Detection of suspicious access to cloud-native secret management systems (AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, HashiCorp Vault). Focuses on abnormal secret retrieval activity, such as secrets being accessed by unusual identities, from unexpected regions, outside business hours, or at high volume. Correlates API calls to secret retrieval with surrounding authentication events, role assumptions, and anomalous execution patterns.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Enumeration (DC0083) | AWS:CloudTrail | GetSecretValue |

| Field | Description |
|---|---|
|---|---|
| PrivilegedRoles | Set of accounts or roles allowed to retrieve secrets; deviations may indicate misuse. |
| TimeWindow | Temporal window to correlate secret access with authentication and anomalous context. |
| AccessPatterns | Expected frequency and volume of secret retrievals per user/service; anomalies may indicate exfiltration. |
| RegionConstraints | Regions in which secret access is expected; access from unusual geographies may indicate compromise. |
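As an added example that is not part of this page: a small Python detector that applies the four mutable elements above (PrivilegedRoles, TimeWindow, AccessPatterns, RegionConstraints) to CloudTrail records and correlates each `GetSecretValue` with the `AssumeRole` call that minted the session credentials it uses, flagging a session whose secret retrievals come from a different source IP than the role assumption. The sample events are constructed inline; the role and user names, regions, IP addresses, access key IDs and thresholds are assumptions, not values from the page.

```python
"""Added example: score CloudTrail GetSecretValue events against a baseline and
correlate them with the AssumeRole event that issued the session credentials."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Tunables corresponding to the mutable elements; every value is an assumption.
PRIVILEGED_ROLES = {"role/app-prod-runtime", "user/secrets-admin"}  # PrivilegedRoles
ALLOWED_REGIONS = {"us-east-1", "us-west-2"}                         # RegionConstraints
BUSINESS_HOURS = (8, 18)                                             # TimeWindow, UTC hours
VOLUME_WINDOW = timedelta(minutes=10)                                # AccessPatterns window
VOLUME_THRESHOLD = 5                                                 # calls per principal per window


def parse_time(s):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def principal_of(event):
    """Normalise userIdentity to 'role/NAME' (assumed role) or 'user/NAME' (IAM user)."""
    ident = event["userIdentity"]
    if ident["type"] == "AssumedRole":
        return "role/" + ident["sessionContext"]["sessionIssuer"]["arn"].rsplit("/", 1)[-1]
    return "user/" + ident["arn"].rsplit("/", 1)[-1]


def evaluate(events):
    """Return {eventID: [reasons]} for GetSecretValue calls that deviate from the baseline."""
    session_origin = {}          # temporary accessKeyId -> sourceIPAddress of its AssumeRole
    recent = defaultdict(list)   # principal -> timestamps of GetSecretValue calls in the window
    findings = {}
    for e in sorted(events, key=lambda x: x["eventTime"]):
        if e["eventSource"] == "sts.amazonaws.com" and e["eventName"] == "AssumeRole":
            key = e["responseElements"]["credentials"]["accessKeyId"]
            session_origin[key] = e["sourceIPAddress"]
            continue
        if e["eventSource"] != "secretsmanager.amazonaws.com" or e["eventName"] != "GetSecretValue":
            continue
        ts, who, reasons = parse_time(e["eventTime"]), principal_of(e), []
        if who not in PRIVILEGED_ROLES:
            reasons.append("principal not in PrivilegedRoles")
        if e["awsRegion"] not in ALLOWED_REGIONS:
            reasons.append("region not in RegionConstraints")
        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            reasons.append("outside business hours")
        # Sliding window of this principal's retrievals, including the current one.
        recent[who] = [t for t in recent[who] if ts - t <= VOLUME_WINDOW] + [ts]
        if len(recent[who]) > VOLUME_THRESHOLD:
            reasons.append("volume above AccessPatterns baseline")
        # Correlate with the role assumption that produced these session credentials.
        origin = session_origin.get(e["userIdentity"].get("accessKeyId"))
        if origin is not None and origin != e["sourceIPAddress"]:
            reasons.append("session credentials used from a different IP than AssumeRole")
        if reasons:
            findings[e["eventID"]] = reasons
    return findings


# Constructed sample records (schema fields as CloudTrail emits them; values invented).
def _get_secret(event_id, time, ident, region, ip, secret="prod/db/password"):
    return {"eventID": event_id, "eventTime": time, "eventSource": "secretsmanager.amazonaws.com",
            "eventName": "GetSecretValue", "awsRegion": region, "sourceIPAddress": ip,
            "userIdentity": ident, "requestParameters": {"secretId": secret}}


ROLE_SESSION = {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000001",
                "arn": "arn:aws:sts::123456789012:assumed-role/app-prod-runtime/deploy",
                "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/app-prod-runtime"}}}
CI_USER = {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000002",
           "arn": "arn:aws:iam::123456789012:user/ci-runner"}

SAMPLE_EVENTS = [
    {"eventID": "ev-assume", "eventTime": "2024-05-03T09:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE000001"}}},
    # Expected use: same session, same IP, allowed region, during business hours.
    _get_secret("ev-ok", "2024-05-03T09:05:00Z", ROLE_SESSION, "us-east-1", "198.51.100.7"),
    # Same session credentials, but off-hours, from an unexpected region and a different IP.
    _get_secret("ev-odd", "2024-05-03T20:41:00Z", ROLE_SESSION, "eu-central-1", "203.0.113.44"),
] + [  # A burst of six retrievals in five minutes by a principal outside PrivilegedRoles.
    _get_secret(f"ev-burst-{i}", f"2024-05-03T10:0{i}:00Z", CI_USER, "us-east-1", "198.51.100.9")
    for i in range(6)]

if __name__ == "__main__":
    for event_id, reasons in evaluate(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(reasons))
```

The baseline checks are stateless per event; the volume check and the AssumeRole correlation are the parts that need ordered input, which is why the events are sorted by `eventTime` first. In a real pipeline the `session_origin` map would be keyed by the STS temporary access key for the lifetime of the session rather than held in memory for a single batch.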