Skip to content

Failed "Read Access" Attempts to Multiple Secrets

Description

Same identity trying to fetch three or more secrets with “AccessDenied” in errorCode. Fetch all logs with "GetSecretValue" eventName, then group by username. If there are more than three unique errorMessages for the same username, then trigger this risk for the same actor. Show all secrets by parsing the arn.

Risk triggers

  • Attempts to use GetSecretValue by the same identity without proper permissions, targeting a minimum of three distinct secrets.

Mitigation

Review abnormal activity

Failing attempts to read or modify multiple secrets is considered an anomaly. First, review this activity by following these steps

  • Review the "activity" tab to check if the activity is re-occurring.

  • Investigate the actor identity responsible for the fetching workload, to understand if it's legitimate and expected.

Add necessary privileges if justified

  • If legitimate, consider applying the necessary privileges to make sure your applications are working properly.

  • Otherwise, consider terminating the actor and investigating the additional activity.