apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-secretstore-aws-provider
spec:
  validationFailureAction: Enforce
  rules:
  - name: require-secretstore-aws-provider
    match:
      any:
      - resources:
          kinds:
          - SecretStore
          - ClusterSecretStore
    validate:
      message: "You must only use AWS SecretsManager"
      pattern:
        spec:
          provider:
            aws:
              service: SecretsManager