AWS Bedrock API Key Used for Destructive or Anti-Recovery Action

Identifies an Amazon Bedrock API key (bearer token) being used to perform a destructive or anti-recovery control-plane action, such as deleting a guardrail, deleting a custom or imported model, removing provisioned throughput, or disabling model invocation logging. Bedrock API keys are bearer credentials intended for model invocation (InvokeModel, Converse); using one to delete Bedrock resources or disable logging is inconsistent with that purpose and is characteristic of LLMjacking or sabotage following key theft. Every Bedrock API key call is identifiable in CloudTrail by "additionalEventData.callWithBearerToken" being true. The rule matches regardless of outcome, because a destructive attempt via a bearer token is suspicious even when denied.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2026/07/06"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2026/07/06"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies an Amazon Bedrock API key (bearer token) being used to perform a destructive or anti-recovery control-plane
 11action, such as deleting a guardrail, deleting a custom or imported model, removing provisioned throughput, or disabling
 12model invocation logging. Bedrock API keys are bearer credentials intended for model invocation (InvokeModel, Converse);
 13using one to delete Bedrock resources or disable logging is inconsistent with that purpose and is characteristic of
 14LLMjacking or sabotage following key theft. Every Bedrock API key call is identifiable in CloudTrail by
 15"additionalEventData.callWithBearerToken" being true. The rule matches regardless of outcome, because a destructive
 16attempt via a bearer token is suspicious even when denied.
 17"""
 18false_positives = [
 19    """
 20    Automation that intentionally manages Bedrock resources using an API key could match. Confirm the principal in
 21    "aws.cloudtrail.user_identity.arn", the affected resource in "aws.cloudtrail.request_parameters", and whether the
 22    change was expected. Known maintenance principals can be excluded after validation.
 23    """,
 24]
 25from = "now-30m"
 26language = "esql"
 27license = "Elastic License v2"
 28name = "AWS Bedrock API Key Used for Destructive or Anti-Recovery Action"
 29note = """## Triage and analysis
 30
 31### Investigating AWS Bedrock API Key Used for Destructive or Anti-Recovery Action
 32
 33Amazon Bedrock API keys are bearer tokens created for model invocation. In CloudTrail, every request made with one carries "additionalEventData.callWithBearerToken" set to true, which distinguishes it from a standard SigV4-signed call. The AmazonBedrockLimitedAccess policy attached to Bedrock API key phantom users also permits destructive Bedrock control-plane actions, so a stolen or misused key can delete guardrails and models or disable logging.
 34
 35Using an API key to delete guardrails, custom or imported models, or provisioned throughput, or to disable model invocation logging, is inconsistent with the credential's purpose. It is characteristic of LLMjacking operations (which frequently disable guardrails and logging) or of sabotage following credential theft.
 36
 37### Possible investigation steps
 38
 39- Identify the specific action in "event.action" and the affected resource in "aws.cloudtrail.request_parameters".
 40- Identify the principal in "aws.cloudtrail.user_identity.arn"/"aws.cloudtrail.user_identity.type" and review "source.ip", "source.as.number", and "user_agent.original"; generic HTTP clients (python-requests, aiohttp, curl) are a further LLMjacking indicator.
 41- Review the same principal's other Bedrock API key activity for model-invocation spikes, cross-region use, or additional destructive actions.
 42- Determine whether model invocation logging or guardrails were disabled, and when, to scope any window of reduced visibility.
 43
 44### False positive analysis
 45
 46- Sanctioned automation may manage Bedrock resources with an API key. Confirm the principal and change, and exclude known maintenance identities after validation.
 47
 48### Response and remediation
 49
 50- If unauthorized, revoke the Bedrock API key (attach an inline deny on "bedrock:CallWithBearerToken" to the phantom user or deactivate the service-specific credential) and restore the deleted resource or re-enable logging.
 51- Check the phantom user for IAM access keys created as a persistence pivot and revoke them.
 52- Review the principal's recent activity and prefer short-term keys or STS going forward.
 53"""
 54references = [
 55    "https://www.beyondtrust.com/blog/entry/aws-bedrock-security-guide-api-keys-detection-response",
 56    "https://www.beyondtrust.com/blog/entry/aws-bedrock-security-api-keys",
 57    "https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys.html",
 58]
 59risk_score = 73
 60rule_id = "89b68231-5134-4499-8eca-20e5d9c90cce"
 61setup = "This rule requires AWS CloudTrail logs ingested via the Elastic AWS integration. See https://docs.elastic.co/integrations/aws/cloudtrail for setup details."
 62severity = "high"
 63tags = [
 64    "Domain: Cloud",
 65    "Data Source: AWS",
 66    "Data Source: Amazon Web Services",
 67    "Data Source: AWS CloudTrail",
 68    "Data Source: Amazon Bedrock",
 69    "Use Case: Threat Detection",
 70    "Tactic: Impact",
 71    "Tactic: Defense Evasion",
 72    "Resources: Investigation Guide",
 73]
 74timestamp_override = "event.ingested"
 75type = "esql"
 76query = '''
 77FROM logs-aws.cloudtrail-* METADATA _id, _version, _index
 78| WHERE event.provider == "bedrock.amazonaws.com"
 79    AND aws.cloudtrail.additional_eventdata RLIKE """.*callWithBearerToken=true.*"""
 80    AND event.action IN (
 81        "DeleteGuardrail",
 82        "DeleteModelInvocationLoggingConfiguration",
 83        "PutModelInvocationLoggingConfiguration",
 84        "DeleteImportedModel",
 85        "DeleteCustomModel",
 86        "DeleteModelCustomizationJob",
 87        "DeleteProvisionedModelThroughput",
 88        "DeleteMarketplaceModelEndpoint"
 89    )
 90| KEEP _id, _version, _index, @timestamp, aws.*, cloud.*, event.*, source.*, user.*, user_agent.*
 91'''
 92
 93
 94[[rule.threat]]
 95framework = "MITRE ATT&CK"
 96[[rule.threat.technique]]
 97id = "T1485"
 98name = "Data Destruction"
 99reference = "https://attack.mitre.org/techniques/T1485/"
100
101[rule.threat.tactic]
102id = "TA0040"
103name = "Impact"
104reference = "https://attack.mitre.org/tactics/TA0040/"
105
106[[rule.threat]]
107framework = "MITRE ATT&CK"
108[[rule.threat.technique]]
109id = "T1562"
110name = "Impair Defenses"
111reference = "https://attack.mitre.org/techniques/T1562/"
112[[rule.threat.technique.subtechnique]]
113id = "T1562.001"
114name = "Disable or Modify Tools"
115reference = "https://attack.mitre.org/techniques/T1562/001/"
116
117[rule.threat.tactic]
118id = "TA0005"
119name = "Defense Evasion"
120reference = "https://attack.mitre.org/tactics/TA0005/"

Triage and analysis

Investigating AWS Bedrock API Key Used for Destructive or Anti-Recovery Action

Amazon Bedrock API keys are bearer tokens created for model invocation. In CloudTrail, every request made with one carries "additionalEventData.callWithBearerToken" set to true, which distinguishes it from a standard SigV4-signed call. The AmazonBedrockLimitedAccess policy attached to Bedrock API key phantom users also permits destructive Bedrock control-plane actions, so a stolen or misused key can delete guardrails and models or disable logging.

Using an API key to delete guardrails, custom or imported models, or provisioned throughput, or to disable model invocation logging, is inconsistent with the credential's purpose. It is characteristic of LLMjacking operations (which frequently disable guardrails and logging) or of sabotage following credential theft.

Possible investigation steps

  • Identify the specific action in "event.action" and the affected resource in "aws.cloudtrail.request_parameters".
  • Identify the principal in "aws.cloudtrail.user_identity.arn"/"aws.cloudtrail.user_identity.type" and review "source.ip", "source.as.number", and "user_agent.original"; generic HTTP clients (python-requests, aiohttp, curl) are a further LLMjacking indicator.
  • Review the same principal's other Bedrock API key activity for model-invocation spikes, cross-region use, or additional destructive actions.
  • Determine whether model invocation logging or guardrails were disabled, and when, to scope any window of reduced visibility.

False positive analysis

  • Sanctioned automation may manage Bedrock resources with an API key. Confirm the principal and change, and exclude known maintenance identities after validation.

Response and remediation

  • If unauthorized, revoke the Bedrock API key (attach an inline deny on "bedrock:CallWithBearerToken" to the phantom user or deactivate the service-specific credential) and restore the deleted resource or re-enable logging.
  • Check the phantom user for IAM access keys created as a persistence pivot and revoke them.
  • Review the principal's recent activity and prefer short-term keys or STS going forward.

References

Related rules

to-top