1 réponse
- Le plus récent
- Le plus de votes
- La plupart des commentaires
0
There are several ways you could achieve this.
You could use a customer managed KMS Key and only allow decrypt for the roles/users that require the secrect. EG, if you have a lambda function, allow that execution role decrypt on the KMS Key thats used to encrypt the secret but you could allow encrypt for administrators. To do this you would also have to restrict ROOT also on the KMS key with removing decrypt also. If not, IAM Administrators will still have decrypt.
You could place a IAM Policy on the adminsitrator group with a DENY for GetSecretValue on particular resources.
You could have an SCP in place on the Account/OU If in an org to prevent decrypt or get secret value on the Secrets in question
Contenus pertinents
- demandé il y a un an
- demandé il y a un an
- demandé il y a un an
- Réponse acceptéedemandé il y a 2 ans
- AWS OFFICIELA mis à jour il y a 10 mois
- AWS OFFICIELA mis à jour il y a 2 ans
- AWS OFFICIELA mis à jour il y a un an
- AWS OFFICIELA mis à jour il y a 3 ans