AWS System Manager encrypted parameter retrieved unexpectedly

ID: aws_ssm_decrypt_parameter_anomaly
Data type: AWS CloudTrail
Severity: Informational - Low
MITRE ATT&CK: TA0006:T1555.006

Description

AlphaSOC detected the retrieval of an encrypted parameter from AWS Systems Manager using the GetParameter or GetParameters actions. This activity accesses sensitive information stored securely in AWS and could indicate an attempt to steal credentials, secrets, or other confidential data stored in the AWS Systems Manager Parameter Store.

Impact

Unauthorized access to AWS Systems Manager Parameter Store can lead to the compromise of sensitive information. This could result in data breaches, unauthorized access to other AWS services, or potential lateral movement within the AWS environment.

Severity

| Severity | Condition |
| --- | --- |
| Informational | AWS System Manager encrypted parameter retrieved |
| Low | AWS System Manager encrypted parameter retrieved unexpectedly |

Investigation and Remediation

Review AWS CloudTrail logs to identify the AWS IAM user or role responsible for the API calls. Verify whether the retrieval was authorized and part of a business process. If unauthorized, rotate all potentially compromised credentials and secrets, and conduct a thorough security assessment of the affected systems.
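
The review step above can be scripted over exported CloudTrail records. The following is an added example, not AlphaSOC's own code: it groups decrypted Parameter Store reads by the responsible IAM user or role. The sample records, account ID, parameter names and function names are constructed, and the record layout (`requestParameters.withDecryption`, `name`/`names`, `userIdentity.sessionContext.sessionIssuer`) is assumed to match your CloudTrail export.

```python
from collections import defaultdict

# Constructed CloudTrail records for illustration (not real log data).
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::111122223333:role/app-role"}}},
     "requestParameters": {"name": "/prod/db/password", "withDecryption": True}},
    {"eventTime": "2024-05-01T09:05:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameters", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"names": ["/prod/db/password", "/prod/api/key"],
                           "withDecryption": True}},
    {"eventTime": "2024-05-01T09:06:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "errorCode": "AccessDenied",  # constructed value; any errorCode counts as failed
     "requestParameters": {"name": "/prod/root/token", "withDecryption": True}},
    {"eventTime": "2024-05-01T09:07:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"name": "/app/log-level", "withDecryption": False}},
]

def principal_of(record):
    """Prefer the role ARN behind an assumed-role session so its sessions group together."""
    ident = record.get("userIdentity") or {}
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("arn") or ident.get("arn") or ident.get("principalId", "unknown")

def summarize_decrypted_reads(records):
    """Map principal -> parameters requested with decryption, source IPs, failed calls."""
    summary = defaultdict(lambda: {"parameters": set(), "source_ips": set(), "failed": 0})
    for rec in records:
        req = rec.get("requestParameters") or {}  # may be null in some records
        if (rec.get("eventSource") != "ssm.amazonaws.com"
                or rec.get("eventName") not in ("GetParameter", "GetParameters")
                or not req.get("withDecryption")):
            continue  # skip other services, other actions, and non-decrypting reads
        entry = summary[principal_of(rec)]
        entry["parameters"].update(req.get("names") or [req.get("name", "<unknown>")])
        entry["source_ips"].add(rec.get("sourceIPAddress"))
        entry["failed"] += 1 if rec.get("errorCode") else 0
    return dict(summary)

if __name__ == "__main__":
    for who, info in summarize_decrypted_reads(SAMPLE_RECORDS).items():
        print(who, sorted(info["parameters"]), sorted(info["source_ips"]), info["failed"])
```

A principal that requests parameters outside its usual set, from an unfamiliar source IP, or with failed calls mixed in is the one to check against the business process first.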