# AWS - Secrets Manager Post Exploitation

{{#include ../../../banners/hacktricks-training.md}}

## Secrets Manager

For more information check:

{{#ref}}
../aws-services/aws-secrets-manager-enum.md
{{#endref}}

### Read Secrets

The **secrets themselves are sensitive information**; [check the privesc page](../aws-privilege-escalation/aws-secrets-manager-privesc.md) to learn how to read them.

### DoS Change Secret Value

By changing the value of a secret you could **DoS every system that depends on that value.**

> [!WARNING]
> Note that previous values are also stored, so it's easy to just go back to the previous value.

```bash
# Requires permission secretsmanager:PutSecretValue
aws secretsmanager put-secret-value \
    --secret-id MyTestSecret \
    --secret-string "{\"user\":\"diegor\",\"password\":\"EXAMPLE-PASSWORD\"}"
```

### DoS Change KMS key

```bash
aws secretsmanager update-secret \
    --secret-id MyTestSecret \
    --kms-key-id arn:aws:kms:us-west-2:123456789012:key/EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE
```

### DoS Deleting Secret

The minimum number of days to delete a secret is 7.

```bash
aws secretsmanager delete-secret \
    --secret-id MyTestSecret \
    --recovery-window-in-days 7
```
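
From the defender's side, the three calls above each leave a CloudTrail management event. The following is an added example, not part of the original page: it triages such records and attaches a recovery hint to each finding. The sample records, account ID, principals and the `expected_writers` allow-list are constructed for illustration.

```python
SOURCE = "secretsmanager.amazonaws.com"

def _ev(time, name, who, params, error=None):
    """Build a constructed record with the CloudTrail fields this check reads."""
    ev = {"eventTime": time, "eventSource": SOURCE, "eventName": name,
          "userIdentity": {"arn": "arn:aws:iam::111111111111:" + who},
          "requestParameters": params}
    if error:
        ev["errorCode"] = error
    return ev

# Constructed sample records (not real logs); account id and principals are placeholders.
SAMPLE_EVENTS = [
    _ev("2024-01-01T10:00:00Z", "PutSecretValue", "role/rotation-lambda", {"secretId": "MyTestSecret"}),
    _ev("2024-01-01T10:05:00Z", "PutSecretValue", "user/example-user", {"secretId": "MyTestSecret"}),
    _ev("2024-01-01T10:06:00Z", "UpdateSecret", "user/example-user",
        {"secretId": "MyTestSecret", "kmsKeyId": "alias/example-other-key"}),
    _ev("2024-01-01T10:07:00Z", "DeleteSecret", "user/example-user",
        {"secretId": "MyTestSecret", "recoveryWindowInDays": 7}),
    _ev("2024-01-01T10:08:00Z", "DeleteSecret", "user/other-user",
        {"secretId": "MyTestSecret"}, error="AccessDeniedException"),
]

def classify(ev):
    """Return (severity, recovery hint) for a successful destructive call, else None."""
    if ev.get("eventSource") != SOURCE or ev.get("errorCode"):
        return None  # other services, or failed calls that changed nothing
    params = ev.get("requestParameters") or {}
    name = ev.get("eventName")
    if name == "PutSecretValue":
        return ("medium", "value replaced; prior version is kept under AWSPREVIOUS")
    if name == "UpdateSecret" and params.get("kmsKeyId"):
        return ("high", "KMS key changed to " + params["kmsKeyId"] + "; check consumers can decrypt")
    if name == "DeleteSecret":
        days = params.get("recoveryWindowInDays", 30)  # 30 is the service default
        return ("high", f"deletion scheduled; restorable for {days} days")
    return None

def triage(events, expected_writers=()):
    """List findings, skipping principals that are expected to write secrets."""
    findings = []
    for ev in events:
        who = (ev.get("userIdentity") or {}).get("arn", "unknown")
        verdict = classify(ev)
        if verdict and who not in expected_writers:
            findings.append((ev["eventTime"], who, ev["eventName"]) + verdict)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, {"arn:aws:iam::111111111111:role/rotation-lambda"}):
        print(*f, sep=" | ")
```
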