AWS Secrets Manager Rapid Secrets Retrieval Attempts
Compromised AWS credentials may be used to rapidly retrieve multiple secrets from AWS Secrets Manager in order to escalate privileges or move laterally within the environment.
This detection identifies rapid secret retrieval activity from AWS Secrets Manager, specifically when a single user identity retrieves 20 or more unique secrets within a short timeframe using the GetSecretValue API. This behavior is indicative of potential credential compromise, where an adversary may attempt to enumerate and exfiltrate secrets in bulk to escalate privileges, move laterally, or establish persistence. While legitimate application initialization or CI/CD pipelines may involve retrieving multiple secrets, such activity typically originates from known service roles, expected source IP ranges, or specific application identities. This detection helps security teams identify and respond to potential unauthorized access to sensitive credentials stored in AWS Secrets Manager.
Attack Chain
- An adversary compromises AWS credentials, such as an IAM user, instance role, or temporary credentials.
- The adversary uses the compromised credentials to authenticate to the AWS environment.
- The adversary leverages the
GetSecretValueAPI of AWS Secrets Manager to request multiple secrets. - The adversary iterates through different
SecretIdvalues within the API requests to retrieve unique secrets. - AWS CloudTrail logs each successful
GetSecretValueAPI call, recording the user identity, source IP, and requestedSecretId. - The detection rule identifies user identities that retrieve 20 or more unique secrets within the defined time window (6 minutes).
- The adversary gains access to sensitive information, such as database passwords, API keys, or OAuth tokens.
- The adversary uses the retrieved secrets to escalate privileges, move laterally, or establish persistence within the AWS environment.
Impact
A successful attack can lead to unauthorized access to sensitive data stored within AWS Secrets Manager, including database passwords, API keys, and other credentials. This may enable attackers to compromise other systems and resources within the AWS environment, leading to data breaches, service disruptions, or other security incidents. If successful, an attacker can move laterally within the cloud infrastructure and gain a foothold to further compromise cloud assets.
Recommendation
- Deploy the following Sigma rule to your SIEM to detect rapid secret retrieval attempts from AWS Secrets Manager and tune the threshold for your environment.
- Investigate and validate any alerts generated by the Sigma rule, focusing on identifying the source of the activity and the secrets that were accessed.
- Restrict permissions to Secrets Manager following the principle of least privilege to minimize the impact of compromised credentials.
- Rotate all accessed secrets and update dependent systems if unauthorized access is confirmed.
- Review CloudTrail logs for any suspicious follow-on activity using the retrieved secrets.
- Implement exceptions based on known service roles, expected source IP ranges, or specific application identities tied to secret orchestration to reduce false positives.
Detection coverage 2
AWS Secrets Manager Rapid Secrets Retrieval
mediumDetects rapid secret retrieval activity from AWS Secrets Manager using the GetSecretValue API, indicating potential credential compromise.
AWS Secrets Manager Enumeration via ListSecrets
lowDetects attempts to enumerate secrets within AWS Secrets Manager using the ListSecrets API call, potentially indicating reconnaissance activity.
Detection queries are available on the platform. Get full rules →