
I have been working on updating our CF Stack across multiple applications to be FIPS-140 enabled, which is working fine for enabling FIPS on the AMI bake jobs. However, once the application is deployed from the pipeline it is failing to work with secretsmanager. Any ideas?

Using this guide for fips: https://aws.amazon.com/compliance/fips/

```yaml
Policies:
  - PolicyName: ApiAccessForAssetInstances
    PolicyDocument:
      Statement:
        - Effect: Allow
          Action:
            - 'cloudwatch:PutMetricData'
            - 'logs:PutLogEvents'
            - 'logs:CreateLogGroup'
            - 'logs:CreateLogStream'
            - 'secretsmanager:GetSecretValue'
          Resource: '*'
        - Effect: Allow
          Action:
            - 's3:AbortMultipartUpload'
            - 's3:DeleteObject*'
            - 's3:PutObject*'
            - 's3:RestoreObject'
          Resource:
            - !Sub "arn:aws:s3:::${AssetGroup}-services-product-newlexis-${EnvType}-us-east-1/*"
            - !Sub "arn:aws:s3:::${AssetGroup}-services-product-newlexis-${EnvType}-us-east-1"
            - !Sub "arn:aws:s3:::services-configs.${EnvType}"
            - !Sub "arn:aws:s3:::services-configs.${EnvType}/*"
```
  • Can you be more specific? What exactly are you doing with Secrets Manager, and how does the result you get not match the result you expect? – Sotto Voce Sep 23 '22 at 16:45
  • @SottoVoce Just updated with the CF template code. Essentially it is a Java application that gets secret value from secretsmanager – ianhalfpenny Sep 23 '22 at 17:31
  • Looks good, but I still can't see the result you expected vs. the result you got. Is that lone Secrets Manager permission all the process needs? It doesn't need ListSecrets as well? (some libraries like to list before getting) – Sotto Voce Sep 23 '22 at 18:33
  • @SottoVoce can we connect somewhere else so I can send you all the code? – ianhalfpenny Sep 24 '22 at 22:39
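Added example, not the asker's code: a minimal AWS SDK for Java 2.x Secrets Manager client that opts into the FIPS endpoint (which the linked AWS FIPS guide requires on a FIPS-enabled host) and calls only GetSecretValue, matching the single Secrets Manager permission in the template above. The region follows the template's us-east-1; the secret id is an assumed placeholder.

```java
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;
import software.amazon.awssdk.services.secretsmanager.model.SecretsManagerException;

public class FipsSecretReader {

    // Client pinned to the FIPS endpoint (secretsmanager-fips.us-east-1.amazonaws.com)
    // rather than the default one. The same effect can be had without code changes via
    // AWS_USE_FIPS_ENDPOINT=true or "use_fips_endpoint = true" in ~/.aws/config.
    static SecretsManagerClient fipsClient(Region region) {
        return SecretsManagerClient.builder()
                .region(region)
                .fipsEnabled(true)
                .build();
    }

    // Fetches one secret by name or ARN. Because the id is passed explicitly, this path
    // needs only secretsmanager:GetSecretValue; no ListSecrets call is made.
    static String readSecret(SecretsManagerClient client, String secretId) {
        GetSecretValueRequest request = GetSecretValueRequest.builder()
                .secretId(secretId)
                .build();
        GetSecretValueResponse response = client.getSecretValue(request);
        return response.secretString();
    }

    public static void main(String[] args) {
        // Assumed placeholder; the question does not name the secret.
        String secretId = "placeholder/app/db-credentials";
        try (SecretsManagerClient client = fipsClient(Region.US_EAST_1)) {
            String secret = readSecret(client, secretId);
            // Log only metadata, never the secret value itself.
            System.out.println("Fetched secret, length=" + secret.length());
        } catch (SecretsManagerException e) {
            // The service error code (e.g. AccessDeniedException) separates an IAM policy
            // problem from a transport problem, which surfaces as an SdkClientException instead.
            System.err.println(e.awsErrorDetails().errorCode() + ": "
                    + e.awsErrorDetails().errorMessage());
        }
    }
}
```

Running this with a known-good secret and comparing the failure mode (service error vs. TLS/endpoint failure) narrows down whether the policy or the FIPS transport configuration is at fault.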
