Skip to content
Threat Feed
medium advisory

AWS Secrets Manager Rapid Secrets Retrieval Attempts

Compromised AWS credentials may be used to rapidly retrieve multiple secrets from AWS Secrets Manager in order to escalate privileges or move laterally within the environment.

This detection identifies rapid secret retrieval activity from AWS Secrets Manager, specifically when a single user identity retrieves 20 or more unique secrets within a short timeframe using the GetSecretValue API. This behavior is indicative of potential credential compromise, where an adversary may attempt to enumerate and exfiltrate secrets in bulk to escalate privileges, move laterally, or establish persistence. While legitimate application initialization or CI/CD pipelines may involve retrieving multiple secrets, such activity typically originates from known service roles, expected source IP ranges, or specific application identities. This detection helps security teams identify and respond to potential unauthorized access to sensitive credentials stored in AWS Secrets Manager.

Attack Chain

  1. An adversary compromises AWS credentials, such as an IAM user, instance role, or temporary credentials.
  2. The adversary uses the compromised credentials to authenticate to the AWS environment.
  3. The adversary leverages the GetSecretValue API of AWS Secrets Manager to request multiple secrets.
  4. The adversary iterates through different SecretId values within the API requests to retrieve unique secrets.
  5. AWS CloudTrail logs each successful GetSecretValue API call, recording the user identity, source IP, and requested SecretId.
  6. The detection rule identifies user identities that retrieve 20 or more unique secrets within the defined time window (6 minutes).
  7. The adversary gains access to sensitive information, such as database passwords, API keys, or OAuth tokens.
  8. The adversary uses the retrieved secrets to escalate privileges, move laterally, or establish persistence within the AWS environment.

Impact

A successful attack can lead to unauthorized access to sensitive data stored within AWS Secrets Manager, including database passwords, API keys, and other credentials. This may enable attackers to compromise other systems and resources within the AWS environment, leading to data breaches, service disruptions, or other security incidents. If successful, an attacker can move laterally within the cloud infrastructure and gain a foothold to further compromise cloud assets.

Recommendation

  • Deploy the following Sigma rule to your SIEM to detect rapid secret retrieval attempts from AWS Secrets Manager and tune the threshold for your environment.
  • Investigate and validate any alerts generated by the Sigma rule, focusing on identifying the source of the activity and the secrets that were accessed.
  • Restrict permissions to Secrets Manager following the principle of least privilege to minimize the impact of compromised credentials.
  • Rotate all accessed secrets and update dependent systems if unauthorized access is confirmed.
  • Review CloudTrail logs for any suspicious follow-on activity using the retrieved secrets.
  • Implement exceptions based on known service roles, expected source IP ranges, or specific application identities tied to secret orchestration to reduce false positives.

Detection coverage 2

AWS Secrets Manager Rapid Secrets Retrieval

medium

Detects rapid secret retrieval activity from AWS Secrets Manager using the GetSecretValue API, indicating potential credential compromise.

sigma tactics: credential_access techniques: T1555.006 sources: cloudtrail, aws, cloudtrail

AWS Secrets Manager Enumeration via ListSecrets

low

Detects attempts to enumerate secrets within AWS Secrets Manager using the ListSecrets API call, potentially indicating reconnaissance activity.

sigma tactics: reconnaissance techniques: T1068 sources: cloudtrail, aws, cloudtrail

Detection queries are available on the platform. Get full rules →