Merge pull request #217 from JaimePolop/master

carlospolop · web-flow · commit e9003a305019 · 2025-10-01T12:22:35.000+02:00
KMS DOS explanation
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md
@@ -30,6 +30,12 @@ aws secretsmanager put-secret-value \
 
 ### DoS Change KMS key
 
+If the attacker has the secretsmanager:UpdateSecret permission, they can configure the secret to use a KMS key owned by the attacker. That key is initially set up in such a way that anyone can access and use it, so updating the secret with the new key is possible. If the key was not accessible, the secret could not be updated.
+
+After changing the key for the secret, the attacker modifies the configuration of their key so that only they can access it. This way, in the subsequent versions of the secret, it will be encrypted with the new key, and since there is no access to it, the ability to retrieve the secret would be lost.
+
+It is important to note that this inaccessibility will only occur in later versions, after the content of the secret changes, since the current version is still encrypted with the original KMS key.
+
 ```bash
 aws secretsmanager update-secret \
     --secret-id MyTestSecret \
