Secrets Manager / Parameter Store Theft

Severity: high

Tactic: Credential Access

An attacker enumerates and retrieves secrets from AWS Secrets Manager and SSM Parameter Store to discover credentials for databases, APIs, and other services.

Required Permissions

- secretsmanager:ListSecrets
- secretsmanager:GetSecretValue
- ssm:DescribeParameters
- ssm:GetParameter
- lambda:GetFunction
- lambda:ListFunctions

Description

AWS Secrets Manager and SSM Parameter Store are the recommended locations for storing sensitive configuration — but they are also prime targets for credential chaining. An attacker with read access to these services can harvest credentials that unlock access to databases, third-party APIs, and other AWS accounts.

The attack flow:

1. **Enumerate secrets** — List all secrets with secretsmanager:ListSecrets or SSM parameters with ssm:DescribeParameters
2. **Read secret values** — Retrieve plaintext values with secretsmanager:GetSecretValue or ssm:GetParameter (with --with-decryption for SecureString parameters)
3. **Chain credentials** — Use discovered database passwords, API keys, or AWS access keys to pivot to new resources

Common high-value targets in these stores:

- Database credentials (RDS, DynamoDB, ElastiCache)
- Third-party API keys (Stripe, Twilio, SendGrid)
- AWS access keys for service accounts
- OAuth tokens and refresh tokens
- TLS certificates and private keys
- Connection strings with embedded credentials

Lambda environment variables are another common source — they are readable with lambda:GetFunction and often contain the same secrets that should be in Secrets Manager.

Impact

Access to database credentials, API keys, and service account tokens. Enables credential chaining to reach databases, third-party services, and other AWS accounts.

Detection

Monitor for bulk ListSecrets or DescribeParameters calls. Alert on GetSecretValue or GetParameter calls from unexpected principals. Track Lambda GetFunction calls that expose environment variables.
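The three detection ideas above, applied to constructed CloudTrail-shaped records as an added example (not part of the original entry): the account ID, role and user ARNs, and the bulk threshold are assumptions chosen for illustration.

```python
# Added example: triage of CloudTrail events for secret-store abuse.
# All ARNs, account IDs and the threshold are constructed/assumed values.
from collections import Counter

# Principals expected to read secret values (assumed allow-list).
EXPECTED_READERS = {"arn:aws:iam::111122223333:role/app-backend"}
ENUM_APIS = {"ListSecrets", "DescribeParameters"}
READ_APIS = {"GetSecretValue", "GetParameter", "GetParameters"}
BULK_THRESHOLD = 3  # enumeration calls per principal in one batch (assumed)

# Constructed sample events; a real batch would be one CloudTrail time window.
CONTRACTOR = "arn:aws:iam::111122223333:user/contractor"
APP_ROLE = "arn:aws:iam::111122223333:role/app-backend"
SAMPLE_EVENTS = [
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "ListSecrets",
     "userIdentity": {"arn": CONTRACTOR}},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "ListSecrets",
     "userIdentity": {"arn": CONTRACTOR}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "DescribeParameters",
     "userIdentity": {"arn": CONTRACTOR}},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userIdentity": {"arn": CONTRACTOR}},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userIdentity": {"arn": APP_ROLE}},  # expected reader: no finding
    {"eventSource": "lambda.amazonaws.com", "eventName": "GetFunction",
     "userIdentity": {"arn": CONTRACTOR}},
]


def principal(event):
    """Return the calling principal's ARN, or 'unknown' if absent."""
    return event.get("userIdentity", {}).get("arn", "unknown")


def triage(events):
    """Return (finding_type, principal, detail) tuples for suspicious activity."""
    findings = []
    enum_counts = Counter()
    for ev in events:
        who, name = principal(ev), ev.get("eventName")
        if name in ENUM_APIS:
            enum_counts[who] += 1  # count ListSecrets/DescribeParameters per caller
        elif name in READ_APIS and who not in EXPECTED_READERS:
            findings.append(("unexpected_secret_read", who, name))
        elif name == "GetFunction" and ev.get("eventSource") == "lambda.amazonaws.com":
            findings.append(("lambda_env_exposure", who, name))  # env vars returned
    for who, n in enum_counts.items():
        if n >= BULK_THRESHOLD:
            findings.append(("bulk_enumeration", who, f"{n} enumeration calls"))
    return findings
```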

Mitigation

Scope Secrets Manager and SSM Parameter Store permissions to specific secret ARNs. Use KMS customer-managed keys with key policies restricting decryption. Enable resource policies on secrets. Move Lambda environment variable secrets to Secrets Manager with least-privilege access.