- An adversary with access to a compromised AWS service, such as an EC2 instance, Lambda function, or other service, may attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time a specific user identity has programmatically retrieved a secret value from Secrets Manager using the GetSecretValue or BatchGetSecretValue actions. This rule assumes that AWS services such as Lambda functions and EC2 instances are set up with assigned IAM roles that have the necessary permissions to access the secrets in Secrets Manager. An adversary with access to a compromised AWS service would rely on its attached role to access the secrets in Secrets Manager.
- This rule attempts to identify rapid secret retrieval attempts from AWS Secrets Manager. Adversaries may attempt to retrieve secrets from Secrets Manager programmatically using the GetSecretValue or BatchGetSecretValue API actions.