During a cloud security assessment, enumeration is a critical phase. It allows you to understand your current permissions, map out the available attack surface, and identify potential misconfigurations or exposed sensitive data. This writeup walks through a hands-on lab demonstrating how to perform credential enumeration, list secrets, and extract sensitive payloads using the AWS CLI.
Part 1: Initial Identity Enumeration
Every cloud security assessment begins with determining who you are in the environment. Using an acquired set of AWS access keys, the first step is to call the Security Token Service (STS) to get the current identity context.
aws sts get-caller-identity --profile SecretsManagerEnum
The command returns the following JSON structure:
{
"UserId": "AIDAQGYBPW3JHDS5K4A75",
"Account": "014498641618",
"Arn": "arn:aws:iam::014498641618:user/Julie"
}
The output confirms that the credentials belong to an IAM user named Julie within account 014498641618.
Part 2: Privilege and Policy Assessment
Knowing the identity is Julie, the next objective is to find out what Julie is authorized to do. We query IAM to list the inline policies attached directly to this user account.
aws iam list-user-policies --user-name julie --profile SecretsManagerEnum
{
"PolicyNames": [
"AllowReadSecretsManager"
]
}
An inline policy named AllowReadSecretsManager exists. To view the exact permissions granted by this policy, we pull the specific policy document.
aws iam get-user-policy --user-name julie --policy-name AllowReadSecretsManager --profile
The policy details reveal three distinct permission blocks:
{
"UserName": "julie",
"PolicyName": "AllowReadSecretsManager",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:ListPolicies",
"iam:ListPolicyVersions",
"iam:GetPolicy",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:ListUserPolicies"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "AllowIAMActions"
},
{
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:ListSecretVersionIds",
"secretsmanager:GetResourcePolicy",
"secretsmanager:DescribeSecret"
],
"Effect": "Allow",
"Resource": [
"arn:aws:secretsmanager:us-east-1:014498641618:secret:sm-enumerate-password*",
"arn:aws:secretsmanager:us-east-1:014498641618:secret:sm-enumerate-api-key*"
],
"Sid": "AllowSecretsManagerActions"
},
{
"Action": [
"secretsmanager:ListSecrets"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "AllowListSecrets"
}
]
}
}
Policy Analysis
AllowIAMActions: Allows the user to perform read-only enumeration on IAM profiles and policies.
AllowListSecrets: Grants the ability to list all available metadata for secrets in this account across any resource path.
AllowSecretsManagerActions: Restricts the actual extraction of secret values exclusively to two target prefixes: sm-enumerate-password* and sm-enumerate-api-key*.
Part 3: Enumerating Secrets Manager
With verification that secretsmanager:ListSecrets is permitted globally, we execute a command to discover what secrets exist in the region.
aws secretsmanager list-secrets --profile
The output highlights two secrets matching the resource restrictions found in the IAM policy:
Secret Name: sm-enumerate-password
ARN: arn:aws:secretsmanager:us-east-1:014498641618:secret:sm-enumerate-password-cSojGz
Secret Name: sm-enumerate-api-key
ARN: arn:aws:secretsmanager:us-east-1:014498641618:secret:sm-enumerate-api-key-zShLNz
Part 4: Extracting and Decoding the Flag
Since the policy explicitly permits secretsmanager:GetSecretValue for these specific names, we can query the values directly.
Extracting the Password
aws secretsmanager get-secret-value --secret-id sm-enumerate-password --profile
{
"ARN": "arn:aws:secretsmanager:us-east-1:014498641618:secret:sm-enumerate-password-cSojGz",
"Name": "sm-enumerate-password",
"SecretString": "{\"password\":\"cybr-labs-are-super-fun-2211\"}"
}
Extracting the API Key
aws secretsmanager get-secret-value --secret-id sm-enumerate-api-key --profile
{
"ARN": "arn:aws:secretsmanager:us-east-1:014498641618:secret:sm-enumerate-api-key-zShLNz",
"Name": "sm-enumerate-api-key",
"SecretString": "{\"secret-api-key\":\"Y3lici1sYWJzLWZha2UtYXBpLWtleS0xMTIy\"}"
}
The SecretString for the API key contains a Base64-encoded string: Y3lici1sYWJzLWZha2UtYXBpLWtleS0xMTIy.
Decoding the Flag
To complete the Capture the Flag challenge, the Base64 value must be passed to a decoder. Running this locally via Linux utility tools:
echo "Y3lici1sYWJzLWZha2UtYXBpLWtleS0xMTIy" | base64 -d
Decoded Capture the Flag Value:
cybr-labs-fake-api-key-1122
PWNSOME REFERENCES:
https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/#cli-aws-secretsmanager
United States
NORTH AMERICA
Related News
π I Built a Dropshipping Automation Pipeline β Here's What I Learned (and What I'd Do Differently)
10h ago
How I Cut My LLM API Bill by 40x: A Freelancer's Migration Story
10h ago

Mattress Firm Coupons: Save up to $600
3h ago
Google Ordered to Pay $2 Billion For Anti-Competitive Practices By Swedish Court
20h ago
The Censorship Wall: Why Every AI Companion App Ends Up Filtering You
20h ago