Production Secret Is Fetched by Script
Description
Retrieving production secrets from CLI exposes a considerable attack surface and poses a significant security threat. This practice may potentially result in a breach, data exposure, and compliance complications.

Detection triggers
- Secret read event, targeting a secret in a production environment, using a CLI tool user-agent, such as “AWS-CLI” or “AWS Powershell”.
Mitigation
Review abnormal activity
The usage of CLI in a production environment is considered an anomaly.
Review this activity by following these steps
-
Review the “activity” tab with the CLI actor filter to check if the activity is re-occurring.
-
Investigate the actor identity responsible for the fetching workload, to understand if it is legitimate and expected.
-
If legitimate, move this risk status to ‘approved’.
-
Otherwise, consider rotating the secret and investigating the actors.
-
JSON Example
Risk JSON
account: {environment: "Guaca", environmentType: "DEMO"}
accountId: "674845834778"
accountType: "AWS"
category: "ABNORMAL_BEHAVIOR"
correlationGuid: "NTR-235230"
creationDate: "2024-01-18T00:11:07.349Z"
customData: null
customerId: 1
data: {awsLogs: [,…], evidenceLogs: [,…]}
description: "Retrieving production secrets from CLI exposes a considerable attack surface and poses a significant security threat. This practice may potentially result in a breach, data exposure, and compliance complications."
destination: "DATA_DOG_PATH"
guid: "RSK-29064"
hasComment: null
hasJiraTicket: null
hasSeen: false
hasSlackMessage: null
id: 397834
isArchived: false
key: "BLAST-SEC-53693"
linkedElements: ["SEC-53693"]
logChangeType: null
modifyDate: "2024-05-30T00:10:52.925Z"
name: "Production secret is fetched by a Script"
occurrences: ["AWS_SECRETS_MANAGER"]
owner: "DemoAccount_Anna"
ownerAiObject: null
ownerUid: null
path: "us-east-2/prod/datadog_demo1"
ruleCode: "FETCH_CLI"
scanId: 15073660
severity: "LOW"
source: "AWS"
status: "OPEN"
tags: ["Insider Threat", "Programmatic", "App", "Travis-1"]
tasks: [{customerId: 1, riskId: 397834, type: "REVIEW_ACTIVITY", level: "HARD",…}]
type: "BLAST"
Linked Element (Vaulted Secret) JSON
accessorsPolicies: {}
account: {environment: "Guaca", environmentType: "DEMO", accountType: "AWS", id: "674845834778"}
accountId: "674845834778"
accountType: "AWS"
azureSecretType: null
correlationGuid: "NTR-235230"
creatorsPolicies: {roles: [{data: {,…},…}, {,…},…], users: [{,…}, {,…},…],…}
customerId: 1
devices: [{role: "AdminUser", region: "us-east-2", ipAddress: "44.209.31.155",…},…]
errors: ["UNCLASSIFIED"]
guid: "SEC-53693"
isActive: true
isArchived: false
isIdle: false
lastAccsesTime: "2024-10-01T11:47:48.000Z"
liminalCreationDate: "2024-01-07T15:46:53.657Z"
liminalModifyDate: "2024-10-02T18:04:43.287Z"
modifiersPolicies: {}
origin: "DATA_DOG_PATH"
owner: "Adminolog"
ownerAiObject: {similarity: 0.9111111111111111, ownerItemType: "email", elementItemType: "username",…}
ownerUid: "6a6bd5de-593c-4e21-9ae4-7a6a0ba125a3"
riskSeverity: "HIGH"
scanId: 32148360
secretArn: "arn:aws:secretsmanager:us-east-2:674845834778:secret:prod/datadog_demo1-LOp6sI"
secretCreationDate: "2023-03-15T09:19:41.679Z"
secretCreatorJSON: "null"
secretLastAccessorJSON: "{\"username\":\"Adminolog\",\"userArn\":\"arn:aws
secretLastModifierJSON: "null"
secretModifiedDate: "2023-03-15T09:19:41.877Z"
secretName: "prod/datadog_demo1"
secretObject: {}
secretRotationDate: "2023-03-15T09:19:41.679Z"
secretStore: "us-east-2"
secretTotalAccess: 11747
secretTotalAccessors: 5
secretTotalIp: 12
secretTotalUserAgent: 40
secretVersion: "67d55f6e-fb90-44e6-83c6-7a31de6caf61"
state: null
tags: {tags: ["Programmatic", "App"]}
uid: "72b3b04a-c9a5-419a-82c2-ead077fd3676"
vaultName: "us-east-2"
vaultPermissions: {}
versionCount: 1