I have created a cloudtrail for my secrets manager to actively monitor whenever a user retrieves a secret.
I can see that it is working in cloudtrail via the bottom snippet.
I have configured my cloudtrail as below.
I have created a rule in eventbridge to essentially accept everything
But I am not getting any events when I am retrieving a secret.
According to the AWS documentation
Events from API actions that start with the keywords List, Get, or Describe are not processed by EventBridge, with the exception of events from the following STS actions: GetFederationToken and GetSessionToken.
As a result, EventBridge won't process GetSecretValue events as it starts with the keyword Get.
However, whenever someone tries to retrieve the secret value, behind the scenes Secrets Manager calls KMS to decrypt the secret value. So, you can rely on KMS API events to track the secret value access.
{
    "source": ["aws.kms"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["kms.amazonaws.com"],
        "eventName": ["Decrypt"],
        "userIdentity": {
            "invokedBy": ["secretsmanager.amazonaws.com"]
        }
    }
}
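To see why this rule fires on a Secrets Manager read but not on a direct KMS call or on the GetSecretValue event itself, here is an added example (not part of the answer above): a small Python matcher that applies the same EventBridge pattern semantics (a list means "any of these values", a nested object recurses) to constructed CloudTrail-shaped events, plus a Lambda-style handler that turns a match into an alert record. The sample events, ARNs and account number are constructed; the assumption that Secrets Manager passes the secret ARN in the KMS request's encryptionContext under the key SecretARN is marked in the code.

```python
"""Added example: EventBridge-style pattern matching for Secrets Manager reads
observed through KMS Decrypt events. All events below are constructed samples,
not real CloudTrail output."""

# The rule pattern from the answer above.
RULE_PATTERN = {
    "source": ["aws.kms"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["kms.amazonaws.com"],
        "eventName": ["Decrypt"],
        "userIdentity": {"invokedBy": ["secretsmanager.amazonaws.com"]},
    },
}


def matches(pattern, event):
    """Subset of EventBridge pattern semantics: every key in the pattern must be
    present in the event; a list matches if the event value is one of its
    entries; a nested dict is matched recursively."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            return False
    return True


def secret_access_alert(event):
    """Return an alert record for a matching event, or None.
    Assumption: Secrets Manager includes the secret ARN in the Decrypt
    request's encryptionContext under the key "SecretARN"."""
    if not matches(RULE_PATTERN, event):
        return None
    detail = event["detail"]
    ctx = detail.get("requestParameters", {}).get("encryptionContext", {})
    return {
        "secret_arn": ctx.get("SecretARN", "unknown"),
        "principal": detail.get("userIdentity", {}).get("arn", "unknown"),
        "source_ip": detail.get("sourceIPAddress"),
        "time": detail.get("eventTime"),
    }


def triage(events):
    """Lambda-style loop: collect alerts for every event that matches the rule."""
    return [a for a in (secret_access_alert(e) for e in events) if a is not None]


# Constructed sample events in the EventBridge envelope format.
SAMPLE_EVENTS = [
    # 1. The GetSecretValue call itself: EventBridge does not deliver Get* events,
    #    and even if it did, the rule's source/eventName would not match.
    {
        "source": "aws.secretsmanager",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": "secretsmanager.amazonaws.com",
            "eventName": "GetSecretValue",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        },
    },
    # 2. The KMS Decrypt that Secrets Manager performs on the user's behalf: matches.
    {
        "source": "aws.kms",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": "kms.amazonaws.com",
            "eventName": "Decrypt",
            "eventTime": "2024-01-01T12:00:00Z",
            "sourceIPAddress": "secretsmanager.amazonaws.com",
            "userIdentity": {
                "type": "IAMUser",
                "arn": "arn:aws:iam::111122223333:user/alice",
                "invokedBy": "secretsmanager.amazonaws.com",
            },
            "requestParameters": {
                "encryptionContext": {
                    "SecretARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:example-AbCdEf",
                    "SecretVersionId": "00000000-0000-0000-0000-000000000000",
                }
            },
        },
    },
    # 3. A direct KMS Decrypt by a user (no invokedBy): not a secret read, no match.
    {
        "source": "aws.kms",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": "kms.amazonaws.com",
            "eventName": "Decrypt",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
        },
    },
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Only the second sample produces an alert; the direct Decrypt by a user is deliberately excluded by the invokedBy condition, so the rule reports secret reads rather than every use of the key. If you want to track the secret by name rather than by ARN, the encryption context is the place to look, since the KMS event carries no Secrets Manager request parameters of its own.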