EXPLORE
← Back to Explore
elastichighTTP

AWS Bedrock AgentCore Runtime Prompt Targeting Credentials or Instance Metadata

Identifies prompts sent to an Amazon Bedrock AgentCore runtime that attempt to harvest credentials or coerce the agent into exfiltrating data. The runtime application logs capture the caller-supplied prompt; this rule flags prompts that reference the cloud instance metadata service (169.254.169.254, the ECS task metadata address, or the "latest/meta-data" / "security-credentials" paths), prompts that name AWS access or secret keys directly, and prompt-injection or jailbreak language ("ignore previous instructions", "developer mode", "do anything now") combined with intent to reveal secrets, system prompts, or send data to an external endpoint. Asking an agent to read instance metadata credentials or to exfiltrate secrets is rarely legitimate and indicates an attempt to weaponize the agent for credential theft, even when the model refuses the request.

MITRE ATT&CK

credential-access

Detection Query

from logs-aws_bedrock_agentcore.runtime_application_logs-* metadata _id, _version, _index
| eval Esql_priv.aws_bedrock_agentcore_request_payload_prompt_lower = to_lower(aws.bedrock_agentcore.request_payload.prompt)
| where aws.bedrock_agentcore.operation == "InvokeAgentRuntime" and (
    Esql_priv.aws_bedrock_agentcore_request_payload_prompt_lower rlike """.*(169\.254\.169\.254|169\.254\.170\.2|/latest/meta-data|/latest/api/token|security-credentials).*"""
    or Esql_priv.aws_bedrock_agentcore_request_payload_prompt_lower rlike """.*(aws_secret_access_key|aws_access_key_id|secret access key|access key id).*"""
    or (
        Esql_priv.aws_bedrock_agentcore_request_payload_prompt_lower rlike """.*(ignore (all )?(your )?(previous|prior|above) instructions|disregard (your |the )?(previous |above )?instructions|developer mode|do anything now|jailbreak).*"""
        and Esql_priv.aws_bedrock_agentcore_request_payload_prompt_lower rlike """.*(system prompt|reveal|exfiltrate|credential|secret|password|api key|token|send .* to https?://).*"""
    )
  )
| keep _id, _version, _index, @timestamp, aws.*, cloud.*, event.*

Author

Elastic

Created

2026/07/08

Data Sources

AWSAmazon Web ServicesAmazon Bedrock

Tags

Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: Amazon BedrockUse Case: Threat DetectionTactic: Credential AccessResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/07/08"
integration = ["aws_bedrock_agentcore"]
maturity = "production"
updated_date = "2026/07/08"

[rule]
author = ["Elastic"]
description = """
Identifies prompts sent to an Amazon Bedrock AgentCore runtime that attempt to harvest credentials or coerce the agent
into exfiltrating data. The runtime application logs capture the caller-supplied prompt; this rule flags prompts that
reference the cloud instance metadata service (169.254.169.254, the ECS task metadata address, or the
"latest/meta-data" / "security-credentials" paths), prompts that name AWS access or secret keys directly, and
prompt-injection or jailbreak language ("ignore previous instructions", "developer mode", "do anything now") combined
with intent to reveal secrets, system prompts, or send data to an external endpoint. Asking an agent to read instance
metadata credentials or to exfiltrate secrets is rarely legitimate and indicates an attempt to weaponize the agent for
credential theft, even when the model refuses the request.
"""
false_positives = [
    """
    Security testing, red-team exercises, or guardrail validation may intentionally send prompt-injection or
    credential-harvesting payloads to an agent. Confirm the source session and caller, and exclude approved testing
    identities after validation.
    """,
    """
    Developer or documentation content that legitimately discusses the instance metadata service or AWS key formats
    could match. Review the prompt in "aws.bedrock_agentcore.request_payload.prompt" to confirm intent.
    """,
]
from = "now-30m"
interval = "10m"
language = "esql"
license = "Elastic License v2"
name = "AWS Bedrock AgentCore Runtime Prompt Targeting Credentials or Instance Metadata"
note = """## Triage and analysis

### Investigating AWS Bedrock AgentCore Runtime Prompt Targeting Credentials or Instance Metadata

Amazon Bedrock AgentCore runtimes execute agents that can call tools, run code, and reach network resources. A prompt that instructs the agent to read the cloud instance metadata service, return AWS credentials, or send data to an external endpoint is an attempt to turn the agent into a confused deputy for credential theft and exfiltration. The agent may refuse, but the attempt itself is a strong indicator of targeting; a more capable or misconfigured agent (one with code execution or outbound network access) could comply.

This rule inspects the caller-supplied prompt recorded in the AgentCore runtime application logs and fires on instance-metadata or credential-endpoint references, explicit AWS key references, or jailbreak/override language paired with secret-extraction or exfiltration intent.

### Possible investigation steps

- Review the full prompt in "aws.bedrock_agentcore.request_payload.prompt" to determine whether it targets instance metadata, names credentials, or attempts a jailbreak with exfiltration intent.
- Identify the agent in "aws.bedrock_agentcore.agent_name"/"aws.bedrock_agentcore.resource_arn" and the session in "aws.bedrock_agentcore.session_id"; pivot on the session for the surrounding prompts in the same conversation.
- Determine the caller path to the runtime (front-end application, gateway, or direct InvokeAgentRuntime) and whether the source is expected.
- Assess the agent's capabilities: whether it has code execution, outbound network access, or tools that could fetch metadata or reach external endpoints, which raises the impact if the agent had complied.
- Correlate with the execution role's activity in CloudTrail for any credential use outside the runtime around the same time.

### False positive analysis

- Security testing and guardrail validation can deliberately send these payloads. Confirm the caller and exclude approved testing identities after validation.
- Content that legitimately discusses the metadata service or AWS key formats can match; review the prompt to confirm intent.

### Response and remediation

- If the activity is unauthorized, identify the source application or identity driving the prompts and block it; review the conversation session for related attempts.
- Verify the agent did not return credentials or reach the metadata service; if the agent has code execution, ensure the instance metadata service requires session tokens (IMDSv2) and that the execution role is least privilege.
- Add or tune AgentCore guardrails to block instance-metadata and credential-exfiltration prompts, and monitor the agent's execution role for use outside the runtime.
"""
references = [
    "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/observability.html",
    "https://unit42.paloaltonetworks.com/bypass-of-aws-sandbox-network-isolation-mode/",
]
risk_score = 73
rule_id = "9c2f1d6a-4e8b-4c7a-9f3d-2b6e1a0c5d44"
setup = """This rule requires Amazon Bedrock AgentCore runtime application logs collected via the Elastic AWS Bedrock AgentCore integration (observability logs delivered to S3 and ingested into the aws_bedrock_agentcore.runtime_application_logs dataset). See https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/observability.html for enabling AgentCore observability."""
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: Amazon Bedrock",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-aws_bedrock_agentcore.runtime_application_logs-* metadata _id, _version, _index
| eval Esql_priv.aws_bedrock_agentcore_request_payload_prompt_lower = to_lower(aws.bedrock_agentcore.request_payload.prompt)
| where aws.bedrock_agentcore.operation == "InvokeAgentRuntime" and (
    Esql_priv.aws_bedrock_agentcore_request_payload_prompt_lower rlike """.*(169\.254\.169\.254|169\.254\.170\.2|/latest/meta-data|/latest/api/token|security-credentials).*"""
    or Esql_priv.aws_bedrock_agentcore_request_payload_prompt_lower rlike """.*(aws_secret_access_key|aws_access_key_id|secret access key|access key id).*"""
    or (
        Esql_priv.aws_bedrock_agentcore_request_payload_prompt_lower rlike """.*(ignore (all )?(your )?(previous|prior|above) instructions|disregard (your |the )?(previous |above )?instructions|developer mode|do anything now|jailbreak).*"""
        and Esql_priv.aws_bedrock_agentcore_request_payload_prompt_lower rlike """.*(system prompt|reveal|exfiltrate|credential|secret|password|api key|token|send .* to https?://).*"""
    )
  )
| keep _id, _version, _index, @timestamp, aws.*, cloud.*, event.*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.005"
name = "Cloud Instance Metadata API"
reference = "https://attack.mitre.org/techniques/T1552/005/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"