From 6411d85ebf96d9205de65611b03e110bdbfef80f Mon Sep 17 00:00:00 2001 From: JaimePolop Date: Wed, 1 Oct 2025 11:58:25 +0200 Subject: [PATCH] KMS DOS explanation --- .../aws-secrets-manager-post-exploitation.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md index e59cbbaaa3..a34dd0426c 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md @@ -30,6 +30,12 @@ aws secretsmanager put-secret-value \ ### DoS Change KMS key +If the attacker has the secretsmanager:UpdateSecret permission, they can configure the secret to use a KMS key owned by the attacker. That key is initially set up in such a way that anyone can access and use it, so updating the secret with the new key is possible. If the key was not accessible, the secret could not be updated. + +After changing the key for the secret, the attacker modifies the configuration of their key so that only they can access it. This way, in the subsequent versions of the secret, it will be encrypted with the new key, and since there is no access to it, the ability to retrieve the secret would be lost. + +It is important to note that this inaccessibility will only occur in later versions, after the content of the secret changes, since the current version is still encrypted with the original KMS key. + ```bash aws secretsmanager update-secret \ --secret-id MyTestSecret \
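Review bot: The second added paragraph states that "the ability to retrieve the secret would be lost" without saying when, and the limit only arrives in the third paragraph, so a reader who stops early will assume the DoS is immediate. Consider folding the two together so the paragraph says up front that the current version stays readable under the original KMS key and only versions written after the key change are affected. It would also help to state which action produces that new version, since the text only says "after the content of the secret changes". In the first paragraph, "set up in such a way that anyone can access and use it" is vague; naming the mechanism (the key's policy) would make it clearer what is later tightened. Style: put secretsmanager:UpdateSecret in backticks to match how permissions are normally written in these pages.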