Retrieve a High Number of Secrets Manager secrets

idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Credential Access

Description

Retrieves a high number of Secrets Manager secrets, through secretsmanager:GetSecretValue.

Warm-up:

  • Create multiple secrets in Secrets Manager.

Detonation:

  • Enumerate the secrets through secretsmanager:ListSecrets
  • Retrieve each secret value, one by one, through secretsmanager:GetSecretValue

Instructions

Detonate with Stratus Red Team
stratus detonate aws.credential-access.secretsmanager-retrieve-secrets

Detection

Identify principals retrieving a high number of secrets, through CloudTrail's GetSecretValue event.

The following may be used to tune the detection, or to validate findings:

  • Principals who do not usually call secretsmanager:GetSecretValue
  • Attempts to call GetSecretValue resulting in access denied errors
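The detection described above, worked through on CloudTrail-shaped records: this is an added example, not code from Stratus Red Team, and it counts distinct secrets successfully read per principal within a sliding window, keeping AccessDenied attempts as a separate tuning signal. The principal ARNs, secret names and event records are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(ts, arn, secret, error=None):
    e = {"eventTime": ts, "eventSource": "secretsmanager.amazonaws.com",
         "eventName": "GetSecretValue", "userIdentity": {"arn": arn},
         "requestParameters": {"secretId": secret}}
    if error:
        e["errorCode"] = error
    return e

# Constructed, minimal CloudTrail-shaped records (not real log entries): one burst of
# reads plus a denied call, and a developer reading the same secret twice across the day.
ATTACKER = "arn:aws:iam::123456789012:user/stratus-test"
DEVELOPER = "arn:aws:sts::123456789012:assumed-role/DevRole/alice"
SAMPLE_EVENTS = [
    _ev("2024-01-01T10:00:01Z", ATTACKER, "prod/db-1"),
    _ev("2024-01-01T10:00:02Z", ATTACKER, "prod/db-2"),
    _ev("2024-01-01T10:00:03Z", ATTACKER, "prod/api-key"),
    _ev("2024-01-01T10:00:04Z", ATTACKER, "prod/locked", error="AccessDenied"),
    _ev("2024-01-01T10:05:00Z", DEVELOPER, "dev/db"),
    _ev("2024-01-01T11:30:00Z", DEVELOPER, "dev/db"),
]

def detect_bulk_secret_retrieval(events, threshold=3, window=timedelta(minutes=5)):
    """{arn: max distinct secrets read within any sliding window} for principals >= threshold."""
    reads = defaultdict(list)
    for e in events:
        if (e.get("eventSource") != "secretsmanager.amazonaws.com"
                or e.get("eventName") != "GetSecretValue" or e.get("errorCode")):
            continue  # only successful GetSecretValue calls count as reads
        when = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        secret = e.get("requestParameters", {}).get("secretId") or ""
        reads[e["userIdentity"]["arn"]].append((when, secret))
    findings = {}
    for arn, calls in reads.items():
        calls.sort()
        for i, (start, _) in enumerate(calls):
            distinct = {s for t, s in calls[i:] if t - start <= window}
            if len(distinct) >= threshold:
                findings[arn] = max(findings.get(arn, 0), len(distinct))
    return findings

def access_denied_counts(events):
    """Per-principal count of GetSecretValue calls that failed with AccessDenied."""
    counts = defaultdict(int)
    for e in events:
        if e.get("eventName") == "GetSecretValue" and e.get("errorCode") == "AccessDenied":
            counts[e["userIdentity"]["arn"]] += 1
    return dict(counts)
```

Repeated reads of one secret by a principal who normally uses it do not trigger the finding; tune `threshold` and `window` to the account's baseline.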