Delete Secret in Secrets Manager
An adversary may attempt to delete secrets stored in secrets manager, in order to negatively impact the function of an environment
|secretid||str||ID of secret to access, either ARN or friendly name||leonidas_created_secret|
aws secretsmanager list-secrets
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
eventName:DeleteSecret AND eventSource:*.secretsmanager.amazonaws.com
--- title: Delete Secret in Secrets Manager id: c8f201c3-705f-4897-8cab-c765eeb4b1a3 status: experimental author: Nick Jones date: 2020-06-18 description: An adversary may attempt to delete secrets stored in secrets manager, in order to negatively impact the function of an environment logsource: service: cloudtrail detection: selection_source: - eventSource: "*.secretsmanager.amazonaws.com" events: - eventName: "DeleteSecret" condition: selection_source AND events level: low tags: - attack.t1089