Skip to main content

Secret Blast Radius

Secret blast radius answers: "If this secret is compromised, how much sensitive data is exposed?"

Standard scanners check if a secret is rotated. Stave checks if that secret is a master key to sensitive data — and how many principals have access to it.

The secret-to-data path

Principal → secretsmanager:GetSecretValue → DB Credentials → RDS (PHI)

A secret in Secrets Manager is a direct path to the data it unlocks. The number of principals who can read the secret determines the blast radius — each reader is a potential credential compromise path that bypasses IAM least privilege on the data resource itself.

How it works

The extractor identifies secrets, maps them to target resources, and counts the principals with secretsmanager:GetSecretValue:

properties:
secret:
kind: secret
blast_radius:
target_resource_id: "arn:aws:rds:us-east-1:123:db/prod"
target_sensitivity: phi
privileged_reader_count: 7
access_vector: cross_account
is_rotated: false

Controls

CTL.SECRET.BLAST.001 — Multiple readers targeting sensitive resource

Fires when: privileged_reader_count > 3
AND target_sensitivity in [phi, pii, confidential]
Severity: critical

Too many principals can read a secret that unlocks sensitive data. Each reader is an independent credential compromise vector.

Remediation: Reduce readers to minimum required. Use resource-based policies on the secret. Enable automatic rotation.

CTL.SECRET.BLAST.002 — Cross-account access to sensitive secret

Fires when: access_vector == "cross_account"
AND target_sensitivity in [phi, pii, confidential]
Severity: critical

A secret targeting sensitive data is readable from another AWS account, doubling the blast radius.

Remediation: Remove cross-account access. If required, restrict to specific role ARNs with external ID conditions.

Safety chain: compromised_secret_path

id: compromised_secret_path
controls:
- CTL.SECRET.BLAST.001
- CTL.SECRET.BLAST.002
- CTL.SECRETSMANAGER.ACCESS.001
escalation_threshold: 2
compound_severity: critical

Key files

FilePurpose
controls/secretsmanager/blast/CTL.SECRET.BLAST.001-002.yaml2 blast radius controls
chains/compromised_secret_path.yamlCompound chain definition