User enumerated AWS Secrets Manager - Anomaly
Goal
Detect when a user is attempting to retrieve a high number of secrets while also receiving an error message of AccessDenied
, through Cloudtrail’s GetSecretValue
event.
Strategy
This rule sets a baseline for user activity in the GetSecretValue
event, and enables the detection of potentially anomalous activity when a user receives an anomalous number of AccessDenied
messages while attempting to retrieve secrets.
An attacker may attempt to enumerate and access the AWS Secrets Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.
Triage and response
- Investigate API activity for
{{@userIdentity.session_name}}
to determine if the specific set of API calls are malicious.- Use the investigation queries on the suggested actions panel.
- Review any other security signals for
{{@userIdentity.session_name}}
. - If the activity is deemed malicious:
- Rotate user credentials.
- Determine what other API calls were made by the user.
- Rotate any AWS secrets that were accessed by the user with the
aws-cli
command update-secret
or use the AWS Console. - Begin your organization’s incident response process and investigate.
- If the activity is benign:
- Use the linked blog post in the suggested actions panel to tune out noise.
Changelog
25 October 2022 - Updated query.