heroui logo

AWS IAM Credentials Added to a Bedrock API Key Phantom User

Elastic Detection Rules

View Source
Summary
This rule detects privilege escalation and persistence attempts when AWS IAM credentials are added to a Bedrock API key phantom user (usernames starting with BedrockAPIKey-). It watches CloudTrail IAM events CreateAccessKey, CreateLoginProfile, and UpdateLoginProfile with a target user name matching BedrockAPIKey-*, and requires a successful outcome. A Bedrock API key is meant to be bound to a bearer token and should not have long‑term keys or console login capabilities; when such credentials are added, the phantom user gains broad Bedrock control‑plane permissions (IAM, VPC, KMS reconnaissance) and can persist even after the API key is revoked. There is no legitimate workflow that creates these credentials for BedrockAPIKey- users. The rule relies on CloudTrail data ingested via the Elastic AWS integration to flag suspicious activity for investigation, triage, and remediation.
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1098
  • T1098.001
Created: 2026-07-06