
from aws_cdk import aws_events as events, aws_events_targets as targets, aws_ssm as ssm
# In stack
governance_rule = events.Rule(
self, "GovernanceRule",
event_pattern={
"source": ["aws.config"],
"detail": {
"configRuleName": ["secretsmanager-secret-unused"],
"newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}
from aws_cdk import aws_config as config
# Add to SecretsGovernanceStack
unused_rule = config.CfnConfigRule(
self, "UnusedSecretsDetection",
config_rule_name="secretsmanager-secret-unused",
description="Flags secrets unused >90 days",
source=config.CfnConfigRule.SourceProperty(
owner="AWS",
source_identifier="SECRETSMANAGER_SECRET_UNUSED",
resource "aws_iam_policy" "secret_tagging_deny" {
name = "DenyUntaggedSecrets"
description = "Deny secret creation without tags"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Deny"
Action = ["secretsmanager:CreateSecret", "secretsmanager:TagResource"]