下面是一个示例的 SCP 策略，实现的效果是：只有名称前缀为“AWSReservedSSO_AdministratorAccess”的 IAM 单点登录角色才能够获取、修改 Secrets Manager 中名称前缀为“secerity-nono-”的 secrets，其他主体对这些 secrets 的相关操作均被显式拒绝。注意：IAM Identity Center 创建的角色 ARN 带有 `/aws-reserved/sso.amazonaws.com/` 路径，请核对策略中 `aws:PrincipalArn` 的匹配模式与实际角色 ARN 一致，否则该 Deny 也会作用于这个管理员角色本身。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SecurityNonoSecrets",
"Effect": "Deny",
"Action": [
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetRandomPassword",
"secretsmanager:GetSecretValue",
"secretsmanager:DeleteSecret",
"secretsmanager:PutSecretValue",
"secretsmanager:ReplicateSecretToRegions",
"secretsmanager:RestoreSecret",
"secretsmanager:RotateSecret",
"secretsmanager:RemoveRegionsFromReplication",
"secretsmanager:StopReplicationToReplica",
"secretsmanager:UpdateSecret",
"secretsmanager:UpdateSecretVersionStage",
"secretsmanager:CancelRotateSecret",
"secretsmanager:DeleteResourcePolicy",
"secretsmanager:PutResourcePolicy",
"secretsmanager:ValidateResourcePolicy",
"secretsmanager:TagResource",
"secretsmanager:UntagResource"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:secerity-nono-*"
],
"Condition": {
"ArnNotLike": {
"aws:PrincipalArn": "arn:aws:iam::*:role/AWSReservedSSO_AdministratorAccess*"
}
}
}
]
}