Unfamiliar IAM user retrieved secret from AWS Secrets Manager


Goal

Detect when a previously unseen IAM user retrieves secrets from AWS Secrets Manager.

Strategy

This rule monitors GetSecretValue CloudTrail API calls to detect when a secret is retrieved. It does this by baselining the IAM users that access secrets within your AWS account over a 7-day window. Users first seen after this 7-day window generate security signals.
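
The new-user logic described above, modelled offline over CloudTrail records as an added example (it is not Datadog's rule implementation or code from this page). It assumes the 7-day learning window starts at the first observed event and that each new user signals once; the helper names and sample events are constructed.

```python
from datetime import datetime, timedelta

LEARNING_WINDOW = timedelta(days=7)  # learning period stated on the page

def parse_time(event):
    # CloudTrail eventTime is ISO 8601 UTC, e.g. 2024-05-01T09:00:00Z
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def is_secret_read_by_iam_user(event):
    return (event.get("eventSource") == "secretsmanager.amazonaws.com"
            and event.get("eventName") == "GetSecretValue"
            and (event.get("userIdentity") or {}).get("type") == "IAMUser")

def detect_new_users(events):
    """Return one signal per IAM user first seen after the learning window."""
    reads = sorted(filter(is_secret_read_by_iam_user, events), key=parse_time)
    if not reads:
        return []
    # Assumption: the window is anchored on the earliest matching event.
    learning_ends = parse_time(reads[0]) + LEARNING_WINDOW
    known, signals = set(), []
    for ev in reads:
        arn = ev["userIdentity"]["arn"]
        if arn not in known and parse_time(ev) >= learning_ends:
            signals.append({"user": arn, "time": ev["eventTime"],
                            "ip": ev.get("sourceIPAddress"),
                            "secret": (ev.get("requestParameters") or {}).get("secretId")})
        known.add(arn)  # assumption: each user signals once, then is known
    return signals

def _ev(time, user, name="GetSecretValue", kind="IAMUser", secret="prod/db"):
    # Constructed sample event; account id, user names and IP are made up.
    return {"eventTime": time, "eventSource": "secretsmanager.amazonaws.com",
            "eventName": name, "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"type": kind,
                             "arn": f"arn:aws:iam::111122223333:user/{user}"},
            "requestParameters": {"secretId": secret}}

SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:00Z", "deploy-bot"),               # learning window
    _ev("2024-05-03T14:30:00Z", "alice"),                    # learning window
    _ev("2024-05-09T08:00:00Z", "deploy-bot"),               # known user
    _ev("2024-05-09T11:15:00Z", "carol"),                    # new after window
    _ev("2024-05-09T11:16:00Z", "carol", secret="prod/api-key"),  # already signalled
    _ev("2024-05-10T10:00:00Z", "bob", name="DescribeSecret"),    # not a retrieval
    _ev("2024-05-10T10:05:00Z", "dave", kind="AssumedRole"),      # not an IAM user
]

if __name__ == "__main__":
    for signal in detect_new_users(SAMPLE_EVENTS):
        print(signal)
```

Each signal carries the same three fields the triage steps below pivot on: the user ARN, the secret ID and the client IP.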

Triage and response

  1. Determine whether the IAM user {{@userIdentity.arn}} is expected to access Secrets Manager and the secrets within @requestParameters.secretId.
  2. If the action is legitimate, consider including the user in a suppression list. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.
  3. If the action shouldn’t have happened:
    • Contact the user: {{@userIdentity.arn}} and see if they made the API call.
    • Use the Cloud SIEM - User Investigation dashboard to see if the user {{@userIdentity.arn}} has taken other actions.
    • Use the Cloud SIEM - IP Investigation dashboard to see if there’s more traffic from the IP {{@network.client.ip}}.
  4. If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process as well as an investigation.