Credentials from Password Stores: Cloud Secrets Management Stores

Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault.

Secrets managers support the secure centralized management of passwords, API keys, and other credential material. Where secrets managers are in use, cloud services can dynamically acquire credentials via API requests rather than accessing secrets insecurely stored in plain text files or environment variables.

If an adversary is able to gain sufficient privileges in a cloud environment – for example, by obtaining the credentials of high-privileged Cloud Accounts or compromising a service that has permission to retrieve secrets – they may be able to request secrets from the secrets manager. This can be accomplished via commands such as get-secret-value in AWS, gcloud secrets describe in GCP, and az key vault secret show in Azure.[1][2][3][4][5]

Note: this technique is distinct from Cloud Instance Metadata API in that the credentials are being directly requested from the cloud secrets manager, rather than through the medium of the instance metadata API.

ID: T1555.006
Sub-technique of:  T1555
Platforms: IaaS
Contributors: Martin McCloskey, Datadog
Version: 1.0
Created: 25 September 2023
Last Modified: 30 September 2023

Procedure Examples

ID Name Description
S1091 Pacu

Pacu can retrieve secrets from the AWS Secrets Manager via the enum_secrets module.[6]

Mitigations

ID Mitigation Description
M1026 Privileged Account Management

Limit the number of cloud accounts and services with permission to query the secrets manager to only those required. Ensure that accounts and services with permissions to query the secrets manager only have access to the secrets they require.

Detection

ID Data Source Data Component Detects
DS0025 Cloud Service Cloud Service Enumeration

Monitor for API calls and CLI commands that attempt to enumerate and fetch credential material from the secrets manager, such as get-secret-value in AWS, gcloud secrets describe in GCP, and az key vault secret show in Azure. Alert on any suspicious usages of these commands, such as an account or service generating an unusually high number of secret requests.

References