[New Rule] AWS IAM Credentials Added to a Bedrock API Key Phantom User#6384
Open
bryans3c wants to merge 2 commits into
Open
[New Rule] AWS IAM Credentials Added to a Bedrock API Key Phantom User#6384bryans3c wants to merge 2 commits into
bryans3c wants to merge 2 commits into
Conversation
Contributor
Rule: New - GuidelinesThese guidelines serve as a reminder set of considerations when proposing a new rule. Documentation and Context
Rule Metadata Checks
New BBR Rules
Testing and Validation
|
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a new Elastic detection rule to identify high-confidence privilege escalation/persistence behavior in AWS: adding standard IAM credentials (access keys or login profile) to Bedrock API key “phantom users” (BedrockAPIKey-*) created by the AWS Console.
Changes:
- Introduces a new ES|QL CloudTrail rule targeting
CreateAccessKey,CreateLoginProfile, andUpdateLoginProfileagainstBedrockAPIKey-*users. - Provides investigation guidance, false-positive rationale, and response recommendations tailored to the Bedrock phantom-user pivot.
| | WHERE event.provider == "iam.amazonaws.com" | ||
| AND event.action IN ("CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile") | ||
| AND event.outcome == "success" | ||
| AND aws.cloudtrail.request_parameters RLIKE """.*userName=BedrockAPIKey-.*""" |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request
Issue link(s):
Summary - What I changed
Detects a standard IAM access key or console login profile being added to an Amazon Bedrock API key phantom user (BedrockAPIKey-*).
When a long-term Bedrock API key is created via the AWS Console, AWS silently provisions a BedrockAPIKey- IAM user with the AmazonBedrockLimitedAccess policy. That user exists only to back a bearer token and should never hold a standard access key or interactive login. Adding one converts a Bedrock-scoped identity into general-purpose IAM credentials that inherit the policy's broad Bedrock + IAM/VPC/KMS reconnaissance permissions and persist after the Bedrock key is revoked. There is no legitimate workflow that produces this, so it is near-zero false positive.
https://www.beyondtrust.com/blog/entry/aws-bedrock-security-api-keys
https://www.beyondtrust.com/blog/entry/aws-bedrock-security-guide-api-keys-detection-response
How To Test
Query can be used in TRADE stack and other telemetry stacks.
Checklist
bug,enhancement,schema,maintenance,Rule: New,Rule: Deprecation,Rule: Tuning,Hunt: New, orHunt: Tuningso guidelines can be generatedmeta:rapid-mergelabel if planning to merge within 24 hoursContributor checklist