{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-bedrock/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Bedrock","AWS IAM","AWS STS","AWS EC2","AWS VPC","AWS KMS"],"_cs_severities":["high"],"_cs_tags":["cloud-security","privilege-escalation","aws","bedrock","iam"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis threat brief details a privilege escalation scenario involving the misuse of Amazon Bedrock API key phantom users within an AWS environment. These phantom users, identified by names starting with \u0026quot;BedrockAPIKey-\u0026quot;, are automatically provisioned by AWS to support Bedrock bearer tokens and come with the \u003ccode\u003eAmazonBedrockLimitedAccess\u003c/code\u003e managed policy. While this policy grants Bedrock control-plane actions, it also inadvertently allows reconnaissance capabilities across IAM, VPC, and KMS services. An attacker who has already gained initial access to the AWS account can exploit this by creating standard IAM access keys or a console login for these phantom users. Once these credentials are obtained, the attacker can leverage the phantom user's inherent permissions to perform reconnaissance, gather information, and potentially move laterally beyond the Bedrock authentication boundary, extending their access and control over the AWS infrastructure. This activity represents a realized privilege escalation, enabling broader access than initially intended for an inference-only Bedrock API key.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to an AWS account or role with permissions to create or modify IAM user credentials (e.g., \u003ccode\u003eiam:CreateAccessKey\u003c/code\u003e, \u003ccode\u003eiam:CreateLoginProfile\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker identifies an existing AWS Bedrock API key phantom user (an IAM user whose name starts with \u0026quot;BedrockAPIKey-*\u0026quot;).\u003c/li\u003e\n\u003cli\u003eAttacker creates new standard IAM access keys or a console login profile for the targeted \u0026quot;BedrockAPIKey-*\u0026quot; phantom user.\u003c/li\u003e\n\u003cli\u003eAttacker obtains the newly created IAM access keys or console login credentials.\u003c/li\u003e\n\u003cli\u003eAttacker uses the compromised \u0026quot;BedrockAPIKey-*\u0026quot; credentials to make API calls to non-Bedrock AWS services (e.g., IAM, EC2, STS, VPC, KMS) for reconnaissance and enumeration of resources.\u003c/li\u003e\n\u003cli\u003eBased on the information gathered during reconnaissance, the attacker performs lateral movement, accesses sensitive resources, or exfiltrates data from the AWS environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf this attack succeeds, an attacker can significantly expand their foothold within an AWS environment. By leveraging the \u003ccode\u003eAmazonBedrockLimitedAccess\u003c/code\u003e policy, which includes reconnaissance permissions for IAM, VPC, and KMS, the attacker can enumerate critical cloud resources and identify potential targets for further compromise. This bypasses the intended scope of the Bedrock API key, allowing unauthorized access to services and data beyond Bedrock. The consequence can range from unauthorized data exposure and modification to complete compromise of critical cloud infrastructure, leading to operational disruption, financial loss, and compliance failures. The attack can affect any AWS account using Bedrock API keys where the ability to create new credentials for phantom users is not adequately restricted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS Bedrock API Key Phantom User Activity Outside Bedrock\u0026quot; to your SIEM to detect when \u003ccode\u003eBedrockAPIKey-*\u003c/code\u003e users make API calls to non-Bedrock services.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts from the Sigma rule by reviewing \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e, \u003ccode\u003eevent.provider\u003c/code\u003e, and \u003ccode\u003eevent.action\u003c/code\u003e to understand the scope of the non-Bedrock activity.\u003c/li\u003e\n\u003cli\u003eInspect \u003ccode\u003esource.ip\u003c/code\u003e and \u003ccode\u003euser_agent.original\u003c/code\u003e for reported phantom user activity to identify the source of the anomalous calls and determine if standard IAM access keys or a login profile are being used.\u003c/li\u003e\n\u003cli\u003eCorrelate anomalous phantom user activity with \u003ccode\u003eCreateAccessKey\u003c/code\u003e or \u003ccode\u003eCreateLoginProfile\u003c/code\u003e events for the same \u003ccode\u003eBedrockAPIKey-*\u003c/code\u003e user to identify the escalation pivot.\u003c/li\u003e\n\u003cli\u003eIf unauthorized activity is confirmed, disable and remove the phantom user's IAM access keys and login profile.\u003c/li\u003e\n\u003cli\u003eDeploy AWS Service Control Policies (SCPs) to deny \u003ccode\u003eiam:CreateAccessKey\u003c/code\u003e and \u003ccode\u003eiam:CreateLoginProfile\u003c/code\u003e actions on resources matching the \u003ccode\u003earn:aws:iam::*:user/BedrockAPIKey-*\u003c/code\u003e pattern to prevent this privilege escalation path.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T21:46:12Z","date_published":"2026-07-08T21:46:12Z","id":"https://feed.craftedsignal.io/briefs/2026-07-aws-bedrock-phantom-user-activity/","summary":"An Amazon Bedrock API key phantom user (IAM user starting with 'BedrockAPIKey-*') performing non-Bedrock API calls, such as to IAM, STS, EC2, VPC, or KMS, indicates credential misuse and realized privilege escalation by an attacker using added standard IAM access keys for reconnaissance or lateral movement beyond the intended Bedrock authentication boundary.","title":"AWS Bedrock API Key Phantom User Activity Outside Bedrock","url":"https://feed.craftedsignal.io/briefs/2026-07-aws-bedrock-phantom-user-activity/"}],"language":"en","title":"CraftedSignal Threat Feed - AWS Bedrock","version":"https://jsonfeed.org/version/1.1"}