Reduce Secret Manage IAM Access (#10)
* updated Secrets Manager IAM access

* changelog
daidokoro authored Dec 26, 2023
1 parent 73c8212 commit bf8d80b
Showing 2 changed files with 111 additions and 16 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -7,6 +7,7 @@

### 🧰 Bug fixes 🧰
- Fixed readme badge link for version
- Reduce Secret Manage IAM permissions

## v0.0.2 Beta / 2023-13-15

126 changes: 110 additions & 16 deletions template.yaml
Expand Up @@ -285,8 +285,14 @@ Conditions:
IsCustomDomain: !Equals [ !Ref CoralogixRegion, Custom ]
S3KeyPrefixIsSet: !Not [ !Equals [ !Ref S3KeyPrefix, '' ] ]
S3SuffixIsSet: !Not [ !Equals [ !Ref S3KeySuffix, '' ] ]
IsCloudTrailIntegration: !Equals [ !Ref IntegrationType, 'CloudTrail' ]
# IsCloudTrailIntegration: !Equals [ !Ref IntegrationType, 'CloudTrail' ]
IsApiKeyNotArn: !Equals [!Ref ApiKey , !Select [0,!Split [":" , !Ref ApiKey]]]
ApiKeyIsArn: !Not [!Condition IsApiKeyNotArn]
UseCloudwatchLogsWithSecretPolicy: !And
- !Condition UseCloudwatchLogs
- !Or
- !Condition StoreAPIKeyInSecretsManager
- !Condition ApiKeyIsArn
# IsVPCFlowLogsIntegration: !Equals [ !Ref IntegrationType, 'VpcFlow' ]
UseAWSDefaultPrefix: !Or
- !Equals [ !Ref IntegrationType, 'VpcFlow' ]
Expand Down Expand Up @@ -330,6 +336,7 @@ Conditions:
UseSNSTopicARNWithNotification: !And
- !Condition UseSNSTopicARN
- !Condition IsNotificationEnabled


Rules:
ValidateCloudWatchLogs:
Expand Down Expand Up @@ -471,11 +478,29 @@ Resources:
Policies:
- S3ReadPolicy:
BucketName: !Ref S3BucketName
- Statement:
- Effect: Allow
Action:
- 'secretsmanager:GetSecretValue'
Resource: !Sub 'arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*'
- !If
- ApiKeyIsArn
- Statement:
- Effect: Allow
Action:
- 'secretsmanager:GetSecretValue'
Resource: !Ref ApiKey
- !If
- StoreAPIKeyInSecretsManager
- Statement:
- Effect: Allow
Action:
- 'secretsmanager:GetSecretValue'
Resource: !Ref Secret
# Note, this is a hack to get around the fact that you can't have a condition on a policy
# If the Apikey is not an ARn or we are not storing the key in secrets manager, then we don't need access
# to secrets manager
- Statement:
- Effect: Deny
Action:
- 'secretsmanager:GetSecretValue'
Resource: '*'


LambdaLogGroupDefault:
Condition: UseDefault
Expand Down Expand Up @@ -545,11 +570,28 @@ Resources:
- !Ref AWS::NoValue
- S3ReadPolicy:
BucketName: !Ref S3BucketName
- Statement:
- Effect: Allow
Action:
- 'secretsmanager:GetSecretValue'
Resource: !Sub 'arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*'
- !If
- ApiKeyIsArn
- Statement:
- Effect: Allow
Action:
- 'secretsmanager:GetSecretValue'
Resource: !Ref ApiKey
- !If
- StoreAPIKeyInSecretsManager
- Statement:
- Effect: Allow
Action:
- 'secretsmanager:GetSecretValue'
Resource: !Ref Secret
# Note, this is a hack to get around the fact that you can't have a condition on a policy
# If the Apikey is not an ARn or we are not storing the key in secrets manager, then we don't need access
# to secrets manager
- Statement:
- Effect: Deny
Action:
- 'secretsmanager:GetSecretValue'
Resource: '*'
EventInvokeConfig:
DestinationConfig:
OnFailure:
Expand Down Expand Up @@ -601,16 +643,68 @@ Resources:
Properties:
CodeUri: .
Policies:
- Statement:
- Effect: Allow
Action:
- 'secretsmanager:GetSecretValue'
Resource: !Sub 'arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*'
- !If
- ApiKeyIsArn
- Statement:
- Effect: Allow
Action:
- 'secretsmanager:GetSecretValue'
Resource: !Ref ApiKey
- !If
- StoreAPIKeyInSecretsManager
- Statement:
- Effect: Allow
Action:
- 'secretsmanager:GetSecretValue'
Resource: !Ref Secret
# Note, this is a hack to get around the fact that you can't have a condition on a policy
# If the Apikey is not an ARn or we are not storing the key in secrets manager, then we don't need access
# to secrets manager
- Statement:
- Effect: Deny
Action:
- 'secretsmanager:GetSecretValue'
Resource: '*'

# - !If
# - ApiKeyIsArn
# - Statement:
# - Effect: Allow
# Action:
# - 'secretsmanager:GetSecretValue'
# Resource: !Ref ApiKey
# - !If
# - StoreAPIKeyInSecretsManager
# - Statement:
# - Effect: Allow
# Action:
# - 'secretsmanager:GetSecretValue'
# Resource: !Ref Secret
# - !Ref AWS::NoValue
EventInvokeConfig:
DestinationConfig:
OnFailure:
Type: SNS

LambdaFunctionCloudwatchLogsPolicies:
Condition: UseCloudwatchLogsWithSecretPolicy
Type: "AWS::IAM::ManagedPolicy"
Properties:
Path: "/"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "secretsmanager:GetSecretValue"
Resource: !If
- ApiKeyIsArn
- !Ref ApiKey
- !If
- StoreAPIKeyInSecretsManager
- !Ref Secret
- !Ref AWS::NoValue

LambdaLogGroupCloudwatchLogs:
Condition: UseCloudwatchLogs
DeletionPolicy: Retain
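Review bot: The fallback `Effect: Deny` on `secretsmanager:GetSecretValue` with `Resource: '*'` (the "hack" block after the second `!If`, repeated in all three function hunks) only works if it is the false branch of the nested `!If`; the rendered view strips indentation so I cannot confirm that nesting, and if it were instead a sibling entry of the `Policies` list the explicit Deny would override the new per-secret Allows for every function, so this deserves a deploy test with `StoreAPIKeyInSecretsManager` set and with a plain key. Even as a false branch, an explicit Deny is stronger than "no grant" — it also blocks `GetSecretValue` that any externally attached policy might give this role, which is acceptable for least privilege but should be stated in the comment, e.g. `# Explicit Deny: also overrides GetSecretValue granted to this role by any other policy`. `ApiKeyIsArn` in the Conditions hunk is derived from "the value contains a colon", so a plaintext key that happens to contain `:` is treated as an ARN and ends up as a malformed `Resource`; checking the first ARN segment instead, `IsApiKeyNotArn: !Not [ !Equals [ !Select [0, !Split [":", !Ref ApiKey]], "arn" ] ]`, is more robust and keeps `ApiKeyIsArn` unchanged. The commented-out block under the third function's `Policies` is the superseded `AWS::NoValue` attempt and can be dropped, and I cannot see where the new `LambdaFunctionCloudwatchLogsPolicies` managed policy is attached — if it is not referenced from a role's `ManagedPolicyArns` it grants nothing, and if it is, it duplicates the inline Allow. The enclosing `Conditions` and `Resources` mappings start before these hunks.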
