Secrets manager new attacks

This commit is contained in:
JaimePolop
2025-10-02 13:23:37 +02:00
parent 3da7552a83
commit 03a213fcdd
2 changed files with 38 additions and 0 deletions

View File

@@ -52,6 +52,42 @@ aws secretsmanager delete-secret \
--recovery-window-in-days 7
```
## secretsmanager:RestoreSecret
It is possible to restore a secret, which allows the restoration of secrets that have been scheduled for deletion, since the minimum deletion period for secrets is 7 days and the maximum is 30 days. Together with the secretsmanager:GetSecretValue permission, this makes it possible to retrieve their contents.
To recover a secret that is in the process of being deleted, you can use the following command:
```bash
aws secretsmanager restore-secret \
--secret-id <Secret_Name>
```
## secretsmanager:DeleteResourcePolicy, DoS
This action allows deleting the resource policy that controls who can access a secret. This could lead to a DoS if the resource policy was configured to allow access to a specific set of users.
To delete the resource policy:
```bash
aws secretsmanager delete-resource-policy \
--secret-id <Secret_Name>
```
## secretsmanager:UpdateSecretVersionStage, DoS
The states of a secret are used to manage versions of a secret. AWSCURRENT marks the active version that applications use, AWSPREVIOUS keeps the previous version so that you can roll back if necessary, and AWSPENDING is used in the rotation process to prepare and validate a new version before making it the current one.
Applications always read the version with AWSCURRENT. If someone moves that label to the wrong version, the apps will use invalid credentials and may fail.
AWSPREVIOUS is not used automatically. However, if AWSCURRENT is removed or reassigned incorrectly, it may appear that everything is still running with the previous version.
```bash
aws secretsmanager update-secret-version-stage \
--secret-id <your-secret-name-or-arn> \
--version-stage AWSCURRENT \
--move-to-version-id <target-version-id> \
--remove-from-version-id <previous-version-id>
```
{{#include ../../../banners/hacktricks-training.md}}
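Review bot: the `secretsmanager:RestoreSecret` section states the 7 to 30 day bounds but never says that a restore only succeeds while the secret is still inside its recovery window (the unchanged context line `--recovery-window-in-days 7` above shows the window is set per deletion), so add that qualifier to the first sentence. Two smaller points in the same hunk: the placeholders are inconsistent (`<Secret_Name>` in the `restore-secret` and `delete-resource-policy` commands versus `<your-secret-name-or-arn>` in `update-secret-version-stage`), and the `UpdateSecretVersionStage` section explains the three stage labels and then drops straight into the command without a `**Potential Impact:**` line like the other sections in this repo (compare `**Potential Impact:** Access high sensitive data inside AWS secrets manager service.` in the second file). The sentence "it may appear that everything is still running with the previous version" is also unclear; say plainly what the DoS condition is (applications read a stale or invalid version via AWSCURRENT) rather than what it "may appear" to be.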

View File

@@ -18,6 +18,8 @@ An attacker with this permission can get the **saved value inside a secret** in
aws secretsmanager get-secret-value --secret-id <secret_name> # Get value
```
`secretsmanager:BatchGetSecretValue` needs also `secretsmanager:GetSecretValue` to retrieve the secrets.
**Potential Impact:** Access high sensitive data inside AWS secrets manager service.
### `secretsmanager:GetResourcePolicy`, `secretsmanager:PutResourcePolicy`, (`secretsmanager:ListSecrets`)
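Review bot: the added line "`secretsmanager:BatchGetSecretValue` needs also `secretsmanager:GetSecretValue` to retrieve the secrets." has a word-order error; reword to "`secretsmanager:BatchGetSecretValue` also needs `secretsmanager:GetSecretValue` to retrieve the secrets." It would also help to say in the same sentence that the batch permission on its own is therefore not sufficient for the `**Potential Impact:**` stated just below, since the surrounding context only shows the single-secret `get-secret-value` command.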