Category: SECRETS
Secrets Manager stores and rotates credentials, API keys, and other secrets. Over-permissive policies and exposed secret ARNs are primary attack vectors.
| Risk Level | Scope | Encrypted | Lambda |
|---|---|---|---|
| CRITICAL | Regional | KMS | Rotation |
Secrets are encrypted with KMS and can have resource-based policies. IAM policies control who can retrieve secret values. Secret ARNs exposed in Lambda env vars are a common issue.
Attack note: Compromised Lambda roles with GetSecretValue permission grant access to all referenced secrets.
Rotation Lambda functions update secrets automatically. These functions have access to both old and new credential values during rotation.
Attack note: Backdoored rotation Lambda can exfiltrate every new credential on rotation.
██████████ 9.5/10 (CRITICAL)
Secrets Manager contains the keys to the kingdom. Database passwords, API keys, and OAuth tokens enable access to all connected systems and data.
- Over-permissive IAM policies
- Lambda env vars expose ARNs
- CloudFormation outputs leak
- Cross-account access misconfigured
- Resource policy allows Principal: *
- Backdoor rotation Lambda
- Intercept during rotation
- Modify rotation function
- Disable rotation
- Access previous versions
- Resource policy Principal: *
- No VPC endpoint restriction
- Wildcard secret permissions
- No condition keys used
- Using AWS managed KMS key
- Rotation not enabled
- Long rotation periods
- No resource tags for ABAC
- Secret in multiple regions
- No audit logging
List All Secrets
aws secretsmanager list-secrets
Describe Secret
aws secretsmanager describe-secret \
  --secret-id NAME
Get Resource Policy
aws secretsmanager get-resource-policy \
  --secret-id NAME
List Versions
aws secretsmanager list-secret-version-ids \
  --secret-id NAME
Find by Tag
aws secretsmanager list-secrets \
  --filters Key=tag-key,Values=Environment
- GetSecretValue current version
- GetSecretValue previous versions
- Batch get multiple secrets
- Access via Lambda execution
- Cross-account retrieval
- Modify secret to known value
- Intercept rotation Lambda
- CloudTrail log analysis
- Memory dump of application
- Parameter Store fallback
Key insight: One GetSecretValue permission often grants access to database, API keys, and OAuth tokens.
- Add version with backdoor creds
- Modify existing secret value
- Create new secret with backdoor
- Cross-account replication
- Tag-based access persistence
- Modify rotation Lambda code
- Add exfil to rotation function
- Create custom rotation Lambda
- Disable then re-enable rotation
- Modify rotation schedule
- GetSecretValue
- PutSecretValue
- UpdateSecret
- DeleteSecret
- PutResourcePolicy
- Unusual GetSecretValue patterns
- Access from unexpected IPs
- Failed access attempts
- Policy modifications
- Rotation failures
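The two lists above (API calls to watch, and the detection patterns built on them) are easiest to understand as a small rule set run over CloudTrail records. The script below is an added example, not part of the original card. It uses the real CloudTrail field names (eventName, eventSource, sourceIPAddress, userIdentity.arn, errorCode, requestParameters.secretId) but every record, ARN, IP range and threshold in it is constructed for illustration; only the API-level failure of rotation is visible in CloudTrail, so failures inside the rotation Lambda itself still need that function's own logs.

```python
"""Detection logic for Secrets Manager CloudTrail events.

Added example, not from the original card. It applies the card's
detection list (unusual GetSecretValue patterns, unexpected source IPs,
failed attempts, policy modifications, rotation changes) to a handful of
constructed CloudTrail records. Field names follow the CloudTrail schema;
the ARNs, IPs and thresholds are assumptions for illustration.
"""
import ipaddress
from collections import Counter

# API calls from the card's watch-list that change a secret's value or policy.
WRITE_EVENTS = {"PutSecretValue", "UpdateSecret", "DeleteSecret", "PutResourcePolicy"}
# Assumed: the only network an application role should read secrets from.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed: more successful reads than this by one principal in the window is abnormal.
GET_THRESHOLD = 3


def _ev(name, who, ip, secret, err=None):
    """Build a minimal constructed CloudTrail record."""
    rec = {"eventSource": "secretsmanager.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": who}, "sourceIPAddress": ip,
           "requestParameters": {"secretId": secret}}
    if err:
        rec["errorCode"] = err
    return rec


# Constructed principals (account id and names are placeholders).
APP = "arn:aws:sts::123456789012:assumed-role/AppRole/app"
ADMIN = "arn:aws:iam::123456789012:user/admin"
INTERN = "arn:aws:iam::123456789012:user/intern"
ROTATOR = "arn:aws:sts::123456789012:assumed-role/RotationLambdaRole/rotate"

SAMPLE_EVENTS = [  # constructed, not real log data
    _ev("GetSecretValue", APP, "10.0.1.15", "prod/database/admin"),
    _ev("GetSecretValue", APP, "10.0.1.15", "prod/database/admin"),
    _ev("GetSecretValue", APP, "203.0.113.7", "prod/database/admin"),  # role creds used off-VPC
    _ev("GetSecretValue", APP, "203.0.113.7", "prod/api/key"),
    _ev("GetSecretValue", INTERN, "10.0.2.9", "prod/database/admin", err="AccessDeniedException"),
    _ev("GetSecretValue", INTERN, "10.0.2.9", "prod/api/key", err="AccessDeniedException"),
    _ev("PutResourcePolicy", ADMIN, "10.0.3.1", "prod/database/admin"),
    _ev("CancelRotateSecret", ADMIN, "10.0.3.1", "prod/database/admin"),
    # Service-initiated calls carry a service name or "AWS Internal" instead of an IP.
    _ev("GetSecretValue", ROTATOR, "AWS Internal", "prod/database/admin"),
]


def _trusted_source(ip):
    """True for the trusted CIDRs and for AWS service callers (non-IP source strings)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return ip.endswith(".amazonaws.com") or ip == "AWS Internal"
    return any(addr in net for net in TRUSTED_NETS)


def analyze(events):
    """Return (category, principal, detail) tuples for events worth alerting on."""
    findings = []
    reads, denials = Counter(), Counter()
    for e in events:
        if e.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        name = e.get("eventName")
        who = e.get("userIdentity", {}).get("arn", "unknown")
        secret = e.get("requestParameters", {}).get("secretId", "?")
        ip = e.get("sourceIPAddress", "")
        err = e.get("errorCode")
        if name in WRITE_EVENTS and not err:
            findings.append(("POLICY_OR_VALUE_CHANGE", who, f"{name} on {secret}"))
        elif name == "CancelRotateSecret" and not err:
            findings.append(("ROTATION_DISABLED", who, secret))
        elif name == "GetSecretValue":
            if err:
                denials[who] += 1
            else:
                reads[who] += 1
                if not _trusted_source(ip):
                    findings.append(("UNEXPECTED_SOURCE", who, f"{ip} read {secret}"))
    # Aggregate patterns that only show up across several events.
    for who, n in reads.items():
        if n > GET_THRESHOLD:
            findings.append(("HIGH_VOLUME_READS", who, f"{n} successful reads"))
    for who, n in denials.items():
        if n >= 2:
            findings.append(("REPEATED_ACCESS_DENIED", who, f"{n} failed GetSecretValue calls"))
    return findings


def summarize(findings):
    """Count findings per category, the shape a CloudWatch alarm threshold wants."""
    return dict(Counter(cat for cat, _, _ in findings))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(*finding)
```

Running it on the constructed records yields two off-network reads by AppRole, one policy change, one rotation cancellation, one high-volume reader and one principal with repeated access denials; the same functions can be pointed at records pulled from a CloudTrail lookup or an S3 trail export.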
Retrieve Secret Value
aws secretsmanager get-secret-value \
  --secret-id prod/database/admin
Get Previous Version
aws secretsmanager get-secret-value \
  --secret-id NAME \
  --version-stage AWSPREVIOUS
Modify Secret Value
aws secretsmanager put-secret-value \
  --secret-id NAME \
  --secret-string '{"user":"admin","pass":"backdoor"}'
Add Permissive Policy
aws secretsmanager put-resource-policy \
  --secret-id NAME \
  --resource-policy file://open-policy.json
Create Backdoor Secret
aws secretsmanager create-secret \
  --name prod/backdoor \
  --secret-string "attacker-creds"
Disable Rotation
aws secretsmanager cancel-rotate-secret \
  --secret-id NAME
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": "*",
"Action": "secretsmanager:GetSecretValue",
"Resource": "*"
}]
}
Anyone can retrieve this secret - complete exposure
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::123456789012:role/AppRole"},
"Action": "secretsmanager:GetSecretValue",
"Resource": "*",
"Condition": {
"StringEquals": {"aws:SourceVpc": "vpc-12345"},
"ForAllValues:StringEquals": {
"secretsmanager:VersionStage": "AWSCURRENT"
}
}
}]
}
Only specific role from VPC can access current version
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "secretsmanager:*",
"Resource": "*"
}]
}
Full access to all secrets in account
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["secretsmanager:GetSecretValue"],
"Resource": "arn:aws:secretsmanager:*:*:secret:prod/app/*",
"Condition": {
"StringEquals": {"aws:ResourceTag/team": "myteam"}
}
}]
}
Read-only access to tagged secrets in specific path
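The four policies above pair each weak setting with its corrected form; the checks that tell them apart (Principal *, wildcard actions, Resource * without condition keys) can be written down once and run against any policy you export with get-resource-policy or pull from IAM. The script below is an added example, not code from the original card; the four policy documents embedded in it are constructed copies of the card's examples, and the set of "sensitive" actions is this example's own choice based on the card's watch-list.

```python
"""Static audit of Secrets Manager policy documents.

Added example, not from the original card. It encodes the card's
misconfiguration list (Principal *, wildcard permissions, no condition
keys, Resource *) as checks over policy JSON, so it runs offline against
policies exported with get-resource-policy or taken from IAM. The four
policies below are constructed copies of the card's examples.
"""
import json
from fnmatch import fnmatchcase

# Calls that read or change secret material / policy; wildcard actions cover them all.
SENSITIVE_ACTIONS = {
    "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue",
    "secretsmanager:UpdateSecret", "secretsmanager:DeleteSecret",
    "secretsmanager:PutResourcePolicy",
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"}: any caller, including other AWS accounts."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def audit_policy(policy):
    """Return a list of human-readable findings for one policy document (dict)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        tag = f"statement[{i}]"
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        has_condition = bool(stmt.get("Condition"))
        # Which sensitive calls does this statement reach, after IAM-style globbing?
        reached = sorted(s for s in SENSITIVE_ACTIONS
                         if any(fnmatchcase(s.lower(), a.lower()) for a in actions))
        if "Principal" in stmt and _principal_is_public(stmt["Principal"]):
            findings.append(f"{tag}: Principal * - anyone can call {actions}")
        if any("*" in a for a in actions):
            findings.append(f"{tag}: wildcard action {actions} grants every secretsmanager call")
        if reached and not has_condition:
            scope = "every secret in the account" if "*" in resources else str(resources)
            findings.append(f"{tag}: {reached} on {scope} with no condition keys "
                            "(aws:SourceVpc, aws:ResourceTag)")
    return findings


def audit_json(text):
    """Convenience wrapper for the string returned by get-resource-policy."""
    return audit_policy(json.loads(text))


# Constructed copies of the card's four example policies.
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/AppRole"},
    "Action": "secretsmanager:GetSecretValue", "Resource": "*",
    "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-12345"},
                  "ForAllValues:StringEquals": {"secretsmanager:VersionStage": "AWSCURRENT"}}}]}
WILDCARD_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}]}
TAGGED_READONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
    "Resource": "arn:aws:secretsmanager:*:*:secret:prod/app/*",
    "Condition": {"StringEquals": {"aws:ResourceTag/team": "myteam"}}}]}


if __name__ == "__main__":
    for name, pol in [("public", PUBLIC_POLICY), ("scoped", SCOPED_POLICY),
                      ("wildcard-identity", WILDCARD_IDENTITY_POLICY),
                      ("tagged-readonly", TAGGED_READONLY_POLICY)]:
        print(name, audit_policy(pol) or "OK")
```

The two "bad" policies each produce two findings (public principal plus unconditioned Resource *, and wildcard action plus unconditioned Resource *), while the two scoped policies come back clean; the glob matching means `secretsmanager:Get*` is treated as reaching GetSecretValue, which is what IAM does.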
Audit and control decryption access separately.
aws secretsmanager create-secret \
  --kms-key-id alias/my-key --name ...
Rotate credentials regularly (30 days or less).
aws secretsmanager rotate-secret \
  --secret-id NAME \
  --rotation-rules AutomaticallyAfterDays=30
Restrict secret access to within VPC only.
"Condition": {"StringEquals": {"aws:SourceVpc": "vpc-xxx"}}
Explicitly deny unauthorized principals.
aws secretsmanager put-resource-policy \
  --secret-id NAME --resource-policy ...
Use ABAC for fine-grained access control.
"Condition": {"StringEquals": {"aws:ResourceTag/Environment": "prod"}}
Alert on GetSecretValue calls from unexpected sources.
CloudWatch Alarm: GetSecretValue count > threshold
AWS Secrets Manager Security Card
Always obtain proper authorization before testing
