This alert triggers when a resource-based permission policy is attached to a secret and the resource policy is applied to all the resources and for all the secrets manager actions. For information about permissions, see the below link: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html Impact If not configured correctly, resource-based permission policies may grant unintended or excessive permissions to AWS resources or IAM principals, leading to unauthorized access or misuse of the secret. Mitigation Review and test permission policies to ensure they align with security requirements and access control principles. If the policy was not attached by a legitimate user or if its purpose is unknown, revert the action and investigate further for any malicious activities. MITRE Tactic: TA0004 MITRE Technique: T1098

This alert triggers whenever a previously unseen IAM user lists secrets from AWS Secrets Manager. Please note that this alert inspects the IAM users listing secrets within your AWS account over a 7-day window. An alert will be triggered for newly detected users after this 7-day window. If the behavior is intended for a user, please whitelist the user in the alert query. Also, you can increase this 7-day window to 1 or 2 months as per your requirements. Impact A new user listing secrets from the AWS secrets manager could indicate suspicious/malicious activity. Mitigation Determine whether this action is legitimate and that the user performing this action is aware of it. If not, investigate further for any malicious activities in your AWS account. MITRE Tactic: TA0006 MITRE Technique: T1555

This alert triggers when the automatic rotation of secrets is turned off. The corresponding event also cancels the rotation if a rotation is currently in progress. Impact A threat actor can turn off automatic secrets rotation to maintain persistence in your AWS account. Mitigation Verify if this action is legitimate or not. If not, check for any other related suspicious actions and investigate further. MITRE Tactic: TA0005 MITRE Technique: T1562

This alert triggers whenever a previously unseen IAM user retrieves secrets from AWS Secrets Manager. Please note that this alert inspects the IAM users accessing secrets within your AWS account over a 7-day window. An alert will be triggered for newly detected users after this 7-day window. If the behavior is intended for a user, please whitelist the user in the alert query. Also, you can increase this 7-day window to 1 or 2 months as per your requirements. Impact A new user accessing secrets from the AWS secrets manager could indicate suspicious/malicious activity. Mitigation Determine whether the IAM user is expected to access the Secrets Manager and the secrets. If not, investigate further for any malicious activities in your AWS account. MITRE Tactic: TA0006 MITRE Technique: T1555

This alert triggers when the deletion of a secret is attempted. Secrets Manager does not immediately delete secrets. Instead, Secrets Manager immediately makes the secrets inaccessible and scheduled for deletion after a recovery window of a minimum of seven days. Until the recovery window ends, you can recover a secret you previously deleted. There is no charge for secrets that you have marked for deletion. Impact Deleting a secret may disrupt applications, services, or workflows that rely on those credentials for authentication or access to AWS resources. If applications are not updated to use alternative credentials or fallback mechanisms, they may experience downtime or operational issues. Mitigation Verify that the deletion action was authorized. If not, investigate further. MITRE Tactic: TA0006 MITRE Technique:T1528

This alert triggers when multiple "AccessDenied" error code is seen in the logs in a specific interval of time. Please note that, for this alert, the threshold value is set to 20 failed attempts in a 5-minute time interval. You can fine-tune this threshold value as per your requirements. You can also, fine-tune this alert for specific users or IP addresses to reduce the noise. Impact Multiple failed access attempts could indicate that an unauthorized user is attempting to perform an action. Mitigation Verify if the multiple error codes are due to some automated process. If not, investigate further. MITRE Tactic: TA0001 MITRE Technique: T1110

This alert triggers whenever a secret is updated. This event modifies the details of a secret, including metadata and the secret value. Impact Modifying AWS secrets may temporarily disrupt access to AWS resources or applications that rely on those credentials. If applications are not designed to handle credential rotation gracefully, they may experience downtime or errors during the transition period. Mitigation Verify if the updating secret was an authorized action. If not, investigate further for any malicious activities. MITRE Tactic: TA0005 MITRE Technique: T1098