
Suspicious AWS API calls indicating Secrets Manager discovery

ID: aws_secretsmanager_discovery_suspicious
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0007:T1526

Description

AlphaSOC detected discovery activity against AWS Secrets Manager. This behavior involves listing available secrets, accessing metadata, and probing access permissions. Threat actors often conduct such reconnaissance to identify valuable targets, including API keys, database credentials, and other sensitive information, before attempting unauthorized access or exfiltration. Actions initiated by AWS services and known security tools are exempt from this detection to reduce false positives.

Impact

Successful secrets discovery enables adversaries to obtain critical credentials, API keys, database passwords, and other sensitive authentication material used by applications and services. This access facilitates lateral movement within the environment, privilege escalation, and unauthorized access to protected resources and data.

Severity

Severity        Condition
Informational   Unexpected action, ASN, user agent, or region
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time

Investigation and Remediation

Review AWS CloudTrail logs to identify the source and scope of Secrets Manager API calls, including the specific secrets accessed and the methods used. Analyze the timing, frequency, and patterns of discovery attempts to determine if they align with legitimate business activities. Verify that all access originates from authorized users, applications, or services. If unauthorized access is confirmed, immediately rotate all potentially compromised secrets and review associated access policies and permissions. Implement enhanced monitoring for Secrets Manager activities and strengthen access controls using least-privilege principles and resource-based policies.
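The following is an added example, not AlphaSOC's detection code, showing how the severity table above can be applied while reviewing CloudTrail records for Secrets Manager discovery: it scores each call by how many of the four properties (action, ASN, user agent, region) fall outside a principal's baseline and exempts AWS-service and security-tool callers. The mapping of discovery to the ListSecrets, DescribeSecret and GetResourcePolicy events, the per-principal baseline, the "asn" enrichment field, the tool allow-list and the sample records are all assumptions constructed for the example.

```python
# Secrets Manager API calls treated here as discovery: listing, metadata, permission probing.
DISCOVERY_EVENTS = {"ListSecrets", "DescribeSecret", "GetResourcePolicy"}
SEVERITY_BY_COUNT = {1: "Informational", 2: "Low", 3: "Medium"}  # 3+ -> Medium (assumed)
SCORED_FIELDS = ("eventName", "asn", "userAgent", "awsRegion")  # action, ASN, user agent, region
KNOWN_SECURITY_TOOLS = {"prowler"}  # constructed allow-list of security-tool user agents
# Constructed per-principal baseline; "asn" is assumed to be added by an enrichment step
# (a raw CloudTrail record carries only sourceIPAddress).
APP_USER = "arn:aws:iam::123456789012:user/app-deployer"
BASELINE = {APP_USER: {"eventName": {"DescribeSecret"}, "asn": {"AS16509"},
                       "userAgent": {"aws-sdk-go/1.44"}, "awsRegion": {"us-east-1"}}}

def is_exempt(record):
    """Exempt calls made by AWS services on a principal's behalf and by known security tools."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "AWSService" or ident.get("invokedBy"):
        return True
    return any(tool in record.get("userAgent", "") for tool in KNOWN_SECURITY_TOOLS)

def unexpected_properties(record, baseline):
    """Names of the scored properties whose value falls outside the principal's baseline."""
    return [f for f in SCORED_FIELDS if record.get(f) not in baseline.get(f, set())]

def score(record):
    """Return (severity, unexpected_fields), or None when the record raises no alert."""
    if record.get("eventSource") != "secretsmanager.amazonaws.com":
        return None
    if record.get("eventName") not in DISCOVERY_EVENTS or is_exempt(record):
        return None
    baseline = BASELINE.get(record.get("userIdentity", {}).get("arn"))
    if baseline is None:
        return None  # assumption: principals without a baseline are not scored here
    unexpected = unexpected_properties(record, baseline)
    return (SEVERITY_BY_COUNT[min(len(unexpected), 3)], unexpected) if unexpected else None

def scan(records):
    """Return (eventName, severity, unexpected_fields) for every record that alerts."""
    return [(r["eventName"], *hit) for r in records if (hit := score(r))]

# Constructed, abridged CloudTrail-style records; not real telemetry.
IDENT = {"type": "IAMUser", "arn": APP_USER}
SAMPLE = [
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "DescribeSecret", "userIdentity": IDENT,
     "asn": "AS16509", "userAgent": "aws-sdk-go/1.44", "awsRegion": "ap-southeast-1"},  # one unexpected
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "ListSecrets", "userIdentity": IDENT,
     "asn": "AS64512", "userAgent": "aws-sdk-go/1.44", "awsRegion": "eu-west-3"},  # three unexpected
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "ListSecrets",
     "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"},
     "asn": "AS16509", "userAgent": "lambda.amazonaws.com", "awsRegion": "us-east-1"},  # exempt
]
```

Running scan(SAMPLE) yields one Informational and one Medium hit; the Lambda-initiated call is dropped by the service exemption.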