From dbacc1c71594c7a19654cd049c0cc918acdcdd1c Mon Sep 17 00:00:00 2001 From: bryans3c Date: Mon, 6 Jul 2026 12:16:02 +0200 Subject: [PATCH 1/2] [New Rule] AWS Bedrock API Key Phantom User Activity Outside Bedrock --- ...phantom_user_activity_outside_bedrock.toml | 97 +++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 rules/integrations/aws/privilege_escalation_bedrock_phantom_user_activity_outside_bedrock.toml diff --git a/rules/integrations/aws/privilege_escalation_bedrock_phantom_user_activity_outside_bedrock.toml b/rules/integrations/aws/privilege_escalation_bedrock_phantom_user_activity_outside_bedrock.toml new file mode 100644 index 00000000000..14e4aa9b7f8 --- /dev/null +++ b/rules/integrations/aws/privilege_escalation_bedrock_phantom_user_activity_outside_bedrock.toml @@ -0,0 +1,97 @@ +[metadata] +creation_date = "2026/07/06" +integration = ["aws"] +maturity = "production" +updated_date = "2026/07/06" + +[rule] +author = ["Elastic"] +description = """ +Identifies an Amazon Bedrock API key phantom user (an IAM user whose name starts with "BedrockAPIKey-") acting as the +caller of a non-Bedrock API request, such as IAM, STS, EC2, VPC, or KMS calls. These users are provisioned by AWS to back +a Bedrock bearer token and carry the AmazonBedrockLimitedAccess managed policy, which also grants IAM, VPC, and KMS +reconnaissance. A phantom user performing activity outside of Bedrock indicates its credentials are being used beyond +their intended scope, which is the privilege-escalation path realized: an attacker who created standard IAM access keys +for the phantom user is now using them for reconnaissance or lateral movement outside the Bedrock authentication boundary. +""" +false_positives = [ + """ + Bedrock API key phantom users are not intended to perform non-Bedrock activity, so matches should be rare. If a phantom + user is deliberately repurposed for other tasks, confirm the principal in "aws.cloudtrail.user_identity.arn" and the + activity, and exclude the identity after validation. + """, +] +from = "now-30m" +language = "esql" +license = "Elastic License v2" +name = "AWS Bedrock API Key Phantom User Activity Outside Bedrock" +note = """## Triage and analysis + +### Investigating AWS Bedrock API Key Phantom User Activity Outside Bedrock + +Amazon Bedrock API key phantom users ("BedrockAPIKey-*") exist only to back a Bedrock bearer token and carry the AmazonBedrockLimitedAccess managed policy. That policy grants Bedrock control-plane actions plus IAM, VPC, and KMS reconnaissance, so if an attacker adds standard IAM access keys (or a console login) to the phantom user, those credentials can be used for reconnaissance and lateral movement well beyond Bedrock. + +This rule fires when a "BedrockAPIKey-*" user is the caller of an API request whose service is not Bedrock. Because the phantom user has no legitimate reason to act outside Bedrock, such activity is the privilege-escalation path realized. + +### Possible investigation steps + +- Review "aws.cloudtrail.user_identity.arn", "event.provider", and "event.action" to understand what non-Bedrock activity the phantom user performed. +- Inspect "source.ip"/"source.as.number" and "user_agent.original", and determine whether the phantom user holds IAM access keys or a login profile (the escalation pivot). +- Review the full sequence of the phantom user's actions for reconnaissance (IAM/EC2/STS enumeration) or attempts to access other resources. +- Correlate with the credential-addition event (CreateAccessKey/CreateLoginProfile on the same user). + +### False positive analysis + +- Phantom users are not meant to perform non-Bedrock activity, so this should be rare. Validate any intentional repurposing before excluding the identity. + +### Response and remediation + +- If unauthorized, disable and remove the phantom user's IAM access keys and login profile, and delete the phantom user after preserving forensic evidence. +- Review the account for resources the phantom user may have accessed or modified. +- Deploy an SCP denying "iam:CreateAccessKey" and "iam:CreateLoginProfile" on "arn:aws:iam::*:user/BedrockAPIKey-*" to prevent the pivot. +""" +references = [ + "https://www.beyondtrust.com/blog/entry/aws-bedrock-security-guide-api-keys-detection-response", + "https://www.beyondtrust.com/blog/entry/aws-bedrock-security-api-keys", + "https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys.html", +] +risk_score = 73 +rule_id = "56788ae8-794b-4ade-affd-534aa5c9e28d" +setup = "This rule requires AWS CloudTrail logs ingested via the Elastic AWS integration. See https://docs.elastic.co/integrations/aws/cloudtrail for setup details." +severity = "high" +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS IAM", + "Data Source: Amazon Bedrock", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", +] +type = "esql" + +query = ''' +FROM logs-aws.cloudtrail-* METADATA _id, _version, _index +| WHERE aws.cloudtrail.user_identity.arn RLIKE """.*:user/BedrockAPIKey-.*""" + AND event.provider != "bedrock.amazonaws.com" + AND event.provider != "signin.amazonaws.com" +| KEEP _id, _version, _index, @timestamp, aws.*, cloud.*, event.*, source.*, user.*, user_agent.* +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" From 98181bb3cf61d21ccee2292028f0e0d0c14a235f Mon Sep 17 00:00:00 2001 From: Bryan Porras Date: Mon, 6 Jul 2026 12:32:35 +0200 Subject: [PATCH 2/2] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- ...calation_bedrock_phantom_user_activity_outside_bedrock.toml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rules/integrations/aws/privilege_escalation_bedrock_phantom_user_activity_outside_bedrock.toml b/rules/integrations/aws/privilege_escalation_bedrock_phantom_user_activity_outside_bedrock.toml index 14e4aa9b7f8..e14cc6f1c2b 100644 --- a/rules/integrations/aws/privilege_escalation_bedrock_phantom_user_activity_outside_bedrock.toml +++ b/rules/integrations/aws/privilege_escalation_bedrock_phantom_user_activity_outside_bedrock.toml @@ -61,7 +61,9 @@ setup = "This rule requires AWS CloudTrail logs ingested via the Elastic AWS int severity = "high" tags = [ "Domain: Cloud", + "Domain: LLM", "Data Source: AWS", + "Data Source: AWS CloudTrail", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Data Source: Amazon Bedrock", @@ -69,6 +71,7 @@ tags = [ "Tactic: Privilege Escalation", "Resources: Investigation Guide", ] +timestamp_override = "event.ingested" type = "esql" query = '''