---
title: RCP should limit secret access to the Organization
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > RCP should limit secret access to the
  Organization
---

# RCP should limit secret access to the Organization
 
## Description{% #description %}

A Resource Control Policy (RCP) should be applied to all AWS accounts to limit Secrets Manager access to the AWS Organization. Without an RCP restricting Secrets Manager operations by organization boundary, principals outside the organization could retrieve, list, or describe secrets stored in member accounts.

This rule verifies that an RCP denies **all six Secrets Manager access actions** when `aws:PrincipalOrgID` does not match the organization ID:

- `secretsmanager:GetSecretValue`
- `secretsmanager:BatchGetSecretValue`
- `secretsmanager:DescribeSecret`
- `secretsmanager:GetResourcePolicy`
- `secretsmanager:ListSecrets`
- `secretsmanager:ListSecretVersionIds`

Alternatively, a wildcard action (`secretsmanager:*` or `*`) satisfies the requirement. The actions can be split across multiple deny statements within the same policy — the rule aggregates all denied actions from statements that include the org boundary condition. Denying only a subset of these actions leaves gaps — for example, denying `GetSecretValue` but not `DescribeSecret` still allows an external principal to enumerate secret metadata.

Each deny statement must use a `StringNotEquals` or `StringNotEqualsIfExists` condition on `aws:PrincipalOrgID` to enforce the organization boundary. Actions in statements without this condition are not counted toward coverage.

**Note:** AWS service principals should be exempted using `aws:PrincipalIsAWSService` conditions to avoid disrupting AWS-managed secret rotations and integrations. Trusted external accounts can be exempted using `aws:PrincipalAccount` conditions where cross-organization access is required.

## Remediation{% #remediation %}

Create a Resource Control Policy that explicitly denies all six Secrets Manager actions listed above (or `secretsmanager:*`) using `Action` (not `NotAction`) from principals outside the organization and attach it to the organization root. The deny statement must include a `StringNotEquals` or `StringNotEqualsIfExists` condition on `aws:PrincipalOrgID`. Refer to the [RCP syntax documentation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps_syntax.html) and the [data perimeter policy examples](https://github.com/aws-samples/data-perimeter-policy-examples) for guidance.
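An added example, not Datadog's or AWS's own code: a small checker that applies this rule's logic to an RCP document (aggregating `Action` denies that carry the `aws:PrincipalOrgID` boundary, honouring wildcards, ignoring `NotAction` and unconditioned statements), run against a constructed sample policy that splits the six actions across two statements and exempts AWS service principals. `o-EXAMPLE` is a placeholder organization ID.

```python
# Added example (not Datadog's or AWS's code): evaluate an RCP document against the
# aggregation logic this rule describes; the policy below is a constructed sample.
REQUIRED_ACTIONS = {
    "secretsmanager:GetSecretValue", "secretsmanager:BatchGetSecretValue",
    "secretsmanager:DescribeSecret", "secretsmanager:GetResourcePolicy",
    "secretsmanager:ListSecrets", "secretsmanager:ListSecretVersionIds",
}
ORG_OPERATORS = ("StringNotEquals", "StringNotEqualsIfExists")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def has_org_boundary(statement):
    """True if the statement conditions aws:PrincipalOrgID with StringNotEquals(IfExists)."""
    cond = statement.get("Condition", {})
    return any(k.lower() == "aws:principalorgid"
               for op in ORG_OPERATORS for k in cond.get(op, {}))

def covered_actions(policy):
    """Union of required actions denied by Deny/Action statements carrying the org boundary."""
    covered = set()
    for stmt in _as_list(policy.get("Statement", [])):
        # NotAction-based denies and statements without the org condition do not count.
        if stmt.get("Effect") != "Deny" or "Action" not in stmt or not has_org_boundary(stmt):
            continue
        actions = _as_list(stmt["Action"])
        if "*" in actions or "secretsmanager:*" in actions:
            return set(REQUIRED_ACTIONS)  # a wildcard satisfies the rule outright
        covered.update(actions)
    return covered & REQUIRED_ACTIONS

def missing_actions(policy):
    """Required actions the policy still lets principals outside the org call."""
    return sorted(REQUIRED_ACTIONS - covered_actions(policy))

# Constructed sample: the six actions are split across two Deny statements, both of
# which exempt AWS service principals; "o-EXAMPLE" is a placeholder organization ID.
ORG_COND = {"StringNotEqualsIfExists": {"aws:PrincipalOrgID": "o-EXAMPLE"},
            "BoolIfExists": {"aws:PrincipalIsAWSService": "false"}}
SAMPLE_RCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Resource": "*", "Condition": ORG_COND,
     "Action": ["secretsmanager:GetSecretValue", "secretsmanager:BatchGetSecretValue",
                "secretsmanager:DescribeSecret"]},
    {"Effect": "Deny", "Principal": "*", "Resource": "*", "Condition": ORG_COND,
     "Action": ["secretsmanager:GetResourcePolicy", "secretsmanager:ListSecrets",
                "secretsmanager:ListSecretVersionIds"]},
]}

if __name__ == "__main__":
    print("missing:", missing_actions(SAMPLE_RCP))
```

The sample policy reports no missing actions; drop `secretsmanager:DescribeSecret` from the first statement and the checker names it as the gap, matching the page's example of metadata enumeration left open.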
