Detection rules › Panther
AWS Decrypt SSM Parameters
Identify principals retrieving a high number of SSM Parameters of type 'SecretString'. This rule filters out known administrative roles that legitimately need bulk parameter access.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1555 Credentials from Password Stores |
Rule body

```yaml
AnalysisType: rule
Filename: aws_ssm_decrypt_ssm_params.py
RuleID: "AWS.SSM.DecryptSSMParams"
DisplayName: AWS Decrypt SSM Parameters
Enabled: true
LogTypes:
  - AWS.CloudTrail
Severity: Medium
Reports:
  MITRE ATT&CK:
    - TA0006:T1555
  Stratus Red Team:
    - aws.credential-access.ssm-retrieve-securestring-parameters
Description: >
  Identify principals retrieving a high number of SSM Parameters of type 'SecretString'.
  This rule filters out known administrative roles that legitimately need bulk parameter access.
Threshold: 25
Reference: >
  https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ssm-retrieve-securestring-parameters/
Runbook: |
  1. Query CloudTrail for all GetParameter and GetParameters events by userIdentity.arn with requestParameters.withDecryption=true in the 4 hours around this alert to identify the complete list of accessed SSM parameters
  2. Review the parameter names from the resources array to determine if they contain database credentials, API keys, or encryption keys, and assess the impact if those secrets are compromised
  3. Search CloudTrail for other suspicious API calls by the same userIdentity.arn and sourceIPAddress in the 24 hours before the first parameter access, looking for privilege escalation, IAM changes, or unusual resource access
SummaryAttributes:
  - sourceIpAddress
  - p_alert_context.accessedParams
Tags:
  - AWS CloudTrail
  - 'Credential Access: Credentials from Password Stores'
Status: Experimental
Tests:
  - Name: Single Secret Accessed in Single Event
    ExpectedResult: true
    Mocks:
      - objectName: get_string_set
        returnValue: '["a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y"]'
      - objectName: put_string_set
        returnValue: ''
    Log:
      {
        "p_event_time": "2025-02-14 19:43:09.000000000",
        "p_log_type": "AWS.CloudTrail",
        "awsRegion": "us-west-2",
        "eventCategory": "Management",
        "eventID": "587e6d58-a653-4fd9-859f-367dc1bad98c",
        "eventName": "GetParameter",
        "eventSource": "ssm.amazonaws.com",
        "eventTime": "2025-02-14 19:43:09.000000000",
        "eventType": "AwsApiCall",
        "eventVersion": "1.11",
        "managementEvent": true,
        "readOnly": true,
        "recipientAccountId": "111122223333",
        "requestID": "a1f28efd-9f5b-4a13-9878-86f57de594dc",
        "requestParameters": {
          "name": "/credentials/stratus-red-team/credentials-25",
          "withDecryption": true
        },
        "resources": [
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-25"
          }
        ],
        "sourceIPAddress": "1.2.3.4",
        "tlsDetails": {
          "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
          "clientProvidedHostHeader": "ssm.us-west-2.amazonaws.com",
          "tlsVersion": "TLSv1.2"
        },
        "userAgent": "example-user-agent",
        "userIdentity": {
          "accessKeyId": "EXAMPLE_ACCESS_KEY",
          "accountId": "111122223333",
          "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/bobson.dugnutt",
          "principalId": "SAMPLE_PRINCIPAL_ID:bobson.dugnutt",
          "sessionContext": {
            "attributes": {
              "creationDate": "2025-02-14T19:42:05Z",
              "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
              "accountId": "111122223333",
              "arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole",
              "principalId": "SAMPLE_PRINCIPAL_ID",
              "type": "Role",
              "userName": "SampleRole"
            }
          },
          "type": "AssumedRole"
        }
      }
  - Name: Multiple Secrets Accessed in Same Event
    ExpectedResult: true
    Mocks:
      - objectName: get_string_set
        returnValue: '["a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o"]'
      - objectName: put_string_set
        returnValue: ''
    Log:
      {
        "p_event_time": "2025-02-14 19:42:57.000000000",
        "p_log_type": "AWS.CloudTrail",
        "awsRegion": "us-west-2",
        "eventCategory": "Management",
        "eventID": "ce59873d-6a27-4fa4-afc1-088fceba71e4",
        "eventName": "GetParameters",
        "eventSource": "ssm.amazonaws.com",
        "eventTime": "2025-02-14 19:42:57.000000000",
        "eventType": "AwsApiCall",
        "eventVersion": "1.11",
        "managementEvent": true,
        "readOnly": true,
        "recipientAccountId": "111122223333",
        "requestID": "b6cb0ea5-2366-47c3-a4e5-acc31bc6882a",
        "requestParameters": {
          "names": [
            "/credentials/stratus-red-team/credentials-10",
            "/credentials/stratus-red-team/credentials-11",
            "/credentials/stratus-red-team/credentials-12",
            "/credentials/stratus-red-team/credentials-15",
            "/credentials/stratus-red-team/credentials-24",
            "/credentials/stratus-red-team/credentials-30",
            "/credentials/stratus-red-team/credentials-31",
            "/credentials/stratus-red-team/credentials-32",
            "/credentials/stratus-red-team/credentials-36",
            "/credentials/stratus-red-team/credentials-40",
            "/credentials/stratus-red-team/credentials-41"
          ],
          "withDecryption": true
        },
        "resources": [
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-10"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-11"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-12"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-15"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-24"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-30"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-31"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-32"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-36"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-40"
          }
        ],
        "sourceIPAddress": "1.2.3.4",
        "tlsDetails": {
          "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
          "clientProvidedHostHeader": "ssm.us-west-2.amazonaws.com",
          "tlsVersion": "TLSv1.2"
        },
        "userAgent": "example-user-agent",
        "userIdentity": {
          "accessKeyId": "EXAMPLE_ACCESS_KEY",
          "accountId": "111122223333",
          "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/bobson.dugnutt",
          "principalId": "SAMPLE_PRINCIPAL_ID:bobson.dugnutt",
          "sessionContext": {
            "attributes": {
              "creationDate": "2025-02-14T19:42:05Z",
              "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
              "accountId": "111122223333",
              "arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole",
              "principalId": "SAMPLE_PRINCIPAL_ID",
              "type": "Role",
              "userName": "SampleRole"
            }
          },
          "type": "AssumedRole"
        }
      }
  - Name: Multiple Secrets Accessed in Same Event With Prior Cached Parameters
    ExpectedResult: true
    Mocks:
      - objectName: get_string_set
        returnValue: '["a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u"]'
      - objectName: put_string_set
        returnValue: ''
    Log:
      {
        "p_event_time": "2025-02-14 19:42:57.000000000",
        "p_log_type": "AWS.CloudTrail",
        "awsRegion": "us-west-2",
        "eventCategory": "Management",
        "eventID": "ce59873d-6a27-4fa4-afc1-088fceba71e4",
        "eventName": "GetParameters",
        "eventSource": "ssm.amazonaws.com",
        "eventTime": "2025-02-14 19:42:57.000000000",
        "eventType": "AwsApiCall",
        "eventVersion": "1.11",
        "managementEvent": true,
        "readOnly": true,
        "recipientAccountId": "111122223333",
        "requestID": "b6cb0ea5-2366-47c3-a4e5-acc31bc6882a",
        "requestParameters": {
          "names": [
            "/credentials/stratus-red-team/credentials-10",
            "/credentials/stratus-red-team/credentials-11",
            "/credentials/stratus-red-team/credentials-12",
            "/credentials/stratus-red-team/credentials-15",
            "/credentials/stratus-red-team/credentials-24"
          ],
          "withDecryption": true
        },
        "resources": [
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-10"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-11"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-12"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-15"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-24"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-30"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-31"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-32"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-36"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-40"
          }
        ],
        "sourceIPAddress": "1.2.3.4",
        "tlsDetails": {
          "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
          "clientProvidedHostHeader": "ssm.us-west-2.amazonaws.com",
          "tlsVersion": "TLSv1.2"
        },
        "userAgent": "example-user-agent",
        "userIdentity": {
          "accessKeyId": "EXAMPLE_ACCESS_KEY",
          "accountId": "111122223333",
          "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/bobson.dugnutt",
          "principalId": "SAMPLE_PRINCIPAL_ID:bobson.dugnutt",
          "sessionContext": {
            "attributes": {
              "creationDate": "2025-02-14T19:42:05Z",
              "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
              "accountId": "111122223333",
              "arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole",
              "principalId": "SAMPLE_PRINCIPAL_ID",
              "type": "Role",
              "userName": "SampleRole"
            }
          },
          "type": "AssumedRole"
        }
      }
  - Name: Accessed Parameters Aren't Encrypted
    ExpectedResult: false
    Mocks:
      - objectName: get_string_set
        returnValue: '[]'
      - objectName: put_string_set
        returnValue: ''
    Log:
      {
        "p_event_time": "2025-02-14 19:42:57.000000000",
        "p_log_type": "AWS.CloudTrail",
        "awsRegion": "us-west-2",
        "eventCategory": "Management",
        "eventID": "ce59873d-6a27-4fa4-afc1-088fceba71e4",
        "eventName": "GetParameters",
        "eventSource": "ssm.amazonaws.com",
        "eventTime": "2025-02-14 19:42:57.000000000",
        "eventType": "AwsApiCall",
        "eventVersion": "1.11",
        "managementEvent": true,
        "readOnly": true,
        "recipientAccountId": "111122223333",
        "requestID": "b6cb0ea5-2366-47c3-a4e5-acc31bc6882a",
        "requestParameters": {
          "names": [
            "/credentials/stratus-red-team/credentials-10",
            "/credentials/stratus-red-team/credentials-11",
            "/credentials/stratus-red-team/credentials-12",
            "/credentials/stratus-red-team/credentials-15",
            "/credentials/stratus-red-team/credentials-24",
            "/credentials/stratus-red-team/credentials-30",
            "/credentials/stratus-red-team/credentials-31",
            "/credentials/stratus-red-team/credentials-32",
            "/credentials/stratus-red-team/credentials-36",
            "/credentials/stratus-red-team/credentials-40",
            "/credentials/stratus-red-team/credentials-41"
          ]
        },
        "resources": [
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-10"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-11"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-12"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-15"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-24"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-30"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-31"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-32"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-36"
          },
          {
            "accountId": "111122223333",
            "arn": "arn:aws:ssm:us-west-2:111122223333:parameter/credentials/stratus-red-team/credentials-40"
          }
        ],
        "sourceIPAddress": "1.2.3.4",
        "tlsDetails": {
          "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
          "clientProvidedHostHeader": "ssm.us-west-2.amazonaws.com",
          "tlsVersion": "TLSv1.2"
        },
        "userAgent": "example-user-agent",
        "userIdentity": {
          "accessKeyId": "EXAMPLE_ACCESS_KEY",
          "accountId": "111122223333",
          "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/bobson.dugnutt",
          "principalId": "SAMPLE_PRINCIPAL_ID:bobson.dugnutt",
          "sessionContext": {
            "attributes": {
              "creationDate": "2025-02-14T19:42:05Z",
              "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
              "accountId": "111122223333",
              "arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole",
              "principalId": "SAMPLE_PRINCIPAL_ID",
              "type": "Role",
              "userName": "SampleRole"
            }
          },
          "type": "AssumedRole"
        }
      }
  - Name: Unrelated Event
    ExpectedResult: false
    Log:
      {
        "awsRegion": "us-west-2",
        "eventCategory": "Management",
        "eventID": "6c6de06f-eb03-44cd-a95f-928a780ce28a",
        "eventName": "DescribeParameters",
        "eventSource": "ssm.amazonaws.com",
        "eventTime": "2025-02-14 19:43:07.000000000",
        "eventType": "AwsApiCall",
        "eventVersion": "1.11",
        "managementEvent": true,
        "readOnly": true,
        "recipientAccountId": "111122223333",
        "requestID": "9ea104aa-d9af-415f-9c56-b7bb98c7c73f",
        "requestParameters": {
          "parameterFilters": [
            {
              "key": "Name",
              "option": "Equals",
              "values": [
                "/credentials/stratus-red-team/credentials-1"
              ]
            }
          ]
        },
        "sourceIPAddress": "1.2.3.4",
        "tlsDetails": {
          "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
          "clientProvidedHostHeader": "ssm.us-west-2.amazonaws.com",
          "tlsVersion": "TLSv1.2"
        },
        "userAgent": "example-user-agent",
        "userIdentity": {
          "accessKeyId": "EXAMPLE_ACCESS_KEY",
          "accountId": "111122223333",
          "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/bobson.dugnutt",
          "principalId": "SAMPLE_PRINCIPAL_ID:bobson.dugnutt",
          "sessionContext": {
            "attributes": {
              "creationDate": "2025-02-14T19:42:05Z",
              "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
              "accountId": "111122223333",
              "arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole",
              "principalId": "SAMPLE_PRINCIPAL_ID",
              "type": "Role",
              "userName": "SampleRole"
            }
          },
          "type": "AssumedRole"
        }
      }
```
Detection logic
Condition
eventName in ["GetParameter", "GetParameters"]
requestParameters.withDecryption is_not_null
userIdentity.sessionContext.sessionIssuer.userName not is_not_null
This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract.
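The imperative part the parser could not extract, as an added example that is not Panther's own aws_ssm_decrypt_ssm_params.py: it re-creates the counting the page's tests exercise (a per-principal running set of decrypted parameter names kept through get_string_set/put_string_set and compared against the threshold of 25) with an in-memory stand-in for Panther's KV-store helpers, a hypothetical admin-role allow-list, and a constructed event builder. That the rule fires on strictly more than 25 distinct parameters is an assumption consistent with the page's tests, each of which reaches 26.

```python
# Added example, not Panther's own aws_ssm_decrypt_ssm_params.py: the counting logic the page's tests exercise.
from collections import defaultdict

THRESHOLD = 25                                    # the rule's Threshold; firing on ">" is an assumption
ADMIN_ROLE_NAMES = {"ExampleSecretsRotatorRole"}  # hypothetical allow-list of known bulk readers
_CACHE = defaultdict(set)                         # in-memory stand-in for Panther's KV-store helpers

def get_string_set(key):
    return set(_CACHE[key])

def put_string_set(key, values):
    _CACHE[key] = set(values)

def accessed_parameters(event):
    """Parameter names from either request form: GetParameter (name) or GetParameters (names)."""
    params = event.get("requestParameters") or {}
    if "names" in params:
        return [n for n in params["names"] if n]
    return [params["name"]] if params.get("name") else []

def cache_key(event):
    return "ssm-decrypt:" + str((event.get("userIdentity") or {}).get("arn"))

def rule(event):
    if event.get("eventName") not in ("GetParameter", "GetParameters"):
        return False
    if not (event.get("requestParameters") or {}).get("withDecryption"):
        return False                              # reads without decryption never expose SecureStrings
    session = (event.get("userIdentity") or {}).get("sessionContext") or {}
    if (session.get("sessionIssuer") or {}).get("userName") in ADMIN_ROLE_NAMES:
        return False                              # known administrative roles are filtered out
    seen = get_string_set(cache_key(event)) | set(accessed_parameters(event))
    put_string_set(cache_key(event), seen)        # running set of distinct decrypted parameters
    return len(seen) > THRESHOLD

def alert_context(event):
    return {"accessedParams": sorted(get_string_set(cache_key(event)))}

def make_event(event_name, params, role="SampleRole", decrypt=True):
    """Constructed minimal CloudTrail record carrying only the fields the rule reads."""
    request = {"name": params[0]} if event_name == "GetParameter" else {"names": list(params)}
    if decrypt:
        request["withDecryption"] = True
    return {"eventName": event_name, "requestParameters": request,
            "userIdentity": {"arn": f"arn:aws:sts::111122223333:assumed-role/{role}/bobson.dugnutt",
                             "sessionContext": {"sessionIssuer": {"userName": role}}}}
```

Replaying the page's first test means seeding the cache for the principal with 25 names and then feeding one GetParameter event; the same principal then carries 26 names in accessedParams.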
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
| userIdentity.sessionContext.sessionIssuer.userName | is_not_null | |
Indicators
Each row is a field, operator, and value that the rule matches.
| Field | Kind | Values |
|---|---|---|
| eventName | in | GetParameter, GetParameters |
| requestParameters.withDecryption | is_not_null | |
Output fields
Fields the rule emits when it matches.
| Field |
|---|
| eventName |
| eventSource |
| awsRegion |
| recipientAccountId |
| sourceIPAddress |
| userAgent |
| userIdentity |
| actor_user |