EXPLORE
← Back to Explore
elasticmediumTTP

AWS Bedrock Model Prompt or Completion Containing Credentials

Identifies an Amazon Bedrock model invocation whose prompt or completion contains an AWS access key identifier (AKIA long-term or ASIA temporary/STS, followed by 16 characters), an Amazon Bedrock API key (ABSK bearer token), or a PEM private-key block. Credentials in the model input mean an application or user is sending secrets to the model, exposing them to invocation logging, the model provider, and prompt history; credentials in the model output mean the model is emitting secrets, which can result from training-data leakage, poisoned context, or a prompt-injection-driven exfiltration attempt. Either case is a credential-exposure event that warrants immediate rotation of the affected secret.

MITRE ATT&CK

credential-access

Detection Query

from logs-aws_bedrock.invocation-* metadata _id, _version, _index
| where event.action in ("ConverseStream", "Converse") AND 
   ( gen_ai.prompt rlike """.*(AKIA|ASIA)[A-Z0-9]{16}.*"""
    or gen_ai.completion rlike """.*(AKIA|ASIA)[A-Z0-9]{16}.*"""
    or gen_ai.prompt rlike """.*-----BEGIN [A-Z ]*PRIVATE KEY-----.*"""
    or gen_ai.completion rlike """.*-----BEGIN [A-Z ]*PRIVATE KEY-----.*"""
    or gen_ai.prompt rlike """.*ABSK[A-Za-z0-9+/=]{20}.*"""
    or gen_ai.completion rlike """.*ABSK[A-Za-z0-9+/=]{20}.*"""
    or gen_ai.prompt rlike """.*gh[pousr]_[A-Za-z0-9]{36}.*"""
    or gen_ai.completion rlike """.*gh[pousr]_[A-Za-z0-9]{36}.*"""
    or gen_ai.prompt rlike """.*github_pat_[A-Za-z0-9_]+.*"""
    or gen_ai.completion rlike """.*github_pat_[A-Za-z0-9_]+.*"""
    or gen_ai.prompt rlike """.*glpat-[A-Za-z0-9_\\-]+.*"""
    or gen_ai.completion rlike """.*glpat-[A-Za-z0-9_\\-]+.*""")
| keep _id, _version, _index, @timestamp, gen_ai.*, aws_bedrock.*, user.*, cloud.*, event.*

Author

Elastic

Created

2026/07/08

Data Sources

AWS BedrockAmazon Web Services

Tags

Domain: LLMData Source: AWS BedrockData Source: Amazon Web ServicesUse Case: Threat DetectionMitre Atlas: LLM06Resources: Investigation GuideTactic: Credential Access
Raw Content
[metadata]
creation_date = "2026/07/08"
integration = ["aws_bedrock"]
maturity = "production"
updated_date = "2026/07/08"

[rule]
author = ["Elastic"]
description = """
Identifies an Amazon Bedrock model invocation whose prompt or completion contains an AWS access key identifier
(AKIA long-term or ASIA temporary/STS, followed by 16 characters), an Amazon Bedrock API key (ABSK bearer token),
or a PEM private-key block. Credentials in the model input mean an
application or user is sending secrets to the model, exposing them to invocation logging, the model provider, and
prompt history; credentials in the model output mean the model is emitting secrets, which can result from
training-data leakage, poisoned context, or a prompt-injection-driven exfiltration attempt. Either case is a
credential-exposure event that warrants immediate rotation of the affected secret.
"""
false_positives = [
    """
    Prompts or completions that reference example or documentation keys (for example the AWS sample access key ending
    in EXAMPLE) match the access-key pattern. Review the matched value in "gen_ai.prompt" or "gen_ai.completion" and
    confirm whether it is a live credential before responding.
    """,
]
from = "now-60m"
interval = "10m"
language = "esql"
license = "Elastic License v2"
name = "AWS Bedrock Model Prompt or Completion Containing Credentials"
note = """## Triage and analysis

### Investigating AWS Bedrock Model Prompt or Completion Containing Credentials

Bedrock model invocation logging records the full request and response of each InvokeModel/Converse call. This rule scans the decoded prompt and completion for live-credential patterns: AWS access key IDs (AKIA/ASIA followed by 16 characters) and PEM private-key headers. A credential in the prompt indicates secrets are being sent to the model (and persisted in logs and, for hosted models, to the provider); a credential in the completion indicates the model returned a secret, which is a sign of training-data or context leakage or a successful prompt-injection exfiltration.

### Possible investigation steps

- Review the matched value in "gen_ai.prompt" and "gen_ai.completion" and confirm whether it is a live credential or an example/placeholder.
- Identify the caller in "user.id" and the model in "aws_bedrock.invocation.model_id", and determine which application generated the invocation.
- If the credential is in the completion, review the prompt for injection or data-exfiltration instructions and check the model's knowledge base or context sources.
- Determine the scope and privileges of the exposed credential to gauge impact.

### False positive analysis

- Example or documentation keys (such as the AWS EXAMPLE key) match the pattern. Confirm the value is a real credential before escalating.

### Response and remediation

- If the credential is live, rotate or deactivate it immediately and review CloudTrail for any use of it.
- Identify and fix the application path that placed the credential into the prompt, and add input/output filtering (such as a Bedrock guardrail with a sensitive-information policy) to prevent recurrence.
"""
references = [
    "https://www.beyondtrust.com/blog/entry/aws-bedrock-security-guide-api-keys-detection-response",
]
risk_score = 47
rule_id = "68521f99-9b4f-40ef-a4e7-4d74794852b2"
setup = "This rule requires Amazon Bedrock model invocation logs ingested via the Elastic AWS Bedrock integration, with text data delivery enabled in the Bedrock model-invocation-logging configuration."
severity = "medium"
tags = [
    "Domain: LLM",
    "Data Source: AWS Bedrock",
    "Data Source: Amazon Web Services",
    "Use Case: Threat Detection",
    "Mitre Atlas: LLM06",
    "Resources: Investigation Guide",
    "Tactic: Credential Access"
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-aws_bedrock.invocation-* metadata _id, _version, _index
| where event.action in ("ConverseStream", "Converse") AND 
   ( gen_ai.prompt rlike """.*(AKIA|ASIA)[A-Z0-9]{16}.*"""
    or gen_ai.completion rlike """.*(AKIA|ASIA)[A-Z0-9]{16}.*"""
    or gen_ai.prompt rlike """.*-----BEGIN [A-Z ]*PRIVATE KEY-----.*"""
    or gen_ai.completion rlike """.*-----BEGIN [A-Z ]*PRIVATE KEY-----.*"""
    or gen_ai.prompt rlike """.*ABSK[A-Za-z0-9+/=]{20}.*"""
    or gen_ai.completion rlike """.*ABSK[A-Za-z0-9+/=]{20}.*"""
    or gen_ai.prompt rlike """.*gh[pousr]_[A-Za-z0-9]{36}.*"""
    or gen_ai.completion rlike """.*gh[pousr]_[A-Za-z0-9]{36}.*"""
    or gen_ai.prompt rlike """.*github_pat_[A-Za-z0-9_]+.*"""
    or gen_ai.completion rlike """.*github_pat_[A-Za-z0-9_]+.*"""
    or gen_ai.prompt rlike """.*glpat-[A-Za-z0-9_\\-]+.*"""
    or gen_ai.completion rlike """.*glpat-[A-Za-z0-9_\\-]+.*""")
| keep _id, _version, _index, @timestamp, gen_ai.*, aws_bedrock.*, user.*, cloud.*, event.*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"