.arn

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnableAllPermissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::var.account_id:saml-provider/var.provider_name"
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*"
    }
  ]
}
POLICY
}

Non-Compliant Code Examples

provider "aws" {
  region = "us-east-1"
}

resource "aws_secretsmanager_secret" "not_secure_policy" {
  name = "not_secure_secret"
}

resource "aws_secretsmanager_secret_policy" "example" {
  secret_arn = aws_secretsmanager_secret.not_secure_policy.arn

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnableAllPermissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "secretsmanager:*",
      "Resource": "*"
    }
  ]
}
POLICY
}

resource "aws_secretsmanager_secret_policy" "multi_statement" {
  secret_arn = aws_secretsmanager_secret.example.arn

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Safe",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
      "Action": "secretsmanager:GetSecretValue"
    },
    {
      "Sid": "Vulnerable",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "secretsmanager:*"
    }
  ]
}
POLICY
}

resource "aws_secretsmanager_secret_policy" "jsonencoded" {
  secret_arn = aws_secretsmanager_secret.example.arn

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "JsonEncodedVulnerable"
        Effect    = "Allow"
        Principal = "*"
        Action    = "secretsmanager:*"
      }
    ]
  })
}