AWS Secrets Manager Access

Cortex XSIAM Analytics Alert Reference by Alert name
Product
Cortex XSIAM
Last date published
2026-01-04
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

5 Days

Required Data

  • Requires:
    • AWS Audit Log

Detection Modules

Cloud

Detector Tags

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)

Severity

Informational

Description

An attempt was made to retrieve secrets from AWS Secrets Manager.

Attacker's Goals

Exfiltrate sensitive secrets stored in AWS Secrets Manager.

Investigative actions

  • Investigate the secret's purpose and assess the sensitivity of its contents.
  • Check if the access aligns with known workflows or automation, or if it indicates abnormal activity.

Variations

Unusual AWS Secrets Manager Access

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)

Severity

Informational

Description

An attempt was made to retrieve secrets from AWS Secrets Manager.

Attacker's Goals

Exfiltrate sensitive secrets stored in AWS Secrets Manager.

Investigative actions

  • Investigate the secret's purpose and assess the sensitivity of its contents.
  • Check if the access aligns with known workflows or automation, or if it indicates abnormal activity.