DET0130 Detect Unauthorized Access to Cloud Secrets Management Stores

| Item | Value |
| --- | --- |
| ID | DET0130 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1555.006 (Cloud Secrets Management Stores)

Analytics

IaaS

AN0366

Detection of suspicious access to cloud-native secret management systems (AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, HashiCorp Vault). Focuses on abnormal secret retrieval activity, such as secrets being accessed by unusual identities, from unexpected regions, outside business hours, or at high volume. Correlates API calls to secret retrieval with surrounding authentication events, role assumptions, and anomalous execution patterns.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Cloud Service Enumeration (DC0083) | AWS:CloudTrail | GetSecretValue |

Mutable Elements

| Field | Description |
| --- | --- |
| PrivilegedRoles | Set of accounts or roles allowed to retrieve secrets; deviations may indicate misuse. |
| TimeWindow | Temporal window to correlate secret access with authentication and anomalous context. |
| AccessPatterns | Expected frequency and volume of secret retrievals per user/service; anomalies may indicate exfiltration. |
| RegionConstraints | Regions in which secret access is expected; access from unusual geographies may indicate compromise. |
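
A sketch of how AN0366 could be evaluated over CloudTrail `GetSecretValue` records, added here as an illustration and not taken from the detection strategy itself. The role names, region, thresholds, business-hours range and sample events are constructed assumptions, and TimeWindow is used as the sliding window for the volume count.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Mutable elements from the analytic; all values are constructed placeholders.
PRIVILEGED_ROLES = {"app-backend", "ci-deployer"}
REGION_CONSTRAINTS = {"us-east-1"}
TIME_WINDOW = timedelta(minutes=10)
MAX_READS_PER_WINDOW = 3            # AccessPatterns baseline (assumed)
BUSINESS_HOURS_UTC = range(8, 18)   # assumed 08:00-17:59 UTC

def role_of(arn):  # role name for an assumed-role session ARN, else the ARN itself
    parts = arn.split("/")
    return parts[1] if ":assumed-role/" in arn and len(parts) >= 3 else arn

def evaluate(events):
    """Return (eventTime, identity, secretId, reasons) for each suspicious read."""
    recent = defaultdict(deque)     # identity -> read times inside TIME_WINDOW
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventName") != "GetSecretValue":
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        who = role_of(ev["userIdentity"]["arn"])
        reasons = []
        if who not in PRIVILEGED_ROLES:
            reasons.append("identity_not_in_PrivilegedRoles")
        if ev["awsRegion"] not in REGION_CONSTRAINTS:
            reasons.append("region_outside_RegionConstraints")
        if ts.hour not in BUSINESS_HOURS_UTC:
            reasons.append("outside_business_hours")
        window = recent[who]
        window.append(ts)
        while ts - window[0] > TIME_WINDOW:   # drop reads older than the window
            window.popleft()
        if len(window) > MAX_READS_PER_WINDOW:
            reasons.append("volume_exceeds_AccessPatterns")
        if reasons:
            findings.append((ev["eventTime"], who, ev["requestParameters"]["secretId"], reasons))
    return findings

def make_event(time, session, region, secret):  # constructed, trimmed CloudTrail record
    arn = "arn:aws:sts::111122223333:assumed-role/" + session
    return {"eventTime": time, "eventName": "GetSecretValue", "awsRegion": region,
            "userIdentity": {"arn": arn}, "requestParameters": {"secretId": secret}}

SAMPLE_EVENTS = [make_event("2025-10-21T09:00:00Z", "app-backend/i-0abc", "us-east-1", "prod/db"),
                 make_event("2025-10-21T02:14:00Z", "dev-sandbox/alice", "ap-southeast-1", "prod/db")]
SAMPLE_EVENTS += [make_event(f"2025-10-21T10:0{m}:00Z", "ci-deployer/build-77", "us-east-1",
                             f"prod/key-{m}") for m in range(4)]
```

Calling `evaluate(SAMPLE_EVENTS)` flags the off-hours read by an unlisted role from an unexpected region, and the fourth read by `ci-deployer` inside ten minutes; the single in-policy read by `app-backend` produces no finding.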