A Lambda function needs to read the current value of exactly one AWS Secrets Manager secret at startup. Which least-privilege IAM permission (action and resource scope) should you grant to the Lambda execution role?
- A
secretsmanager:ListSecrets on all secrets (resource set to "*")
Why wrong: ListSecrets enumerates secrets. It returns metadata (names, ARNs, tags, rotation settings), not values, so it does not let the function read the secret at all; and because the resource is "*", it exposes the existence of every secret in the account. When the function already knows which secret it needs, enumeration is unnecessary and violates least privilege.
- B
secretsmanager:GetSecretValue on only the secret’s full ARN
Why correct: GetSecretValue is the only action that returns the secret value, and scoping it to the secret's full ARN (including the random suffix Secrets Manager appends to the name) means the execution role can read that one secret and nothing else. One caveat: if the secret is encrypted with a customer-managed KMS key rather than the default aws/secretsmanager key, the role also needs kms:Decrypt on that key, granted either in the role's policy or in the key policy.
- C
secretsmanager:UpdateSecret on the specific secret ARN
Why wrong: UpdateSecret grants write capability (changing the secret's value or metadata) but does not let the caller read the current value, so it fails the requirement outright. It also increases blast radius: if the function code or execution role is compromised, the attacker can modify the secret.
- D
secretsmanager:DescribeSecret on all secrets (resource set to "*")
Why wrong: DescribeSecret returns metadata about a secret (name, description, rotation configuration, version IDs and staging labels) and never the secret value, so the function still could not read it. Using "*" as the resource is also broader than required.
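The following is an added example, not part of the original quiz. It generates the option-B policy document (GetSecretValue on one secret ARN, plus a scoped kms:Decrypt statement for the case where the secret uses a customer-managed key) and lints a candidate policy for the trap patterns the wrong options show: a "*" resource, enumeration or metadata-only actions, write actions, and the absence of any statement that actually allows reading the secret. The ARNs and the `read_policy`, `lint_policy` names are constructed for illustration; the action names and the kms:ViaService condition key are real IAM identifiers.

```python
"""Least-privilege Secrets Manager read for a Lambda execution role.

Added example (not the quiz's own code). Builds the policy the question
asks for and lints candidate policies for the trap patterns. All ARNs
are constructed placeholders.
"""
import fnmatch
import json
from typing import List, Optional

# Constructed sample identifiers (placeholders, not real resources).
SECRET_ARN = ("arn:aws:secretsmanager:us-east-1:123456789012:"
              "secret:prod/app/db-creds-AbCdEf")
CMK_ARN = ("arn:aws:kms:us-east-1:123456789012:"
           "key/11111111-2222-3333-4444-555555555555")

READ_ACTION = "secretsmanager:GetSecretValue"
WRITE_ACTIONS = {
    "secretsmanager:UpdateSecret", "secretsmanager:PutSecretValue",
    "secretsmanager:CreateSecret", "secretsmanager:DeleteSecret",
    "secretsmanager:RestoreSecret", "secretsmanager:RotateSecret",
    "secretsmanager:UpdateSecretVersionStage",
    "secretsmanager:PutResourcePolicy", "secretsmanager:DeleteResourcePolicy",
}


def read_policy(secret_arn: str, kms_key_arn: Optional[str] = None) -> dict:
    """Policy granting read of exactly one secret (option B).

    kms:Decrypt is only needed for a customer-managed key; the default
    aws/secretsmanager key needs no grant. kms:ViaService pins the decrypt
    to calls made through Secrets Manager in the secret's region.
    """
    region = secret_arn.split(":")[3]
    statements = [{"Sid": "ReadOneSecret", "Effect": "Allow",
                   "Action": READ_ACTION, "Resource": secret_arn}]
    if kms_key_arn:
        statements.append({
            "Sid": "DecryptViaSecretsManager", "Effect": "Allow",
            "Action": "kms:Decrypt", "Resource": kms_key_arn,
            "Condition": {"StringEquals": {
                "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value) -> list:
    # IAM accepts either a string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict, secret_arn: str) -> List[str]:
    """Findings for a policy meant to read only `secret_arn`; [] means OK."""
    findings: List[str] = []
    can_read = False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' covers every secret, not one")
        for action in _as_list(stmt.get("Action", [])):
            if action == READ_ACTION:
                # IAM resource wildcards are '*' and '?'; fnmatch matches both
                # (it also treats '[...]' specially, which IAM does not).
                if any(fnmatch.fnmatchcase(secret_arn, r) for r in resources):
                    can_read = True
            elif action == "secretsmanager:ListSecrets":
                findings.append(f"{sid}: ListSecrets enumerates metadata; "
                                "unnecessary when the ARN is known")
            elif action == "secretsmanager:DescribeSecret":
                findings.append(f"{sid}: DescribeSecret returns metadata, "
                                "not the secret value")
            elif action in WRITE_ACTIONS:
                findings.append(f"{sid}: {action} is a write action")
            elif action.startswith("secretsmanager:") and action.endswith("*"):
                findings.append(f"{sid}: wildcard action {action}")
    if not can_read:
        findings.append(f"nothing allows {READ_ACTION} on {secret_arn}")
    return findings


if __name__ == "__main__":
    print(json.dumps(read_policy(SECRET_ARN, CMK_ARN), indent=2))
    options = {  # the quiz's four options as single statements
        "A": ("secretsmanager:ListSecrets", "*"),
        "B": (READ_ACTION, SECRET_ARN),
        "C": ("secretsmanager:UpdateSecret", SECRET_ARN),
        "D": ("secretsmanager:DescribeSecret", "*"),
    }
    for letter, (action, resource) in options.items():
        policy = {"Version": "2012-10-17", "Statement": [
            {"Sid": letter, "Effect": "Allow", "Action": action, "Resource": resource}]}
        print(letter, lint_policy(policy, SECRET_ARN) or ["OK: least privilege"])
```

Running the script prints the generated policy and then one line per option: only B comes back clean, A and D are flagged for the "*" resource and for granting metadata rather than the value, and C is flagged as a write action; A, C and D additionally fail because nothing in them allows GetSecretValue. A resource written with the usual `…db-creds-*` suffix wildcard also passes the lint, since IAM and `fnmatch` agree on `*` and `?`.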