1 change: 1 addition & 0 deletions prowler/CHANGELOG.md
Expand Up @@ -16,6 +16,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
- SecNumCloud 3.2 for the Azure provider [(#10358)](https://github.com/prowler-cloud/prowler/pull/10358)
- SecNumCloud 3.2 for the Alibaba Cloud provider [(#10370)](https://github.com/prowler-cloud/prowler/pull/10370)
- SecNumCloud 3.2 for the Oracle Cloud provider [(#10371)](https://github.com/prowler-cloud/prowler/pull/10371)
- `secretsmanager_has_restrictive_resource_policy` check for AWS provider [(#6985)](https://github.com/prowler-cloud/prowler/pull/6985)

### 🔄 Changed

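Review bot: the new entry reads "for AWS provider" while the neighbouring entries use "for the Azure provider" / "for the Alibaba Cloud provider" / "for the Oracle Cloud provider"; change it to "for the AWS provider" for consistency. The linked PR number #6985 is also far below the adjacent #10358 to #10371, so it is worth confirming the link points at this pull request and not an older one.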
1 change: 1 addition & 0 deletions prowler/config/config.yaml
Expand Up @@ -135,6 +135,7 @@ aws:
# ]
organizations_enabled_regions: []
organizations_trusted_delegated_administrators: []
organizations_trusted_ids: []

# AWS ECR
# aws.ecr_repositories_scan_vulnerabilities_in_latest_image
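Review bot: `organizations_trusted_ids: []` is added without a comment saying which check reads it or what the list is expected to hold (account IDs, organization IDs or ARNs), whereas the surrounding settings in this file are introduced by comments naming the consuming check (e.g. `# AWS ECR` followed by `# aws.ecr_repositories_scan_vulnerabilities_in_latest_image`). Add a comment block above the key for `aws.secretsmanager_has_restrictive_resource_policy` that states the value format, and consider a more specific key name if the list holds account IDs rather than organization IDs, since it is placed between two Organizations settings and the `organizations_` prefix suggests the latter.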
@@ -0,0 +1,41 @@
{
"Provider": "aws",
"CheckID": "secretsmanager_has_restrictive_resource_policy",
"CheckTitle": "Secrets Manager secret has a restrictive resource-based policy",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices",
"Effects/Data Exposure"
],
"ServiceName": "secretsmanager",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:secretsmanager:region:account-id:secret:secret-name",
"Severity": "high",
"ResourceType": "AwsSecretsManagerSecret",
"ResourceGroup": "security",
"Description": "**AWS Secrets Manager secrets** are evaluated for **restrictive resource-based policies**. The policy must include an explicit **Deny** for unauthorized principals, restrict access to the **AWS Organization**, limit each principal to **specific actions** via `NotAction`, and constrain AWS service access with `aws:SourceAccount`.",
"Risk": "Without a restrictive resource policy, **any IAM principal** in the account—or even **cross-account entities**—can read, modify, or delete the secret, compromising **confidentiality** and **integrity**. Overly broad policies enable **lateral movement** and **privilege escalation** through exposed credentials.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html",
"https://docs.aws.amazon.com/secretsmanager/latest/userguide/determine-acccess_examine-iam-policies.html"
],
"Remediation": {
"Code": {
"CLI": "aws secretsmanager put-resource-policy --secret-id <example_resource_id> --resource-policy file://policy.json",
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::SecretsManager::ResourcePolicy\n Properties:\n SecretId: <example_resource_id>\n ResourcePolicy: # Critical: deny-by-default with explicit exceptions\n Version: '2012-10-17'\n Statement:\n - Effect: Deny\n Principal: '*'\n Action: '*'\n Resource: '*'\n Condition:\n StringNotEquals:\n aws:PrincipalArn: <AUTHORIZED_ROLE_ARN>\n```",
"Other": "1. Open AWS Console > Secrets Manager\n2. Select the secret > Overview tab > Resource permissions > Edit permissions\n3. Add a **Deny** statement for `Principal: *` with `StringNotEquals` condition listing only authorized `aws:PrincipalArn` values\n4. Add a **Deny** statement with `StringNotEquals` on `aws:PrincipalOrgID` to block access from outside your organization\n5. For each authorized principal, add a **Deny** with `NotAction` listing only the specific actions they need\n6. Save the policy",
"Terraform": "```hcl\nresource \"aws_secretsmanager_secret_policy\" \"<example_resource_name>\" {\n secret_arn = \"<example_resource_id>\"\n policy = jsonencode({ # Critical: deny-by-default with explicit exceptions\n Version = \"2012-10-17\"\n Statement = [\n {\n Effect = \"Deny\"\n Principal = \"*\"\n Action = \"*\"\n Resource = \"*\"\n Condition = {\n StringNotEquals = {\n \"aws:PrincipalArn\" = [\"<AUTHORIZED_ROLE_ARN>\"]\n }\n }\n }\n ]\n })\n}\n```"
},
"Recommendation": {
"Text": "Apply **deny-by-default** resource policies to every secret:\n- Deny all principals except explicitly authorized roles via `StringNotEquals` on `aws:PrincipalArn`\n- Deny access from outside the AWS Organization via `aws:PrincipalOrgID`\n- Restrict each authorized principal to **least-privilege actions** using `NotAction`\n- Constrain AWS service access with `aws:SourceAccount`",
"Url": "https://hub.prowler.com/check/secretsmanager_has_restrictive_resource_policy"
}
},
"Categories": [
"secrets",
"trust-boundaries"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "This check enforces a strict deny-by-default pattern for Secrets Manager resource policies. It validates four layered controls: (1) an explicit Deny for all unauthorized principals, (2) an organization boundary via PrincipalOrgID, (3) per-principal action restrictions via NotAction, and (4) SourceAccount constraints for AWS service principals. Cross-account Allow statements cause the check to fail intentionally to surface expanded trust boundaries for review."
}
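Review bot: the NativeIaC and Terraform remediation snippets implement only the first of the four controls the Notes say the check validates (a Deny on all principals except the listed `aws:PrincipalArn`); they contain no `aws:PrincipalOrgID` boundary, no per-principal `NotAction` statement and no `aws:SourceAccount` condition, so a secret remediated with them as written would still be flagged by this check. Either extend the snippets with the remaining statements, which the "Other" steps 3 to 5 already describe for three of the controls, or mark the snippet comment as a starting point rather than a passing policy. Two smaller points: the CLI command references `file://policy.json` without the policy content, and `RelatedUrl` is left empty although two AWS documentation links are given in `AdditionalURLs`, so one of them could be promoted to `RelatedUrl`.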