From 9508f50485736d321eb50e2baf53a1fbc30b2df7 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Sat, 4 Oct 2025 11:03:30 +0200 Subject: [PATCH] Update aws-secrets-manager-privesc.md --- .../aws-privilege-escalation/aws-secrets-manager-privesc.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md index 323079064..c970c8876 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md @@ -18,10 +18,11 @@ An attacker with this permission can get the **saved value inside a secret** in aws secretsmanager get-secret-value --secret-id # Get value ``` -`secretsmanager:BatchGetSecretValue` needs also `secretsmanager:GetSecretValue` to retrieve the secrets. - **Potential Impact:** Access high sensitive data inside AWS secrets manager service. +> [!WARNING] +> Note that even with the `secretsmanager:BatchGetSecretValue` permission an atatcker would also need `secretsmanager:GetSecretValue` to retrieve the sensitive secrets. + ### `secretsmanager:GetResourcePolicy`, `secretsmanager:PutResourcePolicy`, (`secretsmanager:ListSecrets`) With the previous permissions it's possible to **give access to other principals/accounts (even external)** to access the **secret**. Note that in order to **read secrets encrypted** with a KMS key, the user also needs to have **access over the KMS key** (more info in the [KMS Enum page](../aws-services/aws-kms-enum.md)).
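Review bot: the added `> [!WARNING]` callout carries a typo, "an atatcker would also need", that should read "an attacker would also need" before this lands, since the whole point of the change is to make this caveat more visible. The substance of the moved sentence is correct (calling `BatchGetSecretValue` still requires `secretsmanager:GetSecretValue` on each secret returned), so keeping it next to "Potential Impact" rather than above it reads fine. One small follow-up worth considering in the same hunk: the unchanged context line `aws secretsmanager get-secret-value --secret-id # Get value` has no placeholder after `--secret-id`, so a reader copying it will get a CLI argument error; a `<secret-name-or-arn>` placeholder there would match the rest of the page.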