-
Notifications
You must be signed in to change notification settings - Fork 131
/
Copy pathcross-account-secret.yml
108 lines (93 loc) · 3.32 KB
/
cross-account-secret.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
AWSTemplateFormatVersion: '2010-09-09-OC'
# Include file that contains Organization Section.
# The Organization Section describes Accounts, Organizational Units, etc.
Organization: !Include ../organization.yml
# Any Binding that does not explicitly specify a region will default to this.
# Value can be either string or list
DefaultOrganizationBindingRegion: eu-central-1
Parameters:
resourcePrefix:
Type: String
Default: my
secretName:
Type: String
secretsAccount:
Type: String
Default: !Ref SharedComplianceAccount
# Section contains a named set of Bindings.
# Bindings determine what resources are deployed where
# These bindings can be !Ref'd from the Resources in the resource section
OrganizationBindings:
# Binding for: Secret, SecretKey, SecretResourcePolicy
SecretAccountBinding:
Account: !Ref secretsAccount
# Binding for: GetSecretValueIAMPolicy
GetSecretValueAccountBinding:
Account: '*'
ExcludeAccount: !Ref secretsAccount
Resources:
SecretKey:
Type: AWS::KMS::Key
OrganizationBinding: !Ref SecretAccountBinding
Properties:
Description: Used to encrypt cross account secrets.
Enabled: true
EnableKeyRotation: true
KeyPolicy:
Version: 2012-10-17
Statement:
- Sid: 'Account as owner'
Effect: Allow
Principal:
AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
Action: 'kms:*'
Resource: '*'
- Sid: 'Allow access through AWS Secrets Manager for all principals in the account that are authorized to use AWS Secrets Manager'
Effect: Allow
Principal:
AWS: Fn::EnumTargetAccounts GetSecretValueAccountBinding arn:aws:iam::${account}:root
Action:
- kms:Decrypt
- kms:DescribeKey
Resource: '*'
Condition:
StringEquals:
kms:ViaService: !Sub 'secretsmanager.${AWS::Region}.amazonaws.com'
Secret:
Type: AWS::SecretsManager::Secret
OrganizationBinding: !Ref SecretAccountBinding
Properties:
Name: !Ref secretName
KmsKeyId: !Ref SecretKey
SecretResourcePolicy:
Type: AWS::SecretsManager::ResourcePolicy
OrganizationBinding: !Ref SecretAccountBinding
Properties:
SecretId: !Ref Secret
ResourcePolicy:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: Fn::EnumTargetAccounts GetSecretValueAccountBinding arn:aws:iam::${account}:root
Action:
- secretsmanager:ListSecrets
- secretsmanager:DescribeSecret
- secretsmanager:GetSecretValue
Resource: '*'
GetSecretValueIAMPolicy:
Type: AWS::IAM::ManagedPolicy
OrganizationBinding: !Ref GetSecretValueAccountBinding
Properties:
ManagedPolicyName: !Sub '${resourcePrefix}-${secretName}-get-value-policy'
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: secretsmanager:GetSecretValue
Resource: Fn::EnumTargetRegions SecretAccountBinding arn:aws:secretsmanager:${region}:${secretsAccount}:secret:${secretName}-*
- Effect: Allow
Action:
- kms:Decrypt
- kms:DescribeKey
Resource: !GetAtt SecretKey.Arn