Amazon Bedrock console activity
Goal
Detect when there is an attempt to access console-only API calls with an access key.
Strategy
Monitor CloudTrail and detect when there is an attempt to make API calls to console-only APIs. This means they shouldn’t be originating from a long-term access key. Attackers target the AWS Bedrock service generally for the purpose of hosting their own LLM service using the victim’s resources.
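As an added illustration of this strategy (example code, not Datadog's rule logic), the function below scans CloudTrail records for Bedrock calls to console-only APIs, classifies the credential by access key ID prefix, and emits one finding per call made with a long-term key, skipping users already on a suppression list as in the triage steps. The console-only API name and the sample events are placeholders constructed for the example, since the page does not list the APIs.

```python
import json

# Placeholder: the page does not name the console-only Bedrock APIs.
CONSOLE_ONLY_BEDROCK_APIS = {"HypotheticalConsoleOnlyOperation"}

def credential_type(access_key_id):
    """Classify an AWS access key ID by its documented prefix."""
    if not access_key_id:
        return "none"
    if access_key_id.startswith("AKIA"):
        return "long-term"   # IAM user access key
    if access_key_id.startswith("ASIA"):
        return "temporary"   # STS session credentials
    return "unknown"

def detect(events, console_only_apis=CONSOLE_ONLY_BEDROCK_APIS, suppressed_arns=()):
    """One finding per Bedrock console-only call made with a long-term access key."""
    findings = []
    for evt in events:
        if evt.get("eventSource") != "bedrock.amazonaws.com":
            continue
        if evt.get("eventName") not in console_only_apis:
            continue
        ident = evt.get("userIdentity", {})
        arn = ident.get("arn", "")
        if arn in suppressed_arns:  # user confirmed legitimate during triage
            continue
        # Temporary (ASIA) credentials belong to a separate rule case the page
        # does not detail, so this example flags only long-term keys.
        if credential_type(ident.get("accessKeyId")) != "long-term":
            continue
        findings.append({"evt.name": evt["eventName"], "userIdentity.arn": arn,
                         "network.client.ip": evt.get("sourceIPAddress")})
    return findings

# Constructed sample CloudTrail records, not real data.
SAMPLE_EVENTS = [
    {"eventSource": "bedrock.amazonaws.com", "eventName": "HypotheticalConsoleOnlyOperation",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {
         "arn": "arn:aws:iam::123456789012:user/alice", "accessKeyId": "AKIAEXAMPLE00000001"}},
    {"eventSource": "bedrock.amazonaws.com", "eventName": "HypotheticalConsoleOnlyOperation",
     "sourceIPAddress": "203.0.113.11", "userIdentity": {
         "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob", "accessKeyId": "ASIAEXAMPLE00000002"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol", "accessKeyId": "AKIAEXAMPLE00000003"}},
]

if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

The finding keys mirror the template variables used in the triage steps, so the same values can be pasted into the user and IP investigation dashboards.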
Triage and response
- Determine if the API call ({{@evt.name}}) should have been made by the user ({{@userIdentity.arn}}) from this IP address ({{@network.client.ip}}).
- If the action is legitimate, consider including the user in a suppression list. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.
- If the action shouldn’t have happened:
  - Contact the user ({{@userIdentity.arn}}) and see if they made the API call.
  - Use the Cloud SIEM - User Investigation dashboard to see if the user {{@userIdentity.arn}} has taken other actions.
  - Use the Cloud SIEM - IP Investigation dashboard to see if there’s more traffic from the IP {{@network.client.ip}}.
- If the results of the triage indicate that an attacker has taken the action, initiate your company’s incident response process, as well as an investigation.
Changelog
- 11 Dec 2024 - Add case for temporary credentials.
- 6 October 2025 - Search for Bedrock-specific long term access keys