Control: AWS > Secrets Manager > Secret > Policy > Trusted Access

Take an action when AWS Secrets Manager secret policy is not trusted based on the AWS > Secrets Manager > Secret > Policy > Trusted Access > * policies.

The Trusted Access control evaluates the secret policy against the list of allowed members in each of the Trusted Access sub-policies (Trusted Access > Accounts, Trusted Access > Services etc.), this control raises an alarm and takes the defined enforcement action.

The account that owns the secret will always be trusted, even if its account ID is not included in the Trusted Accounts policy.

If set to Enforce: Revoke untrusted access, access to non-trusted members will be removed.

Resource Types

This control targets the following resource types:

AWS > Secrets Manager > Secret

Policies

The following policies can be used to configure this control:

AWS > Secrets Manager > Secret > Policy > Trusted Access

This control type relies on these other policies when running actions:

Permissions

Cloud permissions used by this control and its actions:

secretsmanager:DeleteResourcePolicy
secretsmanager:PutResourcePolicy

In Your Workspace

Developers

Control Type URI

tmod:@turbot/aws-secretsmanager#/control/types/secretPolicyTrustedAccess

Category URI

tmod:@turbot/turbot#/control/categories/securityTrustedAccess

GraphQL

query controlType(id: "tmod:@turbot/aws-secretsmanager#/control/types/secretPolicyTrustedAccess") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/aws-secretsmanager#/control/types/secretPolicyTrustedAccess'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-secretsmanager#/control/types/secretPolicyTrustedAccess"