
AWS Bedrock AgentCore Runtime Prompt Targeting Credentials or Instance Metadata
Elastic Detection Rules
View SourceSummary
This rule detects prompt-based targeting of credentials or credential-related exfiltration attempts against Amazon Bedrock AgentCore runtimes. It inspects the caller-supplied prompt captured in the AgentCore runtime logs (aws.bedrock_agentcore.request_payload.prompt) and triggers when the runtime is invoked (InvokeAgentRuntime) with prompts that (a) reference the cloud instance metadata service endpoints (e.g., 169.254.169.254, ECS/task metadata addresses, or paths like /latest/meta-data and /security-credentials), (b) explicitly name AWS access keys or secret keys, or (c) combine jailbreak/prompt-injection language (e.g., “ignore previous instructions”, “developer mode”, “do anything now”) with intent to reveal secrets, access system prompts, or exfiltrate data. The rule models credential-access risk via MITRE ATT&CK mappings (T1552.005 Cloud Instance Metadata API under TA0006). It serves as a guardrail against weaponizing Bedrock agents for credential theft, even if the model refuses the request. False positives can arise from legitimate security testing or documentation content mentioning metadata or AWS key formats; contextual review of the prompt and source session is recommended. Remediation guidance emphasizes blocking unauthorized prompts, validating the originating identity, ensuring least-privilege execution, enabling IMDSv2 protections, and tightening guardrails to deter metadata access or exfiltration attempts.
Categories
- Cloud
- AWS
Data Sources
- Application Log
- Cloud Service
ATT&CK Techniques
- T1552
- T1552.005
Created: 2026-07-08