heroui logo

AWS Bedrock AgentCore Execution Role Used Outside Its Runtime

Elastic Detection Rules

View Source
Summary
Identifies an Amazon Bedrock AgentCore execution role (an AssumedRole identity whose role name begins with "AgentCore-" or contains "BedrockAgentCore") performing its first AWS API call to a service outside the Bedrock runtime. Bedrock AgentCore runtimes normally interact only with Bedrock inference, the AgentCore data-plane, and observability services (CloudWatch Logs, X-Ray, CloudWatch metrics). A first-time call to a non-Bedrock service indicates that the execution role’s temporary credentials may have been exfiltrated from the sandbox (e.g., via IMDS in the Code Interpreter environment) and are being used for reconnaissance, privilege escalation, or lateral movement. The signal is tied to the execution role’s identity in CloudTrail, with anomalous service usage (not the identity) serving as the detection signal. The rule is implemented by querying CloudTrail data (aws.cloudtrail) for an AssumedRole with an issuer ARN matching AgentCore-* or BedrockAgentCore*, a first-time (first observed) non-Bedrock event provider, and a successful action. It excludes calls to Bedrock-related providers to reduce false positives. The rule feeds into MITRE ATT&CK mappings for Privilege Escalation and Cloud Account/Cloud Instance Metadata exposure (Credential Access). It requires CloudTrail logs ingested via the Elastic AWS integration and can be tuned by adjusting the AgentCore role-name filter. If unauthorized, respond by revoking sessions, rotating credentials, and tightening least-privilege and network controls for the execution role.
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1078
  • T1078.004
  • T1552
  • T1552.005
Created: 2026-07-08