AWS Bedrock API Key Used for Destructive or Anti-Recovery Action
Identifies an Amazon Bedrock API key (bearer token) being used to perform a destructive or anti-recovery control-plane action, such as deleting a guardrail, deleting a custom or imported model, removing provisioned throughput, or disabling model invocation logging. Bedrock API keys are bearer credentials intended for model invocation (InvokeModel, Converse); using one to delete Bedrock resources or disable logging is inconsistent with that purpose and is characteristic of LLMjacking or sabotage following key theft. Every Bedrock API key call is identifiable in CloudTrail by "additionalEventData.callWithBearerToken" being true. The rule matches regardless of outcome, because a destructive attempt via a bearer token is suspicious even when denied.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/07/06"
3integration = ["aws"]
4maturity = "production"
5updated_date = "2026/07/06"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies an Amazon Bedrock API key (bearer token) being used to perform a destructive or anti-recovery control-plane
11action, such as deleting a guardrail, deleting a custom or imported model, removing provisioned throughput, or disabling
12model invocation logging. Bedrock API keys are bearer credentials intended for model invocation (InvokeModel, Converse);
13using one to delete Bedrock resources or disable logging is inconsistent with that purpose and is characteristic of
14LLMjacking or sabotage following key theft. Every Bedrock API key call is identifiable in CloudTrail by
15"additionalEventData.callWithBearerToken" being true. The rule matches regardless of outcome, because a destructive
16attempt via a bearer token is suspicious even when denied.
17"""
18false_positives = [
19 """
20 Automation that intentionally manages Bedrock resources using an API key could match. Confirm the principal in
21 "aws.cloudtrail.user_identity.arn", the affected resource in "aws.cloudtrail.request_parameters", and whether the
22 change was expected. Known maintenance principals can be excluded after validation.
23 """,
24]
25from = "now-30m"
26language = "esql"
27license = "Elastic License v2"
28name = "AWS Bedrock API Key Used for Destructive or Anti-Recovery Action"
29note = """## Triage and analysis
30
31### Investigating AWS Bedrock API Key Used for Destructive or Anti-Recovery Action
32
33Amazon Bedrock API keys are bearer tokens created for model invocation. In CloudTrail, every request made with one carries "additionalEventData.callWithBearerToken" set to true, which distinguishes it from a standard SigV4-signed call. The AmazonBedrockLimitedAccess policy attached to Bedrock API key phantom users also permits destructive Bedrock control-plane actions, so a stolen or misused key can delete guardrails and models or disable logging.
34
35Using an API key to delete guardrails, custom or imported models, or provisioned throughput, or to disable model invocation logging, is inconsistent with the credential's purpose. It is characteristic of LLMjacking operations (which frequently disable guardrails and logging) or of sabotage following credential theft.
36
37### Possible investigation steps
38
39- Identify the specific action in "event.action" and the affected resource in "aws.cloudtrail.request_parameters".
40- Identify the principal in "aws.cloudtrail.user_identity.arn"/"aws.cloudtrail.user_identity.type" and review "source.ip", "source.as.number", and "user_agent.original"; generic HTTP clients (python-requests, aiohttp, curl) are a further LLMjacking indicator.
41- Review the same principal's other Bedrock API key activity for model-invocation spikes, cross-region use, or additional destructive actions.
42- Determine whether model invocation logging or guardrails were disabled, and when, to scope any window of reduced visibility.
43
44### False positive analysis
45
46- Sanctioned automation may manage Bedrock resources with an API key. Confirm the principal and change, and exclude known maintenance identities after validation.
47
48### Response and remediation
49
50- If unauthorized, revoke the Bedrock API key (attach an inline deny on "bedrock:CallWithBearerToken" to the phantom user or deactivate the service-specific credential) and restore the deleted resource or re-enable logging.
51- Check the phantom user for IAM access keys created as a persistence pivot and revoke them.
52- Review the principal's recent activity and prefer short-term keys or STS going forward.
53"""
54references = [
55 "https://www.beyondtrust.com/blog/entry/aws-bedrock-security-guide-api-keys-detection-response",
56 "https://www.beyondtrust.com/blog/entry/aws-bedrock-security-api-keys",
57 "https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys.html",
58]
59risk_score = 73
60rule_id = "89b68231-5134-4499-8eca-20e5d9c90cce"
61setup = "This rule requires AWS CloudTrail logs ingested via the Elastic AWS integration. See https://docs.elastic.co/integrations/aws/cloudtrail for setup details."
62severity = "high"
63tags = [
64 "Domain: Cloud",
65 "Data Source: AWS",
66 "Data Source: Amazon Web Services",
67 "Data Source: AWS CloudTrail",
68 "Data Source: Amazon Bedrock",
69 "Use Case: Threat Detection",
70 "Tactic: Impact",
71 "Tactic: Defense Evasion",
72 "Resources: Investigation Guide",
73]
74timestamp_override = "event.ingested"
75type = "esql"
76query = '''
77FROM logs-aws.cloudtrail-* METADATA _id, _version, _index
78| WHERE event.provider == "bedrock.amazonaws.com"
79 AND aws.cloudtrail.additional_eventdata RLIKE """.*callWithBearerToken=true.*"""
80 AND event.action IN (
81 "DeleteGuardrail",
82 "DeleteModelInvocationLoggingConfiguration",
83 "PutModelInvocationLoggingConfiguration",
84 "DeleteImportedModel",
85 "DeleteCustomModel",
86 "DeleteModelCustomizationJob",
87 "DeleteProvisionedModelThroughput",
88 "DeleteMarketplaceModelEndpoint"
89 )
90| KEEP _id, _version, _index, @timestamp, aws.*, cloud.*, event.*, source.*, user.*, user_agent.*
91'''
92
93
94[[rule.threat]]
95framework = "MITRE ATT&CK"
96[[rule.threat.technique]]
97id = "T1485"
98name = "Data Destruction"
99reference = "https://attack.mitre.org/techniques/T1485/"
100
101[rule.threat.tactic]
102id = "TA0040"
103name = "Impact"
104reference = "https://attack.mitre.org/tactics/TA0040/"
105
106[[rule.threat]]
107framework = "MITRE ATT&CK"
108[[rule.threat.technique]]
109id = "T1562"
110name = "Impair Defenses"
111reference = "https://attack.mitre.org/techniques/T1562/"
112[[rule.threat.technique.subtechnique]]
113id = "T1562.001"
114name = "Disable or Modify Tools"
115reference = "https://attack.mitre.org/techniques/T1562/001/"
116
117[rule.threat.tactic]
118id = "TA0005"
119name = "Defense Evasion"
120reference = "https://attack.mitre.org/tactics/TA0005/"
Triage and analysis
Investigating AWS Bedrock API Key Used for Destructive or Anti-Recovery Action
Amazon Bedrock API keys are bearer tokens created for model invocation. In CloudTrail, every request made with one carries "additionalEventData.callWithBearerToken" set to true, which distinguishes it from a standard SigV4-signed call. The AmazonBedrockLimitedAccess policy attached to Bedrock API key phantom users also permits destructive Bedrock control-plane actions, so a stolen or misused key can delete guardrails and models or disable logging.
Using an API key to delete guardrails, custom or imported models, or provisioned throughput, or to disable model invocation logging, is inconsistent with the credential's purpose. It is characteristic of LLMjacking operations (which frequently disable guardrails and logging) or of sabotage following credential theft.
Possible investigation steps
- Identify the specific action in "event.action" and the affected resource in "aws.cloudtrail.request_parameters".
- Identify the principal in "aws.cloudtrail.user_identity.arn"/"aws.cloudtrail.user_identity.type" and review "source.ip", "source.as.number", and "user_agent.original"; generic HTTP clients (python-requests, aiohttp, curl) are a further LLMjacking indicator.
- Review the same principal's other Bedrock API key activity for model-invocation spikes, cross-region use, or additional destructive actions.
- Determine whether model invocation logging or guardrails were disabled, and when, to scope any window of reduced visibility.
False positive analysis
- Sanctioned automation may manage Bedrock resources with an API key. Confirm the principal and change, and exclude known maintenance identities after validation.
Response and remediation
- If unauthorized, revoke the Bedrock API key (attach an inline deny on "bedrock:CallWithBearerToken" to the phantom user or deactivate the service-specific credential) and restore the deleted resource or re-enable logging.
- Check the phantom user for IAM access keys created as a persistence pivot and revoke them.
- Review the principal's recent activity and prefer short-term keys or STS going forward.
References
Related rules
- AWS Bedrock Knowledge Base or RAG Data Source Tampering
- AWS Bedrock Automated Reasoning Safety Policy Tampering
- AWS Bedrock Guardrail Deleted or Weakened
- AWS Bedrock Model Invocation Logging Disabled or Modified
- AWS Bedrock Provisioned Model Throughput Tampering