hacktricks-cloud/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md

AWS - Secrets Manager Post Exploitation

{{#include ../../../banners/hacktricks-training.md}}

Secrets Manager

For more information check:

{{#ref}} ../aws-services/aws-secrets-manager-enum.md {{#endref}}

Read Secrets

The secrets themself are sensitive information, check the privesc page to learn how to read them.

DoS Change Secret Value

Changing the value of the secret you could DoS all the system that depends on that value.

Warning

Note that previous values are also stored, so it's easy to just go back to the previous value.

# Requires permission secretsmanager:PutSecretValue
aws secretsmanager put-secret-value \
    --secret-id MyTestSecret \
    --secret-string "{\"user\":\"diegor\",\"password\":\"EXAMPLE-PASSWORD\"}"

DoS Change KMS key

aws secretsmanager update-secret \
    --secret-id MyTestSecret \
    --kms-key-id arn:aws:kms:us-west-2:123456789012:key/EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE

DoS Deleting Secret

The minimum number of days to delete a secret are 7

aws secretsmanager delete-secret \
    --secret-id MyTestSecret \
    --recovery-window-in-days 7

{{#include ../../../banners/hacktricks-training.md}}