Secret Has Been Viewed by a Human Account
Eco-system support
-
AWS Secrets Manager
-
Azure Key Vault
-
GCP Secrets Manager
Description
Vault secrets should not be viewed by a human account because it increases the risk of unauthorized access, accidental disclosure, and potential misuse of the information. Automating the process of retrieving and using secrets, through the use of application programming interfaces (APIs) and service accounts, can help to ensure that the information is only accessed by authorized systems and processes. Additionally, having a human revealing your secrets could lead to the information being stored in an insecure location or shared with unauthorized parties.
Detection triggers
- Secret read event that is sourced from a browser or “AWS Internal” user-agent.
Mitigation
Review abnormal activity
First, review this activity by following these steps
-
Review the “activity” tab to check if the activity is re-occurring.
-
Investigate the actor’s identity, to find potential justification for interacting with a secret directly from the browser, and not from an authorized application.
-
Potential legitimate justification can be
-
Migration scenarios
-
Manual secret rotation
-
-
Otherwise, consider terminating the actor and rotating the affected secret.