Secret Revealed by Human Actor
Description
Vault secrets should not be viewed by a human account because it increases the risk of unauthorized access, accidental disclosure, and potential misuse of the information. Automating the process of retrieving and using secrets, through the use of application programming interfaces (APIs) and service accounts, can help to ensure that the information is only accessed by authorized systems and processes. Additionally, having a human revealing your secrets could lead to the information being stored in an insecure location or shared with unauthorized parties.

Detection triggers
- Secret read event that is sourced from a browser or “AWS Internal” user-agent.
Mitigation
Review abnormal activity
-
Review the “Activity” tab to check if the activity is re-occurring.
-
Investigate the actor’s identity, to find potential justification for interacting with a secret directly from the browser, and not from an authorized application.
-
Potential legitimate justification can be
-
Migration scenarios
-
Manual secret rotation
-
-
Otherwise, consider terminating the actor and rotating the affected secret.
-

JSON Example
Risk JSON
account: {environment: "qa", environmentType: "QA"}
accountId: "116849364939"
accountType: "AWS"
category: "ABNORMAL_BEHAVIOR"
correlationGuid: "NTR-128083"
creationDate: "2024-07-30T18:25:24.527Z"
customData: null
customerId: 34
data: {conditions: {idle: false, prod: false, neverseen: false, notRotated: false,…},…}
description: "To reduce the risk of unauthorized access, accidental disclosure, and potential misuse of information, it's important to avoid human accounts from viewing Vault secrets."
destination: "RDS_PATH"
guid: "RSK-6117"
hasComment: null
hasJiraTicket: null
hasSeen: false
hasSlackMessage: null
id: 18048
isArchived: false
key: "HUMAN_CUSTOM-SEC-1499-jakep"
linkedElements: ["SEC-1499"]
logChangeType: null
modifyDate: "2024-09-23T09:29:30.479Z"
name: "Secret fetched by human "
occurrences: ["AWS_SECRETS_MANAGER"]
owner: "jakep"
ownerAiObject: {similarity: 1, ownerItemType: "username", elementItemType: "username",…}
ownerUid: "c16f7cee-c366-4b28-8af9-e9a416222d7d"
path: "ca-central-1/custom/caqa/liminal/saas/liminal-saas-rds"
ruleCode: "HUMAN_CUSTOM"
scanId: 1725568
severity: "LOW"
source: "AWS"
status: "OPEN"
tags: ["Abnormal Behavior", "Insider Threat"]
tasks: [{customerId: 34, riskId: 18048, type: "REVIEW_ACTIVITY", level: "HARD",…}]
type: "USER_PRIVILEGES"
Linked Element (Vaulted Secret) JSON
accessorsPolicies: {,…}
account: {environment: "qa", environmentType: "QA", accountType: "AWS", id: "116849364939"}
accountId: "116849364939"
accountType: "AWS"
azureSecretType: null
correlationGuid: "NTR-128083"
creatorsPolicies: {,…}
customerId: 34
devices: [{role: "AWSCloudFormation", region: "ca-central-1", ipAddress: "cloudformation.amazonaws.com",…},…]
errors: []
guid: "SEC-1499"
isActive: true
isArchived: false
isIdle: false
lastAccsesTime: "1800-01-01T00:00:00.000Z"
liminalCreationDate: "2024-07-07T15:45:32.969Z"
liminalModifyDate: "2024-10-29T08:51:39.270Z"
modifiersPolicies: {,…}
origin: "RDS_PATH"
owner: "AWSCloudFormation"
ownerAiObject: {similarity: 1, ownerItemType: "username", elementItemType: "username",…}
ownerUid: "c16f7cee-c366-4b28-8af9-e9a416222d7d"
riskSeverity: "LOW"
scanId: 2938869
secretArn: "arn:aws:secretsmanager:ca-central-1:116849364939:secret:custom/caqa/liminal/saas/liminal-saas-rds-Hqsesj"
secretCreationDate: "2024-07-07T15:19:56.782Z"
secretCreatorJSON: "{\"username\":\"AWSCloudFormation\",\"userArn\":\"arn:aws:sts::116849364939:assumed-role/cdk-hnb659fds-cfn-exec-role-116849364939-ca-central-1/AWSCloudFormation\",\"sourceIP\":\"cloudformation.amazonaws.com\",\"accessTime\":\"2024-07-07T15:19:56.000Z\",\"userAgent\":\"cloudformation.amazonaws.com\",\"eventName\":\"CreateSecret\"}"
secretLastAccessorJSON: "{\"username\":\"jakep\",\"userArn\":\"arn:aws:i
secretLastModifierJSON: "{\"username\":\"AWSCloudFormation\",\"userArn\":\"arn:aws:sts::116849364939:assumed-role/cdk-hnb659fds-cfn-exec-role-116849364939-ca-central-1/AWSCloudFormation\",\"sourceIP\":\"cloudformation.amazonaws.com\",\"accessTime\":\"2024-07-07T15:21:36.000Z\",\"userAgent\":\"cloudformation.amazonaws.com\",\"eventName\":\"PutSecretValue\",\"trails\":[{\"uid\":\"2fa50ac7-1271-4c34-be5c-dc958fc3c422\",\"customerId\":34,\"accountId\":\"116849364939\",\"accountType\":\"AWS\",\"region\":\"ca-central-1\",\"eventId\":\"3de99e94-4109-4f8e-9241-9edd3528e1dd\",\"eventTime\":\"2024-07-07T15:21:36.000Z\",\"eventName\":\"PutSecretValue\",\"sourceIPAddress\":\"cloudformation.amazonaws.com\",\"userAgent\":\"cloudformation.amazonaws.com\",\"userIdentityArn\":\"arn:aws:sts::116849364939:assumed-role/cdk-hnb659fds-cfn-exec-role-116849364939-ca-central-1/AWSCloudFormation\",\"username\":\"AWSCloudFormation\",\"versionId\":null,\"secretId\":\"arn:aws:secretsmanager:ca-central-1:116849364939:secret:custom/caqa/liminal/saas/liminal-saas-rds-Hqsesj\",\"accessKeyId\":\"ASIARWNGDZ7FQECVG3DR\",\"errorCode\":null,\"errorMessage\":null,\"sessionCredentialFromConsole\":null,\"additionalData\":null,\"eventSource\":\"secretsmanager.amazonaws.com\",\"resources\":[{\"ResourceName\":\"arn:aws:secretsmanager:ca-central-1:116849364939:secret:custom/caqa/liminal/saas/liminal-saas-rds-Hqsesj\",\"ResourceType\":\"AWS::SecretsManager::Secret\"}],\"functionArn\":null,\"principalId\":\"AROARWNGDZ7F6VZQH5QFJ:AWSCloudFormation\",\"ec2RoleDelivery\":null,\"scanId\":552232}]}"
secretModifiedDate: "2024-07-07T15:21:36.930Z"
secretName: "custom/caqa/liminal/saas/liminal-saas-rds"
secretObject: {KeyPairs: [,…], RegexMatch: [],…}
secretRotationDate: "2024-07-07T15:19:56.810Z"
secretStore: "ca-central-1"
secretTotalAccess: 1
secretTotalAccessors: 1
secretTotalIp: 1
secretTotalUserAgent: 1
secretVersion: "73a2747a-95dd-48dd-9bee-438c7d7d2b57"
state: null
tags: {tags: []}
uid: "2ba746e3-9099-4cc2-ba2c-76ef71b43592"
vaultName: "ca-central-1"
vaultPermissions: {}
versionCount: 2