Retrieve a High Number of Secrets Manager secrets
idempotent
Platform: AWS
MITRE ATT&CK Tactics
- Credential Access
Description
Retrieves a high number of Secrets Manager secrets, through secretsmanager:GetSecretValue.
Warm-up:
- Create multiple secrets in Secrets Manager.
Detonation:
- Enumerate the secrets through secretsmanager:ListSecrets.
- Retrieve each secret value one by one through secretsmanager:GetSecretValue.
Instructions
Detonate with Stratus Red Team
stratus detonate aws.credential-access.secretsmanager-retrieve-secrets
Detection
Identify principals retrieving a high number of secrets, through CloudTrail GetSecretValue events.
The following may be used to tune the detection, or validate findings:
- Principals who do not usually call secretsmanager:GetSecretValue
- Attempts to call GetSecretValue resulting in access denied errors
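The detection described above, as an added example that is not part of Stratus Red Team or its documentation: it runs the three heuristics (many distinct secrets read by one principal inside a time window, callers outside a known baseline, and GetSecretValue calls that were denied) over CloudTrail records. The records, the principal names, the 10-secrets-in-10-minutes threshold and the baseline set are all constructed for illustration; the field names (eventSource, eventName, userIdentity.arn, requestParameters.secretId, errorCode) are the standard CloudTrail ones.

```python
"""Flag principals that retrieve many Secrets Manager secrets.

Added example, not part of Stratus Red Team. Reads CloudTrail records (the
"Records" list of a CloudTrail log file) and applies the heuristics from the
Detection section. Threshold, window and baseline are assumed values.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

CLOUDTRAIL_TIME = "%Y-%m-%dT%H:%M:%SZ"


def _record(minute, second, principal, secret, error=None):
    """Build a constructed (not captured) CloudTrail GetSecretValue record."""
    rec = {
        "eventTime": f"2024-01-01T10:{minute:02d}:{second:02d}Z",
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "GetSecretValue",
        "userIdentity": {"arn": f"arn:aws:iam::123456789012:{principal}"},
        "requestParameters": {"secretId": secret},
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample: one principal reads 12 distinct secrets in under a
# minute and is denied twice; a known application role reads a single secret.
SAMPLE_EVENTS = [_record(0, 5 * i, "user/stratus-red-team", f"stratus-secret-{i}") for i in range(12)]
SAMPLE_EVENTS += [
    _record(1, 30, "user/stratus-red-team", "prod/db-password", "AccessDenied"),
    _record(1, 40, "user/stratus-red-team", "prod/api-key", "AccessDenied"),
    _record(3, 0, "role/app-backend", "prod/db-password"),
    {   # A ListSecrets call: not a secret read, so the detection ignores it.
        "eventTime": "2024-01-01T10:00:00Z",
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "ListSecrets",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/inventory-scanner"},
    },
]


def load_records(path):
    """Load the Records list from a CloudTrail log file on disk."""
    with open(path) as fh:
        return json.load(fh)["Records"]


def parse_event(record):
    """Return (principal, time, secret_id, error_code) for GetSecretValue records, else None."""
    if record.get("eventSource") != "secretsmanager.amazonaws.com":
        return None
    if record.get("eventName") != "GetSecretValue":
        return None
    when = datetime.strptime(record["eventTime"], CLOUDTRAIL_TIME).replace(tzinfo=timezone.utc)
    principal = record.get("userIdentity", {}).get("arn", "unknown")
    secret = (record.get("requestParameters") or {}).get("secretId", "?")
    return principal, when, secret, record.get("errorCode")


def high_volume_readers(records, threshold=10, window=timedelta(minutes=10)):
    """Map principal -> peak number of distinct secrets read in any `window`, if >= threshold."""
    reads = defaultdict(list)
    for rec in records:
        parsed = parse_event(rec)
        if parsed and parsed[3] is None:        # successful reads only
            principal, when, secret, _ = parsed
            reads[principal].append((when, secret))
    flagged = {}
    for principal, events in reads.items():
        events.sort()
        in_window, start, peak = Counter(), 0, 0
        for when, secret in events:             # sliding window over sorted reads
            in_window[secret] += 1
            while when - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[principal] = peak
    return flagged


def unusual_callers(records, baseline):
    """Principals calling GetSecretValue that are not in the known-caller baseline."""
    seen = {parsed[0] for parsed in map(parse_event, records) if parsed}
    return seen - set(baseline)


def access_denied_by_principal(records):
    """Count GetSecretValue attempts per principal that CloudTrail logged as denied."""
    counts = Counter()
    for rec in records:
        parsed = parse_event(rec)
        if parsed and parsed[3] and parsed[3].startswith("AccessDenied"):
            counts[parsed[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    baseline = {"arn:aws:iam::123456789012:role/app-backend"}   # assumed known callers
    print("high volume:", high_volume_readers(SAMPLE_EVENTS))
    print("unusual callers:", unusual_callers(SAMPLE_EVENTS, baseline))
    print("access denied:", access_denied_by_principal(SAMPLE_EVENTS))
```

Counting distinct secrets rather than raw calls keeps a service that re-reads the same secret on every request from tripping the threshold, while the window bounds the "high number" to a burst; the baseline and AccessDenied checks are the tuning signals the page lists, and all three should be reviewed together rather than alerting on any one alone.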