Access Control & IAM

Access Control Overview

Access Control in AWS Secrets Manager uses a combination of IAM policies and resource-based policies to provide fine-grained permissions for secret operations.

Identity-Based: Attached to users, groups, or roles

Resource-Based: Attached directly to secrets

Cross-Account: Enable secure access across AWS accounts

IAM Actions

Read Actions

GetSecretValue, DescribeSecret, ListSecrets

Write Actions

CreateSecret, UpdateSecret, PutSecretValue

Rotation Actions

RotateSecret, CancelRotateSecret

IAM Policy Examples

Read-Only Access

                                    {

                                      "Effect": "Allow",

                                      "Action": [

                                        "secretsmanager:GetSecretValue",

                                        "secretsmanager:DescribeSecret"

                                      ],

                                      "Resource": "arn:aws:secretsmanager:*:*:secret:prod/*"

                                    }

Resource-Based Policy

                                    {

                                      "Effect": "Allow",

                                      "Principal": {

                                        "AWS": "arn:aws:iam::111122223333:role/MyRole"

                                      },

                                      "Action": "secretsmanager:GetSecretValue"

                                    }

Resource Tags

secretsmanager:ResourceTag/key
aws:RequestedRegion
aws:PrincipalTag/key

Version Stage

secretsmanager:VersionStage
secretsmanager:VersionId
secretsmanager:SecretARN

Time & Location

aws:CurrentTime
aws:SourceIp
aws:SecureTransport

Principal

aws:userid
aws:username
aws:PrincipalType

Least Privilege

Grant minimum permissions
Use specific resource ARNs
Time-based access controls
Regular permission reviews

Organization

Consistent naming conventions
Hierarchical secret organization
Tag secrets appropriately
Resource-based policies

Monitoring

Enable CloudTrail logging
Monitor failed access attempts
Alert on unusual patterns
Regular access reviews

Exam Strategy Tip

Remember: IAM policies and resource-based policies are combined using logical OR. An explicit deny in any policy overrides any allow. Cross-account access requires both resource-based policy on the secret and IAM permissions in the accessing account.

Back to Rotation Next: Encryption & Security