AWS Systems Manager SecureString Parameter Request with Decryption Flag
This rule detects when an AWS resource accesses SecureString parameters within AWS Systems Manager (SSM) with the decryption flag set to true, potentially indicating credential access.
This detection identifies when an AWS resource interacts with AWS Systems Manager (SSM) SecureString parameters and requests decryption. SecureStrings, encrypted using KMS keys, protect sensitive information like encryption keys, passwords, and credentials. An adversary gaining unauthorized access and decrypting these strings could bypass security controls and expose plaintext values for immediate misuse or exfiltration. The rule focuses on GetParameter or GetParameters API actions, specifically when the withDecryption parameter is set to true. This activity could signal a broader attack involving privilege escalation or lateral movement. The rule aims to detect the initial occurrence of such access, providing early warning of potential credential compromise. This detection rule was last updated on 2026-04-10.
Attack Chain
- An attacker gains initial access to an AWS environment through compromised credentials or a misconfigured IAM role (TA0001).
- The attacker attempts to discover sensitive information stored as SecureString parameters within AWS Systems Manager (SSM) (T1555).
- The attacker uses the AWS CLI or SDK to call the
GetParameterorGetParametersAPI actions targeting specific SecureString parameters. - The attacker sets the
withDecryptionparameter to true in the API request, indicating a desire to retrieve the plaintext value of the SecureString. - The AWS SSM service processes the request and decrypts the SecureString using the appropriate KMS key.
- The decrypted value is returned to the attacker as part of the API response.
- The attacker uses the retrieved credentials or sensitive information for unauthorized activities, such as lateral movement, data exfiltration, or resource manipulation (TA0006).
- The attacker may attempt to further obfuscate their actions by deleting CloudTrail logs or modifying SSM parameter access policies (TA0005).
Impact
Successful exploitation could lead to the exposure of sensitive credentials, including passwords, API keys, and database connection strings. This would allow an attacker to escalate privileges, move laterally within the AWS environment, and potentially gain access to critical systems and data. The impact ranges from data breaches and service disruption to complete compromise of the AWS account. The risk score associated with this behavior is 47, indicating a significant potential for damage.
Recommendation
- Deploy the Sigma rule "AWS SSM SecureString Parameter Request with Decryption Flag" to your SIEM and tune for your environment to detect suspicious decryption requests of SecureStrings.
- Enable AWS CloudTrail logs and configure the AWS integration to ingest them into your SIEM to provide the necessary data source for the Sigma rule above.
- Enable event logging for AWS Systems Manager (SSM) API actions within CloudTrail's data events settings to ensure comprehensive coverage.
- Review and revise IAM permissions to adhere to the principle of least privilege, restricting access to SSM parameters only to authorized users and roles (reference the "Possible Investigation Steps" in the content section).
- Audit SSM parameter access policies to ensure they are strict and that logging is enabled to track access with decryption (reference the "Audit Parameter Access Policies" section).
Detection coverage 2
AWS SSM SecureString Parameter Request with Decryption Flag
mediumDetects an AWS identity accessing SecureString parameters in SSM with the withDecryption flag set to true.
AWS SSM GetParameter without Encryption in transit flag
lowDetects when AWS SSM GetParameter action is done without encryption in transit
Detection queries are available on the platform. Get full rules →