---
layout: default
---
## AWS Secrets Manager
| Identifier | Guardrail | Rationale | Remediation | References | IAM Actions |
|:-----------|:----------|:----------|:------------|:-----------|:------------|
| IAM-SECRETSMANAGER-1 | Check that DeleteSecret is appropriately scoped and limited to authorized principals. | Deleting a secret makes it immediately inaccessible and could impact applications that depend on it. | Check that only authorized principals can invoke DeleteSecret. Scope the permission using the condition keys secretsmanager:SecretId or secretsmanager:AllowRotationLambdaArn, or by tag using secretsmanager:ResourceTag/. Optionally prevent the recovery window from being disabled using the conditions secretsmanager:ForceDeleteWithoutRecovery and secretsmanager:RecoveryWindowInDays. | [https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_delete-restore-secret.html](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_delete-restore-secret.html)<br>[https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery)<br>[https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_iam-permissions.html#iam-contextkeys](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_iam-permissions.html#iam-contextkeys) | secretsmanager:DeleteSecret |
| IAM-SECRETSMANAGER-2 | Check that only authorized principals are able to retrieve a secret value. | Sensitive or confidential information (e.g., credentials) is expected to be stored in AWS Secrets Manager. Ensuring only authorized access reduces the risk of unauthorized disclosure. | Check that only authorized principals can invoke GetSecretValue. Specify the secret's resource ARN. Also scope the permission using the condition key secretsmanager:SecretId or secretsmanager:ResourceTag/. | [https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html)<br>[https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_iam-permissions.html#iam-contextkeys](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_iam-permissions.html#iam-contextkeys) | secretsmanager:GetSecretValue |
| IAM-SECRETSMANAGER-3 | Check for separation of duties between managing a secret and reading or writing its value. | An administrator is required to create a secret via CreateSecret. However, populating the secret value, both reading it via GetSecretValue and writing it via PutSecretValue, should be performed by a separate principal; ideally only automation should generate a (random) secret value and rotate the secret. Separating management from viewing the secret data reduces the risk of unauthorized access. | Check that the administrative principal (CreateSecret) is separate from the secret-value principal (GetSecretValue and PutSecretValue). | | secretsmanager:CreateSecret |
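As an added example (not part of this guardrail catalogue), the IAM-SECRETSMANAGER-1 check expressed as a small policy linter: it flags Allow statements that grant DeleteSecret on every secret without one of the scoping condition keys named above, and reports when no Deny statement blocks ForceDeleteWithoutRecovery. The two policy documents are constructed for the example and do not come from any real account.

```python
import json

DELETE_ACTION = "secretsmanager:deletesecret"
# Condition keys the guardrail accepts as scoping DeleteSecret (compared case-insensitively)
SCOPING_KEYS = ("secretsmanager:secretid", "secretsmanager:allowrotationlambdaarn",
                "secretsmanager:resourcetag/")
FORCE_DELETE_KEY = "secretsmanager:forcedeletewithoutrecovery"

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _covers_delete(action):
    # Only exact and full-service wildcards are expanded; partial globs are not
    return action.lower() in (DELETE_ACTION, "secretsmanager:*", "*")

def _condition_keys(stmt):
    # Flatten {"StringEquals": {"secretsmanager:ResourceTag/owner": ...}} into key names
    return [k.lower() for ops in stmt.get("Condition", {}).values() for k in ops]

def check_delete_secret(policy):
    """Return findings for IAM-SECRETSMANAGER-1 against one IAM policy document."""
    findings, force_delete_denied = [], False
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if not any(_covers_delete(a) for a in _as_list(stmt.get("Action"))):
            continue
        keys = _condition_keys(stmt)
        if stmt.get("Effect") == "Deny" and FORCE_DELETE_KEY in keys:
            force_delete_denied = True
        elif stmt.get("Effect") == "Allow":
            on_all_secrets = "*" in _as_list(stmt.get("Resource"))
            scoped = any(k.startswith(SCOPING_KEYS) for k in keys)
            if on_all_secrets and not scoped:
                findings.append(f"statement {i}: DeleteSecret allowed on every secret with no scoping condition")
    if not force_delete_denied:
        findings.append("no Deny on ForceDeleteWithoutRecovery: the recovery window can be bypassed")
    return findings

# Constructed sample policies for the example (not from any real account)
WEAK_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "secretsmanager:DeleteSecret", "Resource": "*"}]}''')

HARDENED_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "secretsmanager:DeleteSecret", "Resource": "*",
   "Condition": {"StringEquals": {"secretsmanager:ResourceTag/owner": "payments-team"}}},
  {"Effect": "Deny", "Action": "secretsmanager:DeleteSecret", "Resource": "*",
   "Condition": {"Bool": {"secretsmanager:ForceDeleteWithoutRecovery": "true"}}}]}''')

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, check_delete_secret(policy) or ["OK"])
```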