---
title: Secrets Manager secret policies should not allow wildcard principals
description: Datadog, the leading service for cloud-scale monitoring.
---

# Secrets Manager secret policies should not allow wildcard principals
 
## Description{% #description %}

Secrets Manager secret resource policies should not grant access to wildcard principals (`Principal: "*"`) without scoping conditions. An unconditional wildcard principal allows any AWS account or unauthenticated user to access the resource, creating a significant security risk. Wildcard principals scoped by policy conditions (such as `aws:SourceAccount`, `aws:SourceArn`, or `aws:PrincipalOrgID`) are not flagged, because the condition restricts effective access.

## Remediation{% #remediation %}

Update the resource policy to specify explicit principals. Alternatively, add scoping conditions that restrict access. For guidance, refer to [Resource-based policies for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-based-policies.html).
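As an added illustration of what this rule flags and what the remediation changes (this is example code written for this page, not Datadog's detection logic), the checker below walks a Secrets Manager resource policy and reports `Allow` statements that grant a wildcard principal without one of the scoping condition keys named above. The two sample policies and the organization ID `o-exampleorgid` are constructed placeholders.

```python
import json

# Condition keys that the rule treats as scoping a wildcard principal (from the
# description above). IAM condition keys are case-insensitive, so compare lowered.
SCOPING_KEYS = {k.lower() for k in ("aws:SourceAccount", "aws:SourceArn", "aws:PrincipalOrgID")}


def is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def has_scoping_condition(statement):
    """True if any Condition operator block names one of SCOPING_KEYS."""
    for operator_block in statement.get("Condition", {}).values():
        if any(key.lower() in SCOPING_KEYS for key in operator_block):
            return True
    return False


def find_unscoped_wildcards(policy_json):
    """Return Sids (or positional labels) of Allow statements that grant a
    wildcard principal access without a scoping condition (illustrative only)."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if (stmt.get("Effect") == "Allow"
                and is_wildcard_principal(stmt.get("Principal"))
                and not has_scoping_condition(stmt)):
            findings.append(stmt.get("Sid", f"Statement[{index}]"))
    return findings


# Constructed sample policies: the first is flagged, the second is scoped to an
# organization (placeholder org ID) and is not flagged.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowAnyone", "Effect": "Allow", "Principal": "*",
    "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]})
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowOrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "secretsmanager:GetSecretValue", "Resource": "*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]})

if __name__ == "__main__":
    print(find_unscoped_wildcards(WEAK_POLICY), find_unscoped_wildcards(FIXED_POLICY))
```

Replacing the wildcard with explicit principal ARNs, the other remediation the page describes, makes `is_wildcard_principal` return `False` and the statement is likewise not reported.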
