chore(aws): adapt metadata to new standard per metadata guidelines

kagahd · kagahd · commit 683b4f877cfd · 2026-03-19T18:10:14.000+01:00
diff --git a/prowler/providers/aws/services/secretsmanager/secretsmanager_has_restrictive_resource_policy/secretsmanager_has_restrictive_resource_policy.metadata.json b/prowler/providers/aws/services/secretsmanager/secretsmanager_has_restrictive_resource_policy/secretsmanager_has_restrictive_resource_policy.metadata.json
@@ -1,34 +1,41 @@
 {
   "Provider": "aws",
   "CheckID": "secretsmanager_has_restrictive_resource_policy",
-  "CheckTitle": "Ensure Secrets Manager secrets have restrictive resource-based policies.",
+  "CheckTitle": "Secrets Manager secret has a restrictive resource-based policy",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Effects/Data Exposure"
   ],
   "ServiceName": "secretsmanager",
   "SubServiceName": "",
   "ResourceIdTemplate": "arn:aws:secretsmanager:region:account-id:secret:secret-name",
   "Severity": "high",
   "ResourceType": "AwsSecretsManagerSecret",
-  "Description": "This check verifies whether Secrets Manager secrets have resource-based policies that restrict access.",
-  "Risk": "Secrets without restrictive resource-based policies may be accessed by unauthorized entities, leading to potential data breaches.",
-  "RelatedUrl": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html",
+  "ResourceGroup": "security",
+  "Description": "**AWS Secrets Manager secrets** are evaluated for **restrictive resource-based policies**. The policy must include an explicit **Deny** for unauthorized principals, restrict access to the **AWS Organization**, limit each principal to **specific actions** via `NotAction`, and constrain AWS service access with `aws:SourceAccount`.",
+  "Risk": "Without a restrictive resource policy, **any IAM principal** in the account—or even **cross-account entities**—can read, modify, or delete the secret, compromising **confidentiality** and **integrity**. Overly broad policies enable **lateral movement** and **privilege escalation** through exposed credentials.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html",
+    "https://docs.aws.amazon.com/secretsmanager/latest/userguide/determine-acccess_examine-iam-policies.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws secretsmanager put-resource-policy --secret-id <example_resource_id> --resource-policy file://policy.json",
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::SecretsManager::ResourcePolicy\n    Properties:\n      SecretId: <example_resource_id>\n      ResourcePolicy:  # Critical: deny-by-default with explicit exceptions\n        Version: '2012-10-17'\n        Statement:\n          - Effect: Deny\n            Principal: '*'\n            Action: '*'\n            Resource: '*'\n            Condition:\n              StringNotEquals:\n                aws:PrincipalArn: <AUTHORIZED_ROLE_ARN>\n```",
+      "Other": "1. Open AWS Console > Secrets Manager\n2. Select the secret > Overview tab > Resource permissions > Edit permissions\n3. Add a **Deny** statement for `Principal: *` with `StringNotEquals` condition listing only authorized `aws:PrincipalArn` values\n4. Add a **Deny** statement with `StringNotEquals` on `aws:PrincipalOrgID` to block access from outside your organization\n5. For each authorized principal, add a **Deny** with `NotAction` listing only the specific actions they need\n6. Save the policy",
+      "Terraform": "```hcl\nresource \"aws_secretsmanager_secret_policy\" \"<example_resource_name>\" {\n  secret_arn = \"<example_resource_id>\"\n  policy = jsonencode({  # Critical: deny-by-default with explicit exceptions\n    Version = \"2012-10-17\"\n    Statement = [\n      {\n        Effect    = \"Deny\"\n        Principal = \"*\"\n        Action    = \"*\"\n        Resource  = \"*\"\n        Condition = {\n          StringNotEquals = {\n            \"aws:PrincipalArn\" = [\"<AUTHORIZED_ROLE_ARN>\"]\n          }\n        }\n      }\n    ]\n  })\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that Secrets Manager policies restrict access to authorized principals only, following the Principle of Least Privilege.",
-      "Url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/determine-acccess_examine-iam-policies.html"
+      "Text": "Apply **deny-by-default** resource policies to every secret:\n- Deny all principals except explicitly authorized roles via `StringNotEquals` on `aws:PrincipalArn`\n- Deny access from outside the AWS Organization via `aws:PrincipalOrgID`\n- Restrict each authorized principal to **least-privilege actions** using `NotAction`\n- Constrain AWS service access with `aws:SourceAccount`",
+      "Url": "https://hub.prowler.com/check/secretsmanager_has_restrictive_resource_policy"
     }
   },
   "Categories": [
-    "access-control"
+    "secrets",
+    "trust-boundaries"
   ],
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": ""
+  "Notes": "This check enforces a strict deny-by-default pattern for Secrets Manager resource policies. It validates four layered controls: (1) an explicit Deny for all unauthorized principals, (2) an organization boundary via PrincipalOrgID, (3) per-principal action restrictions via NotAction, and (4) SourceAccount constraints for AWS service principals. Cross-account Allow statements cause the check to fail intentionally to surface expanded trust boundaries for review."
 }
