AWS System Manager encrypted parameter retrieved
Description
AlphaSOC detected the retrieval of an encrypted parameter from AWS Systems Manager using GetParameters or GetParameter actions. This activity involves accessing sensitive information stored securely in AWS. This could indicate an attempt to steal credentials, secrets, or other confidential data stored in the AWS Systems Manager Parameter Store.
Impact
Unauthorized access to AWS Systems Manager Parameter Store can lead to the compromise of sensitive information. This could result in data breaches, unauthorized access to other AWS services, or potential lateral movement within the AWS environment.
Severity
| Severity | Condition |
|---|---|
| Informational | AWS System Manager encrypted parameter retrieved |
| Low | AWS System Manager encrypted parameter retrieved unexpectedly |
Investigation and Remediation
Review AWS CloudTrail logs to identify the AWS IAM user or role responsible for the API calls. Verify whether the parameter retrieval was authorized and part of a business process. If unauthorized, rotate all potentially compromised credentials and secrets, and conduct a thorough security assessment of the affected systems.
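
The CloudTrail review described above can be scripted. The following is an added example, not AlphaSOC's own detection logic: it groups GetParameter and GetParameters calls by calling principal, assuming that withDecryption set to true in requestParameters marks an encrypted-parameter read. The account ID, ARNs, IP addresses and parameter names are constructed sample data.

```python
from collections import defaultdict

# Constructed CloudTrail records for illustration (not real data).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "sourceIPAddress": "10.0.1.15",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
     "requestParameters": {"name": "/prod/db/password", "withDecryption": True}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameters", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"names": ["/prod/api/key", "/prod/db/password"],
                           "withDecryption": True}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "sourceIPAddress": "10.0.1.15",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
     "requestParameters": {"name": "/prod/app/loglevel", "withDecryption": False}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "sourceIPAddress": "203.0.113.7",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "/prod/root/token", "withDecryption": True}},
]

READ_ACTIONS = {"GetParameter", "GetParameters"}

def decrypted_reads_by_principal(events):
    """Group GetParameter/GetParameters calls that asked for decryption by caller ARN."""
    grouped = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "ssm.amazonaws.com" or ev.get("eventName") not in READ_ACTIONS:
            continue
        req = ev.get("requestParameters") or {}
        if req.get("withDecryption") is not True:
            continue  # decryption was not requested (assumed signal, see lead-in)
        names = req.get("names") or [req.get("name", "<unknown>")]
        arn = (ev.get("userIdentity") or {}).get("arn", "<unknown>")
        for name in names:
            grouped[arn].append({"time": ev.get("eventTime"), "parameter": name,
                                 "source_ip": ev.get("sourceIPAddress"),
                                 "error": ev.get("errorCode")})  # None: call succeeded
    return dict(grouped)

if __name__ == "__main__":
    for arn, reads in decrypted_reads_by_principal(SAMPLE_EVENTS).items():
        print(arn, reads)
```

Denied calls are kept in the output with their error code, since a principal probing parameters it cannot read is relevant when deciding whether a retrieval was expected.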