Secrets Manager
About Secrets Manager
Secrets Manager is an AWS service that lets you encrypt and store secrets that you can then use for all kinds of purposes, including your applications, APIs, Lambda functions, and so on. You can use it to store login credentials, API keys, or any other secret value you need to use but don't want to hardcode, since you're trying to follow security best practices.
It encrypts data as you store it using KMS, then decrypts it when you retrieve it. It also supports automatically and periodically rotating your secrets without breaking your apps, and it enables you to control exactly who or what can access your secrets.
All that to say: Secrets Manager is a juicy target for threat actors because if they are able to gain access, they will have access to important secrets stored in your account.
AWS Secrets Manager Enumeration CLI commands
These commands retrieve general and specific Secrets Manager information, including listing secrets, retrieving resource-policy permissions, and retrieving stored secrets. They are meant to be non-destructive enumeration commands: they only retrieve information and do not modify resources. However, keep in mind that these API calls will still be logged (for example in CloudTrail) and can trigger alerts if the AWS account has monitoring and logging enabled. See the official AWS documentation for the full command reference.
List-secrets
Retrieves a list of the secrets stored in Secrets Manager in that AWS account.
Does not include secrets marked for deletion unless you use the optional [--include-planned-deletion] flag.
To issue this command, you must have secretsmanager:ListSecrets access.
List-secret-version-ids
Lists the versions of a specific secret.
To issue this command, you must have secretsmanager:ListSecretVersionIds access.
Get-resource-policy
Secrets in Secrets Manager can have a resource-based permissions policy attached (this is optional, but a recommended security practice). This command retrieves that policy for a particular secret.
To issue this command, you must have secretsmanager:GetResourcePolicy access.
Describe-secret
Gets the details of a secret, but does not include the secret value.
It does provide the ARN, Name, Description, KmsKeyId, whether rotation is enabled, and more.
To issue this command, you must have secretsmanager:DescribeSecret access.
Get-secret-value
Retrieves the secret value as either SecretString or SecretBinary.
If you don't specify the optional [--version-id], it retrieves the current version.
To issue this command, you must have secretsmanager:GetSecretValue access.
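As an added example (not code from the original page or from AWS), here is a small Python audit helper that consumes the JSON returned by describe-secret and get-resource-policy and flags the settings a defender would review: rotation disabled, encryption with the default AWS managed key, a scheduled deletion, and a resource policy statement that allows any principal without a Condition. The sample responses are constructed and the function names are assumptions; the script makes no AWS calls.

```python
import json

# Constructed sample responses; values are made up, not from any real account.
SAMPLE_DESCRIBE = {
    "ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-AbCdEf",
    "Name": "prod/db",
    "RotationEnabled": False,
    "DeletedDate": "2024-06-01T00:00:00+00:00",
}
SAMPLE_POLICY = {
    "Name": "prod/db",
    "ResourcePolicy": json.dumps({  # get-resource-policy returns the policy as a JSON string
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": "secretsmanager:GetSecretValue", "Resource": "*"},
        ],
    }),
}

def _principals(principal) -> list:
    """Flatten a Principal element: "*", {"AWS": "..."} or {"AWS": [...]}."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():
        out.extend(value if isinstance(value, list) else [value])
    return out

def open_statements(policy_json: str) -> list:
    """Return Allow statements that name a wildcard principal and carry no Condition."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given without a list
        statements = [statements]
    return [s for s in statements if s.get("Effect") == "Allow"
            and "Condition" not in s and "*" in _principals(s.get("Principal", {}))]

def audit_secret(describe: dict, policy: dict = None) -> list:
    """Findings from describe-secret output plus optional get-resource-policy output."""
    findings = []
    if not describe.get("RotationEnabled"):
        findings.append("rotation disabled")
    if "KmsKeyId" not in describe:  # omitted when the AWS managed key aws/secretsmanager is used
        findings.append("encrypted with the AWS managed key aws/secretsmanager")
    if "DeletedDate" in describe:  # omitted unless deletion is scheduled
        findings.append("scheduled for deletion")
    if policy and policy.get("ResourcePolicy"):
        findings += [f"resource policy allows any principal: {s.get('Action')}"
                     for s in open_statements(policy["ResourcePolicy"])]
    return findings
```

Feed it the output of `aws secretsmanager describe-secret` and `get-resource-policy` for each secret returned by `list-secrets` to get a per-secret list of findings.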