Retrieve And Decrypt SSM Parameters

idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Credential Access

Description

Retrieves and decrypts a high number (30) of SSM Parameters available in an AWS region.

Warm-up:

  • Create multiple SSM Parameters

Detonation:

  • Use ssm:DescribeParameters to list SSM Parameters in the current region
  • Use ssm:GetParameters in batches of 10 (the maximum supported value) to retrieve the values of the SSM Parameters

Instructions

Detonate with Stratus Red Team
stratus detonate aws.credential-access.ssm-retrieve-securestring-parameters

Detection

Identify principals retrieving a high number of SSM Parameters, through CloudTrail's GetParameter and GetParameters events. It is especially suspicious when parameters of type SecureString are retrieved, which is indicated by requestParameters.withDecryption being set to true in the CloudTrail events.

The following may be used to tune the detection or validate findings:

  • Principals who do not usually call ssm:GetParameter(s)
  • Attempts to call ssm:GetParameter(s) resulting in access denied errors
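
A sketch of this detection run over CloudTrail records, added here as an example and not part of Stratus Red Team's own code. The 30-parameter threshold, the 10-minute window, the helper names and every sample event are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 30                  # assumed: the 30 parameters this technique reads
WINDOW = timedelta(minutes=10)  # assumed tuning value

def find_bulk_decryptors(events, threshold=THRESHOLD, window=WINDOW):
    """Principals reading >= threshold distinct decrypted parameters per window."""
    reads, denied = defaultdict(list), defaultdict(int)
    for e in events:
        if (e.get("eventSource") != "ssm.amazonaws.com"
                or e.get("eventName") not in ("GetParameter", "GetParameters")):
            continue
        arn = e["userIdentity"]["arn"]
        rp = e.get("requestParameters") or {}
        if str(e.get("errorCode", "")).startswith("AccessDenied"):
            denied[arn] += 1  # kept as a tuning signal, not a trigger
        elif rp.get("withDecryption") is True:
            ts = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            # GetParameters carries "names", GetParameter a single "name"
            names = rp.get("names") or [rp.get("name")]
            reads[arn] += [(ts, n) for n in names if n]
    findings = {}
    for arn, items in reads.items():
        items.sort()
        best = start = 0
        for end, (ts, _) in enumerate(items):
            while ts - items[start][0] > window:  # slide the window forward
                start += 1
            best = max(best, len({n for _, n in items[start:end + 1]}))
        if best >= threshold:
            findings[arn] = {"parameters": best, "denied": denied[arn]}
    return findings

def make_event(arn, minute, names, error=None):  # constructed CloudTrail-shaped record
    e = {"eventSource": "ssm.amazonaws.com", "eventName": "GetParameters",
         "eventTime": f"2024-01-01T12:{minute:02d}:00Z",
         "userIdentity": {"arn": arn},
         "requestParameters": {"names": names, "withDecryption": True}}
    return {**e, "errorCode": error} if error else e

# Constructed sample data (placeholder account ID and parameter names)
BULK = "arn:aws:iam::111122223333:user/constructed-bulk-reader"
APP = "arn:aws:sts::111122223333:assumed-role/constructed-app/session"
SAMPLE_EVENTS = (
    [make_event(BULK, 0, [f"/constructed/p{b * 10 + i}" for i in range(10)]) for b in range(3)]
    + [make_event(BULK, 1, ["/constructed/other"], error="AccessDenied")]
    + [make_event(APP, m, ["/constructed/app/db-password"]) for m in range(5)])
print(find_bulk_decryptors(SAMPLE_EVENTS))
```

Counting distinct parameter names rather than API calls keeps an application that re-reads one secret on every start from tripping the threshold.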