Fetching latest headlines…
cybr.com [LAB] Introduction to Secrets Manager Enumeration (AWS Red Teaming)
NORTH AMERICA
πŸ‡ΊπŸ‡Έ United Statesβ€’July 5, 2026

cybr.com [LAB] Introduction to Secrets Manager Enumeration (AWS Red Teaming)

0 views0 likes0 comments
Originally published byDev.to

During a cloud security assessment, enumeration is a critical phase. It allows you to understand your current permissions, map out the available attack surface, and identify potential misconfigurations or exposed sensitive data. This writeup walks through a hands-on lab demonstrating how to perform credential enumeration, list secrets, and extract sensitive payloads using the AWS CLI.

Part 1: Initial Identity Enumeration

Every cloud security assessment begins with determining who you are in the environment. Using an acquired set of AWS access keys, the first step is to call the Security Token Service (STS) to get the current identity context.

aws sts get-caller-identity --profile SecretsManagerEnum

The command returns the following JSON structure:

{  
   "UserId": "AIDAQGYBPW3JHDS5K4A75",  
   "Account": "014498641618",  
   "Arn": "arn:aws:iam::014498641618:user/Julie"  
}

The output confirms that the credentials belong to an IAM user named Julie within account 014498641618.

Part 2: Privilege and Policy Assessment

Knowing the identity is Julie, the next objective is to find out what Julie is authorized to do. We query IAM to list the inline policies attached directly to this user account.

aws iam list-user-policies --user-name julie --profile SecretsManagerEnum
{  
   "PolicyNames": [  
       "AllowReadSecretsManager"  
   ]  
}

An inline policy named AllowReadSecretsManager exists. To view the exact permissions granted by this policy, we pull the specific policy document.

aws iam get-user-policy --user-name julie --policy-name AllowReadSecretsManager --profile

The policy details reveal three distinct permission blocks:

{
   "UserName": "julie",  
   "PolicyName": "AllowReadSecretsManager",  
   "PolicyDocument": {  
       "Version": "2012-10-17",  
       "Statement": [  
           {  
               "Action": [  
                   "iam:ListPolicies",  
                   "iam:ListPolicyVersions",  
                   "iam:GetPolicy",  
                   "iam:GetUser",  
                   "iam:GetUserPolicy",  
                   "iam:ListUserPolicies"  
               ],  
               "Effect": "Allow",  
               "Resource": "*",  
               "Sid": "AllowIAMActions"  
           },  
           {  
               "Action": [  
                   "secretsmanager:GetSecretValue",  
                   "secretsmanager:ListSecretVersionIds",  
                   "secretsmanager:GetResourcePolicy",  
                   "secretsmanager:DescribeSecret"  
               ],  
               "Effect": "Allow",  
               "Resource": [  
                   "arn:aws:secretsmanager:us-east-1:014498641618:secret:sm-enumerate-password*",  
                   "arn:aws:secretsmanager:us-east-1:014498641618:secret:sm-enumerate-api-key*"  
               ],  
               "Sid": "AllowSecretsManagerActions"  
           },  
           {  
               "Action": [  
                   "secretsmanager:ListSecrets"  
               ],  
               "Effect": "Allow",  
               "Resource": "*",  
               "Sid": "AllowListSecrets"  
           }  
       ]  
   }  
}

Policy Analysis

AllowIAMActions: Allows the user to perform read-only enumeration on IAM profiles and policies.

AllowListSecrets: Grants the ability to list all available metadata for secrets in this account across any resource path.

AllowSecretsManagerActions: Restricts the actual extraction of secret values exclusively to two target prefixes: sm-enumerate-password* and sm-enumerate-api-key*.

Part 3: Enumerating Secrets Manager

With verification that secretsmanager:ListSecrets is permitted globally, we execute a command to discover what secrets exist in the region.

aws secretsmanager list-secrets --profile

The output highlights two secrets matching the resource restrictions found in the IAM policy:

Secret Name: sm-enumerate-password

    ARN: arn:aws:secretsmanager:us-east-1:014498641618:secret:sm-enumerate-password-cSojGz

Secret Name: sm-enumerate-api-key

    ARN: arn:aws:secretsmanager:us-east-1:014498641618:secret:sm-enumerate-api-key-zShLNz

Part 4: Extracting and Decoding the Flag

Since the policy explicitly permits secretsmanager:GetSecretValue for these specific names, we can query the values directly.
Extracting the Password

aws secretsmanager get-secret-value --secret-id sm-enumerate-password --profile
{  
   "ARN": "arn:aws:secretsmanager:us-east-1:014498641618:secret:sm-enumerate-password-cSojGz",  
   "Name": "sm-enumerate-password",  
   "SecretString": "{\"password\":\"cybr-labs-are-super-fun-2211\"}"
}

Extracting the API Key

aws secretsmanager get-secret-value --secret-id sm-enumerate-api-key --profile
{  
   "ARN": "arn:aws:secretsmanager:us-east-1:014498641618:secret:sm-enumerate-api-key-zShLNz",  
   "Name": "sm-enumerate-api-key",  
   "SecretString": "{\"secret-api-key\":\"Y3lici1sYWJzLWZha2UtYXBpLWtleS0xMTIy\"}"
}

The SecretString for the API key contains a Base64-encoded string: Y3lici1sYWJzLWZha2UtYXBpLWtleS0xMTIy.

Decoding the Flag

To complete the Capture the Flag challenge, the Base64 value must be passed to a decoder. Running this locally via Linux utility tools:

echo "Y3lici1sYWJzLWZha2UtYXBpLWtleS0xMTIy" | base64 -d

Decoded Capture the Flag Value:
cybr-labs-fake-api-key-1122

PWNSOME REFERENCES:

https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/#cli-aws-secretsmanager

Comments (0)

Sign in to join the discussion

Be the first to comment!