MITRE ATT&CK Technique
Description
Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault. Secrets managers support the secure centralized management of passwords, API keys, and other credential material. Where secrets managers are in use, cloud services can dynamically acquire credentials via API requests rather than accessing secrets insecurely stored in plain text files or environment variables. If an adversary is able to gain sufficient privileges in a cloud environment – for example, by obtaining the credentials of high-privileged [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004) or compromising a service that has permission to retrieve secrets – they may be able to request secrets from the secrets manager. This can be accomplished via commands such as `get-secret-value` in AWS, `gcloud secrets describe` in GCP, and `az key vault secret show` in Azure.(Citation: Permiso Scattered Spider 2023)(Citation: Sysdig ScarletEel 2.0 2023)(Citation: AWS Secrets Manager)(Citation: Google Cloud Secrets)(Citation: Microsoft Azure Key Vault) **Note:** this technique is distinct from [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005) in that the credentials are being directly requested from the cloud secrets manager, rather than through the medium of the instance metadata API.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2023-09-25T12:41:26.501Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may acquire credentials from cloud-native secret '
'management solutions such as AWS Secrets Manager, GCP Secret '
'Manager, Azure Key Vault, and Terraform Vault. \n'
'\n'
'Secrets managers support the secure centralized management of '
'passwords, API keys, and other credential material. Where '
'secrets managers are in use, cloud services can dynamically '
'acquire credentials via API requests rather than accessing '
'secrets insecurely stored in plain text files or environment '
'variables. \n'
'\n'
'If an adversary is able to gain sufficient privileges in a '
'cloud environment – for example, by obtaining the credentials '
'of high-privileged [Cloud '
'Accounts](https://attack.mitre.org/techniques/T1078/004) or '
'compromising a service that has permission to retrieve '
'secrets – they may be able to request secrets from the '
'secrets manager. This can be accomplished via commands such '
'as `get-secret-value` in AWS, `gcloud secrets describe` in '
'GCP, and `az key vault secret show` in Azure.(Citation: '
'Permiso Scattered Spider 2023)(Citation: Sysdig ScarletEel '
'2.0 2023)(Citation: AWS Secrets Manager)(Citation: Google '
'Cloud Secrets)(Citation: Microsoft Azure Key Vault)\n'
'\n'
'**Note:** this technique is distinct from [Cloud Instance '
'Metadata API](https://attack.mitre.org/techniques/T1552/005) '
'in that the credentials are being directly requested from the '
'cloud secrets manager, rather than through the medium of the '
'instance metadata API.',
'external_references': [{'external_id': 'T1555.006',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1555/006'},
{'description': 'Alessandro Brucato. (2023, July 11). '
'SCARLETEEL 2.0: Fargate, Kubernetes, '
'and Crypto. Retrieved September 25, '
'2023.',
'source_name': 'Sysdig ScarletEel 2.0 2023',
'url': 'https://sysdig.com/blog/scarleteel-2-0/'},
{'description': 'AWS. (n.d.). Retrieve secrets from '
'AWS Secrets Manager. Retrieved '
'September 25, 2023.',
'source_name': 'AWS Secrets Manager',
'url': 'https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html'},
{'description': 'Google Cloud. (n.d.). List secrets '
'and view secret details. Retrieved '
'September 25, 2023.',
'source_name': 'Google Cloud Secrets',
'url': 'https://cloud.google.com/secret-manager/docs/view-secret-details'},
{'description': 'Ian Ahl. (2023, September 20). '
'LUCR-3: SCATTERED SPIDER GETTING '
'SAAS-Y IN THE CLOUD. Retrieved '
'September 25, 2023.',
'source_name': 'Permiso Scattered Spider 2023',
'url': 'https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud'},
{'description': 'Microsoft. (2023, January 13). '
'Quickstart: Set and retrieve a '
'secret from Azure Key Vault using '
'Azure CLI. Retrieved September 25, '
'2023.',
'source_name': 'Microsoft Azure Key Vault',
'url': 'https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-cli'}],
'id': 'attack-pattern--cfb525cc-5494-401d-a82b-2539ca46a561',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'credential-access'}],
'modified': '2025-04-15T22:03:00.834Z',
'name': 'Cloud Secrets Management Stores',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Martin McCloskey, Datadog'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['IaaS'],
'x_mitre_version': '1.0'}