Skip to content

Secret Has Been Viewed by a Human Account

Eco-system support

  • AWS Secrets Manager

  • Azure Key Vault

  • GCP Secrets Manager

Description

Vault secrets should not be viewed by a human account because it increases the risk of unauthorized access, accidental disclosure, and potential misuse of the information. Automating the process of retrieving and using secrets, through the use of application programming interfaces (APIs) and service accounts, can help to ensure that the information is only accessed by authorized systems and processes. Additionally, having a human revealing your secrets could lead to the information being stored in an insecure location or shared with unauthorized parties.

Detection triggers

  • Secret read event that is sourced from a browser or “AWS Internal” user-agent.

Mitigation

Review abnormal activity

First, review this activity by following these steps

  • Review the “activity” tab to check if the activity is re-occurring.

  • Investigate the actor’s identity, to find potential justification for interacting with a secret directly from the browser, and not from an authorized application.

  • Potential legitimate justification can be

    • Migration scenarios

    • Manual secret rotation

  • Otherwise, consider terminating the actor and rotating the affected secret.