ABAC and Secrets Manager Lab

Secrets Manager Lab

Create the Assume Policy

For testing, create four IAM users with permissions to assume roles with the same tags. This makes it easier to add more users to your teams. When you tag the users, they automatically get access to assume the correct role. You don't have to add the users to the trust policy of the role if they work on only one project and team.

Create the following customer managed policy named access-assume-role.

The following policy allows a user to assume any role in your account with the access- name prefix. The role must also be tagged with the same project, team, and cost center tags as the user.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TutorialAssumeRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::123456789012:role/access-*",
            "Condition": {
                "StringEquals": {
                    "iam:ResourceTag/access-project": "${aws:PrincipalTag/access-project}",
                    "iam:ResourceTag/access-team": "${aws:PrincipalTag/access-team}",
                    "iam:ResourceTag/cost-center": "${aws:PrincipalTag/cost-center}"
                }
            }
        }
    ]
}

Create IAM Users

Create the following IAM users, attach the access-assume-role permissions policy, and add the following tags.

User name               Tags
access-Arnav-peg-eng    access-project = peg, access-team = eng, cost-center = 987654
access-Mary-peg-qas     access-project = peg, access-team = qas, cost-center = 987654
access-Saanvi-uni-eng   access-project = uni, access-team = eng, cost-center = 123456
access-Carlos-uni-qas   access-project = uni, access-team = qas, cost-center = 123456

Create the ABAC Policy

Create the following policy named access-same-project-team. You will add this policy to the roles in a later step.

ABAC Policy: Access Secrets Manager Resources Only When the Principal and Resource Tags Match

The following policy allows principals to create, read, edit, and delete resources, but only when those resources are tagged with the same key-value pairs as the principal. When a principal creates a resource, they must add access-project, access-team, and cost-center tags with values that match the principal's tags. The policy also allows adding optional Name or OwnedBy tags.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllActionsSecretsManagerSameProjectSameTeam",
            "Effect": "Allow",
            "Action": "secretsmanager:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/access-project": "${aws:PrincipalTag/access-project}",
                    "aws:ResourceTag/access-team": "${aws:PrincipalTag/access-team}",
                    "aws:ResourceTag/cost-center": "${aws:PrincipalTag/cost-center}"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "access-project",
                        "access-team",
                        "cost-center",
                        "Name",
                        "OwnedBy"
                    ]
                },
                "StringEqualsIfExists": {
                    "aws:RequestTag/access-project": "${aws:PrincipalTag/access-project}",
                    "aws:RequestTag/access-team": "${aws:PrincipalTag/access-team}",
                    "aws:RequestTag/cost-center": "${aws:PrincipalTag/cost-center}"
                }
            }
        },
        {
            "Sid": "AllResourcesSecretsManagerNoTags",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetRandomPassword",
                "secretsmanager:ListSecrets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ReadSecretsManagerSameTeam",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:Describe*",
                "secretsmanager:Get*",
                "secretsmanager:List*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/access-team": "${aws:PrincipalTag/access-team}"
                }
            }
        },
        {
            "Sid": "DenyUntagSecretsManagerReservedTags",
            "Effect": "Deny",
            "Action": "secretsmanager:UntagResource",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:TagKeys": "access-*"
                }
            }
        },
        {
            "Sid": "DenyPermissionsManagement",
            "Effect": "Deny",
            "Action": "secretsmanager:*Policy",
            "Resource": "*"
        }
    ]
}

Create Roles

Create the following IAM roles and attach the access-same-project-team policy that you created in the previous step.

Project Pegasus Engineering
  Role tags: access-project = peg, access-team = eng, cost-center = 987654
  Role name: access-peg-engineering
  Description: Allows engineers to read all engineering resources and create and manage Pegasus engineering resources.

Project Pegasus Quality Assurance
  Role tags: access-project = peg, access-team = qas, cost-center = 987654
  Role name: access-peg-quality-assurance
  Description: Allows the QA team to read all QA resources and create and manage all Pegasus QA resources.

Project Unicorn Engineering
  Role tags: access-project = uni, access-team = eng, cost-center = 123456
  Role name: access-uni-engineering
  Description: Allows engineers to read all engineering resources and create and manage Unicorn engineering resources.

Project Unicorn Quality Assurance
  Role tags: access-project = uni, access-team = qas, cost-center = 123456
  Role name: access-uni-quality-assurance
  Description: Allows the QA team to read all QA resources and create and manage all Unicorn QA resources.

Test Creating Secrets

The permissions policy attached to the roles allows the employees to create secrets. This is allowed only if the secret is tagged with their project, team, and cost center. Confirm that your permissions are working as expected by signing in as your users, assuming the correct role, and testing activity in Secrets Manager.

To test creating a secret with and without the required tags

  • In your main browser window, remain signed in as the administrator user so that you can review users, roles, and policies in IAM. Use a browser incognito window or a separate browser for your testing. There, sign in as the access-Arnav-peg-eng IAM user and open the Secrets Manager console.
  • Attempt to switch to the access-uni-engineering role.

This operation fails because the access-project and cost-center tag values do not match for the access-Arnav-peg-eng user and access-uni-engineering role.

  • Switch to the access-peg-engineering role.
  • Store a new secret using the following information.
    • In the Select secret type section, choose Other type of secrets. In the two text boxes, enter test-access-key and test-access-secret.
    • Enter test-access-peg-eng for the Secret name field.
    • Add different tag combinations from the following table and view the expected behavior.
    • Choose Store to attempt to create the secret. When the storage fails, return to the previous Secrets Manager console pages and use the next tag set from the following table. The last tag set is allowed and will successfully create the secret.

access-project   access-team   cost-center   Additional tags   Expected behavior
(none)           (none)        (none)        (none)            Denied because the access-project tag value does not match the role's value of peg.
uni              eng           987654        (none)            Denied because the access-project tag value does not match the role's value of peg.
peg              qas           987654        (none)            Denied because the access-team tag value does not match the role's value of eng.
peg              eng           123456        (none)            Denied because the cost-center tag value does not match the role's value of 987654.
peg              eng           987654        Name = Jane       Allowed because all three required tags are present and their values match the role's values. You are also allowed to include the optional Name tag.
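The tag-matching logic behind both the assume-role step (access-assume-role) and the create-secret table above, as an added example that is not part of the AWS tutorial: a small Python model of the three condition operators the two policies use (StringEquals with ${aws:PrincipalTag/...} variables, ForAllValues:StringEquals on aws:TagKeys, and StringEqualsIfExists on aws:RequestTag), so the Expected behavior column can be checked offline without an account. It assumes that on CreateSecret the tags in the request are evaluated as the new secret's aws:ResourceTag values, which is the behaviour the table demonstrates; the explicit Deny statements, resource policies and SCPs are not modelled.

```python
"""Offline model of the tag-matching Condition blocks in the tutorial's two policies (added example,
not AWS's code). Only their three operators are modelled; Deny statements, resource policies and SCPs are not."""
import re

REQUIRED = ("access-project", "access-team", "cost-center")
def tag_match(prefix):
    """{'<prefix>/<key>': '${aws:PrincipalTag/<key>}'} for the three required tags."""
    return {f"{prefix}/{k}": f"${{aws:PrincipalTag/{k}}}" for k in REQUIRED}

ASSUME_ROLE_CONDITION = {"StringEquals": tag_match("iam:ResourceTag")}
SECRET_CONDITION = {"StringEquals": tag_match("aws:ResourceTag"),
                    "ForAllValues:StringEquals": {"aws:TagKeys": [*REQUIRED, "Name", "OwnedBy"]},
                    "StringEqualsIfExists": tag_match("aws:RequestTag")}

def resolve(value, ctx):
    """Substitute a ${...} policy variable from ctx; None when it cannot be resolved."""
    m = re.fullmatch(r"\$\{([^}]+)\}", value)
    return ctx.get(m.group(1)) if m else value

def evaluate(condition, ctx):
    """True when every operator/key pair matches ctx (values are str, or a list for aws:TagKeys)."""
    for operator, pairs in condition.items():
        if_exists, for_all = operator.endswith("IfExists"), operator.startswith("ForAllValues:")
        for key, expected in pairs.items():
            expected = {resolve(v, ctx) for v in ([expected] if isinstance(expected, str) else expected)}
            actual = ctx.get(key)
            if actual is None:  # absent key: plain StringEquals fails, IfExists skips it, ForAllValues over {} holds
                if not (if_exists or for_all):
                    return False
                continue
            actual = {actual} if isinstance(actual, str) else set(actual)
            if not (actual <= expected if for_all else actual == expected):
                return False
    return True

def request_context(principal_tags, resource_tags, request_tags=None):
    """Populate the condition keys IAM derives from the principal, the resource and the request."""
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    ctx.update({f"{p}/{k}": v for p in ("iam:ResourceTag", "aws:ResourceTag") for k, v in resource_tags.items()})
    if request_tags is not None:
        ctx.update({f"aws:RequestTag/{k}": v for k, v in request_tags.items()})
        ctx["aws:TagKeys"] = list(request_tags)
    return ctx

def can_assume_role(principal_tags, role_name, role_tags):
    """access-assume-role: the role must match role/access-* and carry the user's three tag values."""
    return role_name.startswith("access-") and evaluate(ASSUME_ROLE_CONDITION, request_context(principal_tags, role_tags))

def can_create_secret(principal_tags, request_tags):
    # CreateSecret: the secret does not exist yet, so the request tags stand in for aws:ResourceTag (assumption).
    return evaluate(SECRET_CONDITION, request_context(principal_tags, request_tags, request_tags))
```

Calling can_create_secret with access-Arnav-peg-eng's tags and each row of the table reproduces the Denied/Allowed column, and a request carrying a tag key outside the allow-list (for example a constructed Environment tag) is denied by the ForAllValues check even when the three required tags match.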

Summary

You've now successfully completed all of the steps necessary to use tags for attribute-based access control (ABAC). You've learned how to define a tagging strategy. You applied that strategy to your principals and resources. You created and applied a policy that enforces the strategy for Secrets Manager.