Prevent Amazon Secrets Manager replication - Amazon Secrets Manager

Prevent Amazon Secrets Manager replication

A secret can be replicated to other Regions either with ReplicateSecretToRegions or at creation time with CreateSecret. If you want to prevent users from replicating secrets, we recommend that you withhold permission for any action that carries the AddReplicaRegions parameter. You can do this with a Condition element in your permission policies that allows only requests that don't add replica Regions. The following policy examples show Condition statements you can use.

Example Prevent replication permission

The following policy example allows every Secrets Manager action as long as the request doesn't add replica Regions. The Null condition operator evaluates to true only when the secretsmanager:AddReplicaRegions key is absent from the request, so the Allow does not apply to a CreateSecret or ReplicateSecretToRegions call that includes replica Regions. This prevents users from replicating secrets through either API.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:*",
            "Resource": "*",
            "Condition": {
                "Null": {
                    "secretsmanager:AddReplicaRegions": "true"
                }
            }
        }
    ]
}

Example Allow replication permission only to specific Regions

The following policy uses the ForAllValues:StringLike set operator, which matches when every Region listed in AddReplicaRegions matches one of the given patterns, and also when the parameter is absent from the request. It therefore allows all of the following:

  • Create secrets without replication

  • Create secrets with replication to Regions only in United States and Canada

  • Replicate secrets to Regions only in United States and Canada

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:CreateSecret",
                "secretsmanager:ReplicateSecretToRegions"
            ],
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringLike": {
                    "secretsmanager:AddReplicaRegions": [
                        "us-*",
                        "ca-*"
                    ]
                }
            }
        }
    ]
}
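To check how the two policies above behave before deploying them, the following added example (not part of this documentation and not AWS's policy engine) is a minimal evaluator that models only the Null and ForAllValues:StringLike operators, Allow statements, and the single secretsmanager:AddReplicaRegions condition key; the policies are copied from this page and the request values are constructed.

```python
import re

# Added illustration (not AWS's policy engine): a minimal evaluator for the
# two condition operators on this page, Null and ForAllValues:StringLike,
# applied to the secretsmanager:AddReplicaRegions request key. Only Allow
# statements and that single condition key are modelled.

NO_REPLICATION = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*",
    "Condition": {"Null": {"secretsmanager:AddReplicaRegions": "true"}}}]}

US_CA_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["secretsmanager:CreateSecret", "secretsmanager:ReplicateSecretToRegions"],
    "Condition": {"ForAllValues:StringLike": {
        "secretsmanager:AddReplicaRegions": ["us-*", "ca-*"]}}}]}

KEY = "secretsmanager:AddReplicaRegions"

def string_like(pattern, value):
    """StringLike match: '*' is any run of characters, '?' a single character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def condition_matches(operator, expected, replica_regions):
    """replica_regions is None when the request carries no AddReplicaRegions."""
    if operator == "Null":
        # "true" requires the key to be absent, "false" requires it to be present.
        return (replica_regions is None) == (expected == "true")
    if operator == "ForAllValues:StringLike":
        # Set operator: every request value must match some pattern; an absent
        # or empty key satisfies it, which is why CreateSecret without
        # replication is still allowed by the second policy.
        patterns = expected if isinstance(expected, list) else [expected]
        return all(any(string_like(p, v) for p in patterns) for v in replica_regions or [])
    raise ValueError(f"operator not modelled: {operator}")

def is_allowed(policy, action, replica_regions=None):
    """True if some Allow statement matches the action and all its conditions hold."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or not any(string_like(a, action) for a in actions):
            continue
        if all(condition_matches(op, keys[KEY], replica_regions)
               for op, keys in stmt.get("Condition", {}).items()):
            return True
    return False
```

Calling is_allowed with a constructed request such as ("secretsmanager:CreateSecret", ["us-east-1", "eu-west-1"]) shows that the second policy rejects a mixed Region list because ForAllValues requires every value to match.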