Update aws-secrets-manager-privesc.md

carlospolop · web-flow · commit 9508f5048573 · 2025-10-04T11:03:30.000+02:00
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md
@@ -18,10 +18,11 @@ An attacker with this permission can get the **saved value inside a secret** in
 aws secretsmanager get-secret-value --secret-id <secret_name> # Get value
 ```
 
-`secretsmanager:BatchGetSecretValue` needs also `secretsmanager:GetSecretValue` to retrieve the secrets.
-
 **Potential Impact:** Access high sensitive data inside AWS secrets manager service.
 
+> [!WARNING]
+> Note that even with the `secretsmanager:BatchGetSecretValue` permission an atatcker would also need `secretsmanager:GetSecretValue` to retrieve the sensitive secrets.
+
 ### `secretsmanager:GetResourcePolicy`, `secretsmanager:PutResourcePolicy`, (`secretsmanager:ListSecrets`)
 
 With the previous permissions it's possible to **give access to other principals/accounts (even external)** to access the **secret**. Note that in order to **read secrets encrypted** with a KMS key, the user also needs to have **access over the KMS key** (more info in the [KMS Enum page](../aws-services/aws-kms-enum.md)).
