Skip to content

AWS Retrieve a High Number of Secrets Manager secrets

Platform: AWS


  • Credential Access


Lists the secrets stored in Secrets Manager and retrieves (20) secret values

Attacker Actions:

  • First, lists the secrets stored in Secrets Manager in the current region.
  • Secondly, retrieves the values of (20) secrets stored in Secrets Manager
  • Resulting event names:
    • ListSecrets
    • GetSecretValue
  • Assigned IAM Permission:
    • secretsmanager:ListSecrets
    • secretsmanager:GetSecretValue

Workflow Inputs:

Specify which user this attack should run as.


Clean Up:


Execution Instructions

  • See User Guide for Execution Instructions via the Google Cloud Console
  • Programmatically execute this workflow with the following cli command:
gcloud workflows run aws-delete-cloudtrail-trail `--data={"user": "user01"}` 

Detection Artifacts

Identify principals retrieving a high number of secrets, through CloudTrail's GetSecretValue event.