Retrieve a High Number of Secrets Manager secrets
MITRE ATT&CK Tactics
- Credential Access
Retrieves a high number of Secrets Manager secrets, through secretsmanager:GetSecretValue.
- Create multiple secrets in Secrets Manager.
- Enumerate the secrets through secretsmanager:ListSecrets
- Retrieve each secret value, one by one through secretsmanager:GetSecretValue
Identify principals retrieving a high number of secrets, through CloudTrail's GetSecretValue event.
The following may be use to tune the detection, or validate findings:
- Principals who do not usually call secretsmanager:GetSecretValue
- Attempts to call GetSecretValue resulting in access denied errors