AWS Secrets Manager access from CloudShell session
Description
AlphaSOC detected access to AWS Secrets Manager through AWS CloudShell. This activity involves retrieving sensitive credentials or secrets from within an ephemeral, browser-based command-line environment. This behavior may indicate unauthorized exploration, credential harvesting, or attempts to access secrets outside of normal application workflows without leaving traces on persistent infrastructure.
Impact
Accessing secrets through CloudShell can enable credential theft, unauthorized system access, and potential data breaches. The ephemeral nature of CloudShell sessions makes these activities challenging to audit and investigate, potentially allowing adversaries to operate with reduced detection visibility and forensic evidence.
Severity
| Severity | Condition |
|---|---|
| Medium | AWS Secrets Manager key accessed using CloudShell |
Investigation and Remediation
Review AWS CloudTrail logs to identify the user account and timing of Secrets Manager access through CloudShell. Verify which specific secrets were accessed and determine if the activity aligns with authorized business requirements. If unauthorized access is confirmed, rotate all affected secrets and review associated access policies. Implement stricter IAM policies to control CloudShell and Secrets Manager access based on least-privilege principles.
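The first step of the procedure above, picking out which CloudTrail records are Secrets Manager reads made from a CloudShell session, as an added triage helper (not AlphaSOC's own detection logic). It assumes the CloudShell CLI marks its calls with `exec-env/CloudShell` in the CloudTrail `userAgent` field; the sample records are constructed.

```python
"""Flag Secrets Manager secret reads issued from an AWS CloudShell session.

Input: the dicts found under "Records" in a CloudTrail log file.
Assumption: CloudShell CLI calls carry "exec-env/CloudShell" in userAgent.
"""

SECRET_READ_EVENTS = {"GetSecretValue", "BatchGetSecretValue"}
CLOUDSHELL_UA_MARKER = "exec-env/CloudShell"  # assumed marker, see docstring


def _record(event_name, user_agent, arn):
    """Build a constructed CloudTrail record trimmed to the fields the check uses."""
    return {
        "eventTime": "2024-05-01T10:15:02Z",
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": event_name,
        "userIdentity": {"arn": arn},
        "userAgent": user_agent,
        "requestParameters": {"secretId": "prod/db/password"},
    }


CLOUDSHELL_UA = "aws-cli/2.15.0 Python/3.11.6 Linux/5.10 exec-env/CloudShell"

# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    # secret value read from CloudShell: should be flagged
    _record("GetSecretValue", CLOUDSHELL_UA, "arn:aws:iam::111122223333:user/analyst"),
    # same API from an application SDK, a normal workflow: not flagged
    _record("GetSecretValue", "aws-sdk-java/2.20.0 Linux/5.10",
            "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"),
    # CloudShell, but metadata only, no secret value returned: not flagged
    _record("DescribeSecret", CLOUDSHELL_UA, "arn:aws:iam::111122223333:user/analyst"),
]


def is_cloudshell_session(record):
    """True when the call's user agent carries the assumed CloudShell marker."""
    return CLOUDSHELL_UA_MARKER in record.get("userAgent", "")


def find_cloudshell_secret_access(records):
    """Return one finding (time, principal, secret) per secret read from CloudShell."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        if rec.get("eventName") not in SECRET_READ_EVENTS:
            continue
        if not is_cloudshell_session(rec):
            continue
        findings.append({
            "time": rec.get("eventTime"),
            "principal": rec.get("userIdentity", {}).get("arn"),
            "secret": rec.get("requestParameters", {}).get("secretId"),
        })
    return findings
```

Each finding names the principal and secret to verify against authorized workflows; only `GetSecretValue`-class events count, since `DescribeSecret` returns metadata rather than the secret value.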