I have been working on updating our CloudFormation stacks across several applications to enable FIPS-140; enabling FIPS in the AMI bake job works fine. However, once the application is deployed from the pipeline it no longer works with Secrets Manager. Any ideas?
Using this guide for FIPS: https://aws.amazon.com/compliance/fips/
Policies:
  - PolicyName: ApiAccessForAssetInstances
    PolicyDocument:
      Statement:
        - Effect: Allow
          Action:
            - 'cloudwatch:PutMetricData'
            - 'logs:PutLogEvents'
            - 'logs:CreateLogGroup'
            - 'logs:CreateLogStream'
            - 'secretsmanager:GetSecretValue'
          Resource: '*'
        - Effect: Allow
          Action:
            - 's3:AbortMultipartUpload'
            - 's3:DeleteObject*'
            - 's3:PutObject*'
            - 's3:RestoreObject'
          Resource:
            - !Sub "arn:aws:s3:::${AssetGroup}-services-product-newlexis-${EnvType}-us-east-1/*"
            - !Sub "arn:aws:s3:::${AssetGroup}-services-product-newlexis-${EnvType}-us-east-1"
            - !Sub "arn:aws:s3:::services-configs.${EnvType}"
            - !Sub "arn:aws:s3:::services-configs.${EnvType}/*"
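Added example, not code from the poster or from their pipeline: the post does not say which endpoint the application's SDK resolves once the host is in FIPS mode, and that is the first thing worth checking, because the AWS SDKs only use the `secretsmanager-fips.<region>.amazonaws.com` endpoints when told to. In boto3 that is the `use_fips_endpoint` option of `botocore.config.Config` (or the `AWS_USE_FIPS_ENDPOINT=true` environment variable for code you cannot change). The snippet builds a Secrets Manager client with that flag, verifies the endpoint the client actually resolved before calling `GetSecretValue`, and falls back gracefully when boto3 is not installed so the helper functions can be exercised offline. The secret name and the `us-east-1` region are assumptions for illustration.

```python
"""Added example: make boto3 use the Secrets Manager FIPS endpoint and check it did."""
import os
from typing import Optional

try:
    import boto3
    from botocore.config import Config
except ImportError:  # boto3 is assumed present on the instance; optional for the offline helpers
    boto3 = None
    Config = None


def expected_fips_endpoint(service: str, region: str) -> str:
    """Documented FIPS hostname pattern (service-fips.region.amazonaws.com);
    used only as the expected value when checking a resolved client endpoint."""
    return f"https://{service}-fips.{region}.amazonaws.com"


def client_uses_fips(client, service: str, region: str) -> bool:
    """True when the client resolved the FIPS endpoint for this service/region.
    `client` only needs a `.meta.endpoint_url` attribute, as boto3 clients have."""
    return client.meta.endpoint_url == expected_fips_endpoint(service, region)


def fips_env_requested() -> bool:
    """Reflects the AWS_USE_FIPS_ENDPOINT variable the SDKs honour (set in user data or
    the service unit when you cannot touch application code)."""
    return os.environ.get("AWS_USE_FIPS_ENDPOINT", "").strip().lower() == "true"


def fips_client(service: str, region: str):
    """Build a client that resolves the FIPS endpoint via the documented Config flag."""
    if boto3 is None:
        raise RuntimeError("boto3 is not installed in this environment")
    return boto3.client(service, region_name=region, config=Config(use_fips_endpoint=True))


def get_secret_fips(secret_id: str, region: str = "us-east-1") -> Optional[str]:
    """Fetch a secret over the FIPS endpoint, refusing to proceed if the client
    silently resolved the non-FIPS hostname (the symptom to rule out first)."""
    client = fips_client("secretsmanager", region)
    if not client_uses_fips(client, "secretsmanager", region):
        raise RuntimeError(
            f"client resolved {client.meta.endpoint_url}, not the FIPS endpoint"
        )
    resp = client.get_secret_value(SecretId=secret_id)
    # Secrets may be stored as a string or as binary; return whichever is present.
    if "SecretString" in resp:
        return resp["SecretString"]
    return resp.get("SecretBinary", b"").decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Hypothetical secret name; requires credentials and network access to run for real.
    print(get_secret_fips("example/app/db-password"))
```

If the resolved endpoint is already the FIPS one and `GetSecretValue` still fails, the IAM side of the post is worth a second look: the first statement grants `secretsmanager:GetSecretValue` on `Resource: '*'`, which is broader than the instance needs, but it is not what would block the call; a scoped ARN for the specific secret keeps the grant to least privilege while still allowing the read.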