One call empties your Secrets Manager
AWS Secrets Manager holds the database passwords and API keys that unlock everything else. With broad read permission, an attacker lists and retrieves every secret in seconds. Here is the exfil, and the fix.
The service that keeps your other credentials safe is only as safe as the permission to read it.
What it is
AWS Secrets Manager stores credentials that applications retrieve at runtime. An identity with broad secretsmanager:ListSecrets and secretsmanager:GetSecretValue permission can enumerate and read every secret in the account, then use those database passwords, API keys, and tokens to move laterally into whatever systems accept them. This is T1552 (unsecured credentials) leading into T1555 (credentials from password stores).
Why it works
Applications read individual secrets all day, so a burst of reads can blend in unless you watch for breadth, and once read, the secrets stay valid until rotated.
How to detect it
In CloudTrail, look for ListSecrets plus many GetSecretValue calls in a short window from an identity or IP that does not normally read them.
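The rule above as runnable detection logic, added here as an example and not part of the original post or the GraphLattice product: it groups CloudTrail records by identity and source IP, and alerts when a ListSecrets is followed within a window by reads of many distinct secrets. The event records, account number, IPs and secret names are constructed for the example; the threshold, window and known_readers allowlist are assumed tuning knobs.

```python
"""Flag bulk Secrets Manager reads in CloudTrail: a ListSecrets followed by
many distinct GetSecretValue calls from the same identity and source IP."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records trimmed to the fields the rule needs
# (not captured log data). Account id, ARNs, IPs and secret names are made up.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-prod"},
     "sourceIPAddress": "10.0.1.5",
     "requestParameters": {"secretId": "prod/db/app"}},      # normal single read
    {"eventTime": "2024-05-01T10:30:00Z", "eventName": "ListSecrets",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": None},
] + [
    {"eventTime": f"2024-05-01T10:30:{s:02d}Z", "eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"secretId": f"prod/secret-{s}"}}
    for s in range(1, 13)                                     # 12 reads in 12 seconds
]


def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_bulk_reads(events, window=timedelta(minutes=10), threshold=10,
                      known_readers=frozenset()):
    """Return one alert per (identity, IP) that called ListSecrets and then read
    at least `threshold` distinct secrets within `window`. The alert carries the
    list of secrets read, which is the rotation list for the response."""
    by_actor = defaultdict(list)
    for ev in events:
        actor = (ev["userIdentity"]["arn"], ev["sourceIPAddress"])
        sid = (ev.get("requestParameters") or {}).get("secretId")
        by_actor[actor].append((_ts(ev), ev["eventName"], sid))
    alerts = []
    for (arn, ip), evs in by_actor.items():
        if arn in known_readers:      # e.g. a rotation job that legitimately reads widely
            continue
        for t, name, _ in sorted(evs, key=lambda e: e[0]):
            if name != "ListSecrets":
                continue
            read = {sid for t2, n2, sid in evs
                    if n2 == "GetSecretValue" and sid and t <= t2 <= t + window}
            if len(read) >= threshold:
                alerts.append({"arn": arn, "sourceIP": ip, "listAt": t.isoformat(),
                               "secretsRead": sorted(read)})
                break                 # one alert per actor; the secret list is the payload
    return alerts
```

Keying on identity plus source IP means a known application role reading from an unfamiliar address still surfaces, which matches the "does not normally read them" condition.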
The fix that holds
Least-privilege secret access per identity and per secret (resource policies), alert on bulk GetSecretValue, use VPC endpoints, and rotate secrets regularly. Treat a dump as a keys-to-the-kingdom event and rotate everything that was read.
Practice it
We built a Secrets Manager mass-theft scenario in GraphLattice Range so teams learn to catch the bulk read and run the rotation recovery requires.