EXPLORE
← Back to Explore
elastichighTTP

AWS Bedrock AgentCore Runtime Prompt Containing Credentials

Identifies prompts sent to an Amazon Bedrock AgentCore runtime that contain AWS access key identifiers (AKIA long-term or ASIA temporary/STS), Amazon Bedrock API keys (ABSK bearer tokens), or PEM-encoded private keys. The runtime application logs record the caller-supplied prompt; credentials embedded in a prompt are exposed to the model provider, persisted in observability logs, and may be returned in completions or used by downstream tools. This commonly indicates accidental secret leakage by a user or application, or an attempt to stage credentials for misuse through the agent. Secrets should never be passed to an agent in clear text.

MITRE ATT&CK

credential-access

Detection Query

from logs-aws_bedrock_agentcore.runtime_application_logs-* metadata _id, _version, _index
| where aws.bedrock_agentcore.operation == "InvokeAgentRuntime" and (
    aws.bedrock_agentcore.request_payload.prompt rlike """.*(AKIA|ASIA)[A-Z0-9]{16}.*"""
    or aws.bedrock_agentcore.request_payload.prompt rlike """.*-----BEGIN [A-Z ]*PRIVATE KEY-----.*"""
    or aws.bedrock_agentcore.request_payload.prompt rlike """.*ABSK[A-Za-z0-9+/=]{20}.*"""
    or aws.bedrock_agentcore.request_payload.prompt rlike """.*bedrock-api-key-[-A-Za-z0-9+/=._~:]{20,}.*"""
  )
| keep _id, _version, _index, @timestamp, aws.*, cloud.*, event.*

Author

Elastic

Created

2026/07/08

Data Sources

AWSAmazon Web ServicesAmazon Bedrock

Tags

Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: Amazon BedrockUse Case: Threat DetectionTactic: Credential AccessResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/07/08"
integration = ["aws_bedrock_agentcore"]
maturity = "production"
updated_date = "2026/07/08"

[rule]
author = ["Elastic"]
description = """
Identifies prompts sent to an Amazon Bedrock AgentCore runtime that contain AWS access key identifiers (AKIA long-term
or ASIA temporary/STS), Amazon Bedrock API keys (ABSK bearer tokens), or PEM-encoded private keys. The runtime application logs record the caller-supplied prompt; credentials
embedded in a prompt are exposed to the model provider, persisted in observability logs, and may be returned in
completions or used by downstream tools. This commonly indicates accidental secret leakage by a user or application,
or an attempt to stage credentials for misuse through the agent. Secrets should never be passed to an agent in clear
text.
"""
false_positives = [
    """
    Documentation, examples, or test content may include sample key material. Confirm whether the key is live by
    reviewing "aws.bedrock_agentcore.request_payload.prompt" and the originating session and application.
    """,
]
from = "now-30m"
interval = "10m"
language = "esql"
license = "Elastic License v2"
name = "AWS Bedrock AgentCore Runtime Prompt Containing Credentials"
note = """## Triage and analysis

### Investigating AWS Bedrock AgentCore Runtime Prompt Containing Credentials

Amazon Bedrock AgentCore runtime application logs capture the prompt supplied to the agent. When that prompt contains an AWS access key (AKIA/ASIA) or a PEM private key, the secret is exposed to the model provider and stored in observability logs, and it may be echoed in completions or consumed by the agent's tools. This usually reflects accidental leakage but can also be an attempt to stage credentials for abuse through the agent.

### Possible investigation steps

- Review "aws.bedrock_agentcore.request_payload.prompt" to identify the credential material and determine whether it is live.
- Identify the agent in "aws.bedrock_agentcore.agent_name"/"aws.bedrock_agentcore.resource_arn" and the conversation in "aws.bedrock_agentcore.session_id"; review surrounding prompts in the session.
- Determine the source application or identity invoking the runtime and whether passing secrets was intentional.
- If the key is an AWS access key, identify the IAM principal it belongs to and review its recent activity in CloudTrail for misuse.

### False positive analysis

- Sample or documentation key material can match. Confirm whether the credential is live before escalating.

### Response and remediation

- If the credential is live, rotate or revoke it immediately and review its activity for unauthorized use.
- Remove the secret from any retained logs or conversation stores where feasible, and notify the owning team.
- Educate users and applications to never pass secrets to agents in clear text, and consider input filtering or guardrails that block credential patterns.
"""
references = [
    "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/observability.html",
]
risk_score = 73
rule_id = "b3e1f7a2-9d4c-4e8a-8f2b-1c6d5a0e3f77"
setup = """This rule requires Amazon Bedrock AgentCore runtime application logs collected via the Elastic AWS Bedrock AgentCore integration (observability logs delivered to S3 and ingested into the aws_bedrock_agentcore.runtime_application_logs dataset). See https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/observability.html for enabling AgentCore observability."""
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: Amazon Bedrock",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-aws_bedrock_agentcore.runtime_application_logs-* metadata _id, _version, _index
| where aws.bedrock_agentcore.operation == "InvokeAgentRuntime" and (
    aws.bedrock_agentcore.request_payload.prompt rlike """.*(AKIA|ASIA)[A-Z0-9]{16}.*"""
    or aws.bedrock_agentcore.request_payload.prompt rlike """.*-----BEGIN [A-Z ]*PRIVATE KEY-----.*"""
    or aws.bedrock_agentcore.request_payload.prompt rlike """.*ABSK[A-Za-z0-9+/=]{20}.*"""
    or aws.bedrock_agentcore.request_payload.prompt rlike """.*bedrock-api-key-[-A-Za-z0-9+/=._~:]{20,}.*"""
  )
| keep _id, _version, _index, @timestamp, aws.*, cloud.*, event.*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"