AWS Bedrock AgentCore Execution Role Used Outside Its Runtime

Last updated 11 days ago on 2026-07-08
Created 11 days ago on 2026-07-08

About

Identifies an Amazon Bedrock AgentCore execution role (an AssumedRole identity whose role name begins with "AgentCore-" or contains "BedrockAgentCore") making an AWS API call to a service it has not previously called. AgentCore runtimes normally interact only with Bedrock inference, AgentCore data-plane, and observability services (CloudWatch Logs, X-Ray, CloudWatch metrics), so an execution role suddenly calling STS, EC2, IAM, Secrets Manager, or other services is a strong indicator that the role's temporary credentials were exfiltrated from the agent's microVM (for example, via the Code Interpreter instance-metadata-service credential theft) and are being used outside the runtime for reconnaissance, privilege escalation, or lateral movement. Because the stolen credentials are recorded in CloudTrail under the execution role's own identity, the anomalous service usage, not the identity, is the detectable signal.
Tags
Domain: CloudData Source: AWSData Source: AWS CloudTrailData Source: Amazon Web ServicesData Source: Amazon BedrockUse Case: Threat DetectionTactic: Privilege EscalationTactic: Credential AccessLanguage: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Privilege Escalation (TA0004)(external, opens in a new tab or window)

Credential Access (TA0006)(external, opens in a new tab or window)

False Positive Examples
An AgentCore agent that legitimately integrates with additional AWS services will produce a first-time service call for its execution role. Verify the role in "aws.cloudtrail.user_identity.session_context.session_issuer.arn", the action in "event.action" and "event.provider", and the origin in "source.ip" and "source.as.organization.name", and confirm the activity matches the agent's intended design. Known agent integrations can be excluded after validation.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-aws.cloudtrail-*
Related Integrations

aws(external, opens in a new tab or window)

Query
text code block:
data_stream.dataset: "aws.cloudtrail" and aws.cloudtrail.user_identity.type: "AssumedRole" and aws.cloudtrail.user_identity.session_context.session_issuer.arn: (*role/AgentCore-* or *role/*BedrockAgentCore*) and event.outcome: "success" and not event.provider: ( "bedrock.amazonaws.com" or "bedrock-runtime.amazonaws.com" or "bedrock-agentcore.amazonaws.com" or "bedrock-agentcore-control.amazonaws.com" or "logs.amazonaws.com" or "xray.amazonaws.com" or "monitoring.amazonaws.com" or "ecr.amazonaws.com" or "ecr-public.amazonaws.com" )

Install detection rules in Elastic Security

Detect AWS Bedrock AgentCore Execution Role Used Outside Its Runtime in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).