Skip to content

AWS Retrieve and Decrypt SSM Parameters

Platform: AWS


  • Credential Access


Describes the SSM Parameters in an Account and retrieves and decrypts (30) SSM Parameters available in an AWS region.

Attacker Actions:

  • First, lists the SSM Parameters in the current region.
  • Secondly, retrieves the values of (30) SSM Parameters.
  • Resulting event names:
    • DescribeParameters
    • GetParameter
  • Assigned IAM Permission:
    • ssm:DescribeParameters
    • ssm:GetParameter

Workflow Inputs:

Specify which user this attack should run as.


Clean Up:


Execution Instructions

  • See User Guide for Execution Instructions via the Google Cloud Console
  • Programmatically execute this workflow with the following cli command:
gcloud workflows run aws-delete-cloudtrail-trail `--data={"user": "user01"}` 

Detection Artifacts

Identify principals retrieving a high number of SSM Parameters, through the AWS GetParameter event.

Refer to Stratus Red Team documentation for additional detailed detection artifacts produced by this attack technique.