
Summary
This rule detects misuse of an Amazon Bedrock API key phantom user (an IAM user named BedrockAPIKey-*) by identifying calls made outside the Bedrock service boundary. Bedrock API keys are backed by standard IAM keys and carry the AmazonBedrockLimitedAccess policy, which grants reconnaissance capabilities across Bedrock control-plane actions plus IAM, VPC, and KMS. If an attacker adds standard IAM access keys or a login profile to the phantom user and then uses them to call non-Bedrock APIs (such as IAM, STS, EC2, VPC, or KMS), the credentials are used beyond their intended Bedrock scope, representing a privilege-escalation path and potential lateral movement. The rule fires when CloudTrail data shows a BedrockAPIKey-* IAMUser calling a non-Bedrock provider, excluding benign no-op STS calls. Specifically, it looks for: aws.cloudtrail dataset with aws.cloudtrail.user_identity.type: IAMUser, user.name matching BedrockAPIKey-*, event.provider not in Bedrock-related providers, and event.action not in GetCallerIdentity/GetSessionToken/GetAccessKeyInfo. Excluding these no-ops reduces false positives from legitimate credential checks. The detection maps to MITRE ATT&CK technique T1078 (Valid Accounts) with subtechnique T1078.004 (Cloud Accounts) under Privilege Escalation, and is configured as a high-severity, risk-weighted alert. Investigation guidance includes reviewing event details (user_identity arn, event.provider, event.action), source IPs and user agents, and whether the phantom user has IAM access keys or a login profile. Correlate with any CreateAccessKey or CreateLoginProfile events for the same user. Remediation steps include disabling/removing the phantom user’s keys and login profile, deleting the phantom user after preserving forensics, and applying an SCP to prevent iam:CreateAccessKey and iam:CreateLoginProfile on BedrockAPIKey-* users. This rule requires CloudTrail data ingested via the Elastic AWS integration. False positives may occur from automation or SDKs performing benign non-Bedrock validation; such cases should be validated and sanctioned before marking as a real incident.
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
ATT&CK Techniques
- T1078
- T1078.004
Created: 2026-07-06