Unfamiliar IAM user retrieved secret from AWS Secrets Manager

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when a previously unseen IAM user retrieves secrets from AWS Secrets Manager.

Strategy

This rule lets you monitor the GetSecretValue CloudTrail API calls to detect when a secret is retrieved. It does this by inspecting the IAM users accessing secrets within your AWS account over a 7-day window. Newly detected users after this 7-day window will generate security signals.

Triage and response

  1. Determine whether the IAM user: {{@userIdentity.arn}} is expected to access the Secrets Manager and the secrets within @requestParameters.secretId.
  2. If the action is legitimate, consider including the user in a suppression list. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.
  3. If the action shouldn’t have happened:
    • Contact the user: {{@userIdentity.arn}} and see if they made the API call.
    • Use the Cloud SIEM - User Investigation dashboard to see if the user {{@userIdentity.arn}} has taken other actions.
    • Use the Cloud SIEM - IP Investigation dashboard to see if there’s more traffic from the IP {{@network.client.ip}}.
  4. If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process as well as an investigation.
PREVIEWING: piotr_wolski/update-dsm-docs