From 03a213fcdd20153fcf1ad7e984e77d26880dbae8 Mon Sep 17 00:00:00 2001 From: JaimePolop Date: Thu, 2 Oct 2025 13:23:37 +0200 Subject: [PATCH 1/3] Secrets manager new attacks --- .../aws-secrets-manager-post-exploitation.md | 36 +++++++++++++++++++ .../aws-secrets-manager-privesc.md | 2 ++ 2 files changed, 38 insertions(+) diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md index a34dd0426c..a40a891657 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md @@ -52,6 +52,42 @@ aws secretsmanager delete-secret \ --recovery-window-in-days 7 ``` +## secretsmanager:RestoreSecret + +It is possible to restore a secret, which allows the restoration of secrets that have been scheduled for deletion, since the minimum deletion period for secrets is 7 days and the maximum is 30 days. Together with the secretsmanager:GetSecretValue permission, this makes it possible to retrieve their contents. + +To recover a secret that is in the process of being deleted, you can use the following command: +```bash +aws secretsmanager restore-secret \ + --secret-id +``` + +## secretsmanager:DeleteResourcePolicy, DoS + +This action allows deleting the resource policy that controls who can access a secret. This could lead to a DoS if the resource policy was configured to allow access to a specific set of users. + +To delete the resource policy: +```bash +aws secretsmanager delete-resource-policy \ + --secret-id +``` + +## secretsmanager:UpdateSecretVersionStage, DoS + +The states of a secret are used to manage versions of a secret. AWSCURRENT marks the active version that applications use, AWSPREVIOUS keeps the previous version so that you can roll back if necessary, and AWSPENDING is used in the rotation process to prepare and validate a new version before making it the current one. + +Applications always read the version with AWSCURRENT. If someone moves that label to the wrong version, the apps will use invalid credentials and may fail. + +AWSPREVIOUS is not used automatically. However, if AWSCURRENT is removed or reassigned incorrectly, it may appear that everything is still running with the previous version. + +```bash +aws secretsmanager update-secret-version-stage \ + --secret-id \ + --version-stage AWSCURRENT \ + --move-to-version-id \ + --remove-from-version-id +``` + {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md index 3d1170ccf3..3230790644 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md @@ -18,6 +18,8 @@ An attacker with this permission can get the **saved value inside a secret** in aws secretsmanager get-secret-value --secret-id # Get value ``` +`secretsmanager:BatchGetSecretValue` needs also `secretsmanager:GetSecretValue` to retrieve the secrets. + **Potential Impact:** Access high sensitive data inside AWS secrets manager service. ### `secretsmanager:GetResourcePolicy`, `secretsmanager:PutResourcePolicy`, (`secretsmanager:ListSecrets`) From e188809f706fb6b3f6cd408287213e499f5b2274 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Sat, 4 Oct 2025 11:02:17 +0200 Subject: [PATCH 2/3] Update aws-secrets-manager-post-exploitation.md --- .../aws-secrets-manager-post-exploitation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md index a40a891657..2db024cce6 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md @@ -62,7 +62,7 @@ aws secretsmanager restore-secret \ --secret-id ``` -## secretsmanager:DeleteResourcePolicy, DoS +## secretsmanager:DeleteResourcePolicy This action allows deleting the resource policy that controls who can access a secret. This could lead to a DoS if the resource policy was configured to allow access to a specific set of users. @@ -72,7 +72,7 @@ aws secretsmanager delete-resource-policy \ --secret-id ``` -## secretsmanager:UpdateSecretVersionStage, DoS +## secretsmanager:UpdateSecretVersionStage The states of a secret are used to manage versions of a secret. AWSCURRENT marks the active version that applications use, AWSPREVIOUS keeps the previous version so that you can roll back if necessary, and AWSPENDING is used in the rotation process to prepare and validate a new version before making it the current one. From 9508f50485736d321eb50e2baf53a1fbc30b2df7 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Sat, 4 Oct 2025 11:03:30 +0200 Subject: [PATCH 3/3] Update aws-secrets-manager-privesc.md --- .../aws-privilege-escalation/aws-secrets-manager-privesc.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md index 3230790644..c970c8876d 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md @@ -18,10 +18,11 @@ An attacker with this permission can get the **saved value inside a secret** in aws secretsmanager get-secret-value --secret-id # Get value ``` -`secretsmanager:BatchGetSecretValue` needs also `secretsmanager:GetSecretValue` to retrieve the secrets. - **Potential Impact:** Access high sensitive data inside AWS secrets manager service. +> [!WARNING] +> Note that even with the `secretsmanager:BatchGetSecretValue` permission an atatcker would also need `secretsmanager:GetSecretValue` to retrieve the sensitive secrets. + ### `secretsmanager:GetResourcePolicy`, `secretsmanager:PutResourcePolicy`, (`secretsmanager:ListSecrets`) With the previous permissions it's possible to **give access to other principals/accounts (even external)** to access the **secret**. Note that in order to **read secrets encrypted** with a KMS key, the user also needs to have **access over the KMS key** (more info in the [KMS Enum page](../aws-services/aws-kms-enum.md)).