AWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key
Detects when an AWS principal using long-term IAM user credentials (AKIA* access key) enumerates available Bedrock foundation models and then invokes a model within the same 15-minute window. Most legitimate Bedrock workloads run under IAM roles with short-lived credentials; the combination of model enumeration followed by direct model invocation from a long-term IAM user key is unusual in production environments and consistent with an adversary using stolen credentials to discover and exploit available AI model capabilities. This pattern is associated with LLMjacking attacks where threat actors abuse compromised cloud credentials to run high-volume or high-cost model inference at the account owner's expense.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2026/06/05"
integration = ["aws"]
maturity = "production"
updated_date = "2026/06/05"

[rule]
author = ["Elastic"]
description = """
Detects when an AWS principal using long-term IAM user credentials (AKIA* access key) enumerates available Bedrock
foundation models and then invokes a model within the same 15-minute window. Most legitimate Bedrock workloads run under
IAM roles with short-lived credentials; the combination of model enumeration followed by direct model invocation from a
long-term IAM user key is unusual in production environments and consistent with an adversary using stolen credentials
to discover and exploit available AI model capabilities. This pattern is associated with LLMjacking attacks where threat
actors abuse compromised cloud credentials to run high-volume or high-cost model inference at the account owner's
expense.
"""
false_positives = [
    """
    First-time Bedrock onboarding by a developer using long-term IAM user credentials. Verify the requesting identity is
    a known engineer, the use case description is legitimate, and the model invocation follows expected application
    behavior. Consider migrating Bedrock workloads to IAM roles to eliminate this pattern.
    """,
]
from = "now-30m"
index = ["logs-aws.cloudtrail-*"]
interval = "10m"
language = "eql"
license = "Elastic License v2"
name = "AWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key"
note = """## Triage and analysis

### Investigating AWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key

This rule fires when the same long-term IAM user access key (AKIA*) calls `ListFoundationModels` and then
invokes a model within 15 minutes. This sequence — enumerate available models, then immediately use one — is
consistent with LLMjacking: an adversary using stolen IAM user credentials to discover and abuse available
AI model capabilities at the account owner's expense.

Long-term access keys (`AKIA*` prefix) belong to IAM users, not roles. Legitimate Bedrock workloads in
production almost always run under IAM roles with short-lived credentials. A long-term key performing both
model discovery and invocation is unusual and warrants investigation.

### Possible investigation steps

- **Identify the key and owner**: Review `aws.cloudtrail.user_identity.arn` and
  `aws.cloudtrail.user_identity.access_key_id`. Determine who owns the key and whether it is authorized for
  Bedrock usage.
- **Check for credential exposure**: Search for the access key in source code, CI/CD logs, and secret scanning
  alerts. A key used from an unexpected source IP is a strong indicator of compromise.
- **Examine the invocation**: Review `aws.cloudtrail.request_parameters` on the `InvokeModel` event to identify
  which model was invoked. Cross-reference with Bedrock invocation logs for prompt and response content.
- **Correlate source IP and user agent**: Confirm `source.ip` and `user_agent.original` match the key owner's
  expected environment. Residential IPs, VPNs, or unexpected tools are suspicious.
- **Look for volume**: Check whether this is the first invocation or part of a burst of `InvokeModel` calls.
  High-volume invocations following enumeration are a strong LLMjacking signal.

### False positive analysis

- **Developer testing**: Engineers using long-term IAM user keys for local Bedrock development may trigger this
  rule when they first explore available models. Validate against a known developer identity and source IP.
  Encourage migration to IAM roles for all Bedrock workloads.

### Response and remediation

- Immediately disable or rotate the access key if compromise is suspected.
- Review all Bedrock invocations made by the key before and after this event.
- Check whether the same key accessed other AWS services (S3, EC2, Secrets Manager).
- Enforce IAM roles for all Bedrock workloads and restrict long-term key usage via SCP.
"""
references = [
    "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_ListFoundationModels.html",
    "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_InvokeModel.html",
]
risk_score = 73
rule_id = "a17f2e5f-de52-49e8-9d86-ccfe91cd54d4"
severity = "high"
tags = [
    "Domain: Cloud",
    "Domain: LLM",
    "Data Source: Amazon Web Services",
    "Data Source: AWS",
    "Data Source: AWS CloudTrail",
    "Use Case: Identity and Access Audit",
    "Resources: Investigation Guide",
    "Tactic: Discovery",
    "Tactic: Initial Access",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
sequence by aws.cloudtrail.user_identity.access_key_id with maxspan=15m
  [any where data_stream.dataset == "aws.cloudtrail"
    and event.provider == "bedrock.amazonaws.com"
    and event.action == "ListFoundationModels"
    and event.outcome == "success"
    and aws.cloudtrail.user_identity.access_key_id like "AKIA*"]
  [any where data_stream.dataset == "aws.cloudtrail"
    and event.provider == "bedrock.amazonaws.com"
    and event.action : ("InvokeModel", "InvokeModelWithResponseStream", "Converse", "ConverseStream")
    and event.outcome == "success"]
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1526"
name = "Cloud Service Discovery"
reference = "https://attack.mitre.org/techniques/T1526/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.provider",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
    "aws.cloudtrail.additionalEventData.inputTokens",
    "aws.cloudtrail.additionalEventData.outputTokens"
]
Triage and analysis
Investigating AWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key
This rule fires when the same long-term IAM user access key (AKIA*) calls ListFoundationModels and then
invokes a model within 15 minutes. This sequence — enumerate available models, then immediately use one — is
consistent with LLMjacking: an adversary using stolen IAM user credentials to discover and abuse available
AI model capabilities at the account owner's expense.
Long-term access keys (AKIA* prefix) belong to IAM users, not roles. Legitimate Bedrock workloads in
production almost always run under IAM roles with short-lived credentials. A long-term key performing both
model discovery and invocation is unusual and warrants investigation.
Possible investigation steps
- Identify the key and owner: Review aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.access_key_id. Determine who owns the key and whether it is authorized for Bedrock usage.
- Check for credential exposure: Search for the access key in source code, CI/CD logs, and secret scanning alerts. A key used from an unexpected source IP is a strong indicator of compromise.
- Examine the invocation: Review aws.cloudtrail.request_parameters on the InvokeModel event to identify which model was invoked. Cross-reference with Bedrock invocation logs for prompt and response content.
- Correlate source IP and user agent: Confirm source.ip and user_agent.original match the key owner's expected environment. Residential IPs, VPNs, or unexpected tools are suspicious.
- Look for volume: Check whether this is the first invocation or part of a burst of InvokeModel calls. High-volume invocations following enumeration are a strong LLMjacking signal.
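The rule's sequence logic and the volume check from the steps above, replayed over raw CloudTrail records; this is an added example, not part of the Elastic rule. It uses raw CloudTrail field names (eventSource, eventName, userIdentity.accessKeyId, errorCode, sourceIPAddress) instead of the ECS fields in the query, and the sample records and key IDs are constructed.

```python
from datetime import datetime, timedelta

INVOKE = {"InvokeModel", "InvokeModelWithResponseStream", "Converse", "ConverseStream"}
MAXSPAN = timedelta(minutes=15)  # same window as the rule's maxspan

def _ok_bedrock(rec):
    # Assumption: errorCode appears only on failed calls, so its absence means success.
    return rec.get("eventSource") == "bedrock.amazonaws.com" and "errorCode" not in rec

def find_sequences(records):
    """One hit per AKIA key that lists models, then invokes one within MAXSPAN."""
    by_key = {}
    for rec in records:
        key = rec.get("userIdentity", {}).get("accessKeyId") or ""
        if key.startswith("AKIA") and _ok_bedrock(rec):
            ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_key.setdefault(key, []).append((ts, rec))
    hits = []
    for key, events in by_key.items():
        events.sort(key=lambda e: e[0])
        for ts, rec in events:
            if rec["eventName"] != "ListFoundationModels":
                continue
            invokes = [r for t, r in events
                       if r["eventName"] in INVOKE and ts <= t <= ts + MAXSPAN]
            if invokes:
                hits.append({
                    "access_key_id": key,
                    "enumerated_at": rec["eventTime"],
                    "invocations_in_window": len(invokes),  # burst size, for triage
                    "source_ips": sorted({r["sourceIPAddress"] for r in [rec, *invokes]}),
                })
                break  # one hit per key is enough to open an investigation
    return hits

def _rec(t, name, key, ip="198.51.100.7", **extra):
    return {"eventTime": f"2026-06-05T{t}Z", "eventSource": "bedrock.amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}, **extra}

SAMPLE = [  # constructed records and key IDs, not real CloudTrail data
    _rec("10:00:00", "ListFoundationModels", "AKIAEXAMPLE000000001"),
    _rec("10:03:10", "InvokeModel", "AKIAEXAMPLE000000001", ip="203.0.113.9"),
    _rec("10:04:00", "Converse", "AKIAEXAMPLE000000001", ip="203.0.113.9"),
    _rec("10:20:00", "InvokeModel", "AKIAEXAMPLE000000001"),  # outside the 15m window
    _rec("10:00:00", "ListFoundationModels", "ASIAEXAMPLE000000002"),  # temporary key
    _rec("10:01:00", "InvokeModel", "ASIAEXAMPLE000000002"),
    _rec("12:00:00", "ListFoundationModels", "AKIAEXAMPLE000000003"),
    _rec("12:01:00", "InvokeModel", "AKIAEXAMPLE000000003", errorCode="AccessDenied"),
]
```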
False positive analysis
- Developer testing: Engineers using long-term IAM user keys for local Bedrock development may trigger this rule when they first explore available models. Validate against a known developer identity and source IP. Encourage migration to IAM roles for all Bedrock workloads.
Response and remediation
- Immediately disable or rotate the access key if compromise is suspected.
- Review all Bedrock invocations made by the key before and after this event.
- Check whether the same key accessed other AWS services (S3, EC2, Secrets Manager).
- Enforce IAM roles for all Bedrock workloads and restrict long-term key usage via SCP.
Related rules
- AWS Bedrock Resource-Based Policy Modified or Deleted
- AWS Bedrock Unauthorized Resource-Based Policy Modification Attempt
- AWS Access Token Used from Multiple Addresses
- AWS Bedrock Third-Party or External Knowledge Base Associated to Agent
- AWS Bedrock Knowledge Base or RAG Data Source Tampering