{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllActionsSecretsManagerSameProjectSameTeam",
      "Effect": "Allow",
      "Action": "secretsmanager:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/access-project": "${aws:PrincipalTag/access-project}",
          "aws:ResourceTag/access-team": "${aws:PrincipalTag/access-team}",
          "aws:ResourceTag/cost-center": "${aws:PrincipalTag/cost-center}"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "access-project",
            "access-team",
            "cost-center",
            "Name",
            "OwnedBy"
          ]
        },
        "StringEqualsIfExists": {
          "aws:RequestTag/access-project": "${aws:PrincipalTag/access-project}",
          "aws:RequestTag/access-team": "${aws:PrincipalTag/access-team}",
          "aws:RequestTag/cost-center": "${aws:PrincipalTag/cost-center}"
        }
      }
    },
    {
      "Sid": "AllResourcesSecretsManagerNoTags",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetRandomPassword",
        "secretsmanager:ListSecrets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ReadSecretsManagerSameTeam",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:Describe*",
        "secretsmanager:Get*",
        "secretsmanager:List*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/access-team": "${aws:PrincipalTag/access-team}"
        }
      }
    },
    {
      "Sid": "DenyUntagSecretsManagerReservedTags",
      "Effect": "Deny",
      "Action": "secretsmanager:UntagResource",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:TagKeys": "access-*"
        }
      }
    },
    {
      "Sid": "DenyPermissionsManagement",
      "Effect": "Deny",
      "Action": "secretsmanager:*Policy",
      "Resource": "*"
    }
  ]
}