AWS IAM Credentials Added to a Bedrock API Key Phantom User

Last updated 3 days ago on 2026-07-06
Created 3 days ago on 2026-07-06

About

Identifies standard IAM credentials being added to an Amazon Bedrock API key phantom user, whose user name starts with "BedrockAPIKey-": either a long-term access key (CreateAccessKey) or a console password / login profile (CreateLoginProfile, UpdateLoginProfile). When a long-term Bedrock API key is generated through the AWS Console, AWS silently provisions a "BedrockAPIKey-<id>" IAM user with the AmazonBedrockLimitedAccess managed policy. That user is intended only to back a Bedrock bearer token and should never hold standard programmatic keys or interactive console access. Adding either converts a Bedrock-scoped identity into general-purpose IAM credentials that inherit the policy's Bedrock control-plane and IAM, VPC, and KMS reconnaissance permissions and that persist after the Bedrock API key is revoked. This is the privilege-escalation and persistence pivot documented for Bedrock API key phantom users, and there is no legitimate workflow that produces it.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS IAMData Source: Amazon BedrockUse Case: Threat DetectionTactic: Privilege EscalationTactic: PersistenceLanguage: esql
Severity
high
Risk Score
73
MITRE ATT&CK™

Privilege Escalation (TA0004)(external, opens in a new tab or window)

Persistence (TA0003)(external, opens in a new tab or window)

False Positive Examples
There is no known legitimate workflow that adds IAM access keys or console login profiles to a Bedrock API key phantom user. Any match should be investigated. Confirm the actor in "aws.cloudtrail.user_identity.arn" and the target user in "aws.cloudtrail.request_parameters", and remove the credential if it was not expected.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

aws(external, opens in a new tab or window)

Query
text code block:
FROM logs-aws.cloudtrail-* METADATA _id, _version, _index | WHERE event.provider == "iam.amazonaws.com" AND event.action IN ("CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile") AND event.outcome == "success" AND user.target.name LIKE "BedrockAPIKey-*" | KEEP _id, _version, _index, @timestamp, aws.*, cloud.*, event.*, source.*, user.*, user_agent.*

Install detection rules in Elastic Security

Detect AWS IAM Credentials Added to a Bedrock API Key Phantom User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).