增强secrets保护
此 RCP 提供 2 层安全保护secrets in Secrets Manager:
拒绝组织外的身份访问和操作Secrets Manager的secrets。
拒绝修改secrets为公开可访问。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnforceOrgForSecretsManager",
"Effect": "Deny",
"Principal": "*",
"Action": [
"secretsmanager:*"
],
"Resource": "*",
"Condition": {
"StringNotEqualsIfExists": {
"aws:PrincipalOrgID": "<ORG_ID_HERE>"
},
"BoolIfExists": {
"aws:PrincipalIsAWSService": "false"
}
}
},
{
"Sid": "DenyPublicPolicyUpdate",
"Effect": "Deny",
"Principal": "*",
"Action": [
"secretsmanager:PutResourcePolicy"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"secretsmanager:BlockPublicPolicy": "false"
}
}
}
]
}最后更新于