AWS Bedrock Agent Created by IAM User or Root

Status: production
Severity: low
Time window: 6m
Author: Elastic
Source: github.com/elastic/detection-rules

Identifies AWS Bedrock Agent creation performed directly by an IAM user or the root account. Bedrock Agents are autonomous AI systems that execute multi-step tasks, invoke Lambda action groups to call external APIs, and query knowledge bases. Adversaries with access to an AWS account can create rogue agents configured to exfiltrate data via action group Lambda functions, pivot to other services, or act as a persistent AI-driven command-and-control channel. This rule is scoped to IAMUser and Root identity types — AssumedRole sessions (which represent automated CI/CD pipelines and SSO-federated engineers) are excluded to avoid global false positives from legitimate deployment automation that varies widely across customer environments.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1505` Server Software Component

Event coverage

Provider	Event
AWS-bedrock	CreateAgent

Rule body elastic

[metadata]
creation_date = "2026/06/04"
integration = ["aws"]
maturity = "production"
updated_date = "2026/06/04"

[rule]
author = ["Elastic"]
description = """
Identifies AWS Bedrock Agent creation performed directly by an IAM user or the root account. Bedrock Agents are
autonomous AI systems that execute multi-step tasks, invoke Lambda action groups to call external APIs, and query
knowledge bases. Adversaries with access to an AWS account can create rogue agents configured to exfiltrate data via
action group Lambda functions, pivot to other services, or act as a persistent AI-driven command-and-control channel.
This rule is scoped to IAMUser and Root identity types — AssumedRole sessions (which represent automated CI/CD pipelines
and SSO-federated engineers) are excluded to avoid global false positives from legitimate deployment automation that
varies widely across customer environments.
"""
false_positives = [
    """
    Developers or administrators creating Bedrock agents interactively using personal IAM user credentials. This is the
    intended detection surface — validate the identity against known developer accounts and confirm the agent
    configuration (instruction, action groups, model) matches a known project.
    """,
]
from = "now-6m"
index = ["logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS Bedrock Agent Created by IAM User or Root"
note = """## Triage and analysis

### Investigating AWS Bedrock Agent Created by IAM User or Root

AWS Bedrock Agents can autonomously perform complex tasks by combining foundation models with action groups
(Lambda functions) and knowledge bases. A rogue agent could serve as a persistent AI-driven foothold, executing
attacker-controlled instructions via inference requests.

#### Possible investigation steps

- **Identity**: `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type`. This rule fires only
  for IAMUser or Root — both are direct human credentials, not automated pipeline roles. Confirm the user is
  known and authorized to create agents.

- **Agent configuration** in `aws.cloudtrail.request_parameters`:
  - `agentName` — does the name match known internal projects?
  - `foundationModel` — which model was selected? Expensive models (Claude Opus-class) indicate higher cost risk.
  - `instruction` — the system prompt. Adversarial, minimal, or exfiltration-oriented instructions are a red flag.
  - `actionGroupExecutor.lambda` — Lambda ARN presence means the agent can invoke external code.

- **Cross-account indicators**: Lambda ARNs in action groups belonging to a different account than
  `cloud.account.id` indicate external code execution capability.

- **Follow-on activity**: Look for `PrepareAgent`, `CreateAgentAlias`, `CreateAgentActionGroup`, or
  `AssociateAgentKnowledgeBase` from the same identity within the next hour.

### False positive analysis
- Developers creating agents interactively with personal IAM user credentials. Confirm the agent is for a known
  project and the IAM user is authorized. Production agent deployment should use IAM roles — personal key use
  is itself a misconfiguration worth noting.

### Response and remediation
- Delete the unauthorized agent using `DeleteAgent`.
- Review and remove associated action groups and aliases.
- Audit Lambda functions referenced in action group executors for malicious code.
- Restrict `bedrock:CreateAgent` to specific deployment roles via IAM policy or SCP.
"""
references = [
    "https://docs.aws.amazon.com/bedrock/latest/userguide/agents.html",
    "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_CreateAgent.html",
]
risk_score = 21
rule_id = "4e2dcdf4-f012-4b67-980b-1551b7149305"
severity = "low"
tags = [
    "Domain: Cloud",
    "Domain: LLM",
    "Data Source: AWS",
    "Data Source: AWS CloudTrail",
    "Data Source: Amazon Web Services",
    "Data Source: Amazon Bedrock",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset: "aws.cloudtrail"
    and event.provider: "bedrock.amazonaws.com"
    and event.action: "CreateAgent"
    and event.outcome: "success"
    and aws.cloudtrail.user_identity.type: ("IAMUser" or "Root")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1505"
name = "Server Software Component"
reference = "https://attack.mitre.org/techniques/T1505/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]

Stages and Predicates

Stage 1: `query`

data_stream.dataset: "aws.cloudtrail"
    and event.provider: "bedrock.amazonaws.com"
    and event.action: "CreateAgent"
    and event.outcome: "success"
    and aws.cloudtrail.user_identity.type: ("IAMUser" or "Root")

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`aws.cloudtrail.user_identity.type`	in	`IAMUser` `Root`
`data_stream.dataset`	eq	`aws.cloudtrail`
`event.action`	eq	`CreateAgent`
`event.outcome`	eq	`success`
`event.provider`	eq	`bedrock.amazonaws.com`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

AWS Bedrock Agent Created by IAM User or Root

MITRE ATT&CK coverage

Event coverage

Rule body elastic

Stages and Predicates

Stage 1: `query`

Indicators

Keyboard shortcuts

Search operators

AWS Bedrock Agent Created by IAM User or Root

MITRE ATT&CK coverage

Event coverage

Rule body elastic

Stages and Predicates

Stage 1: query

Indicators

Stage 1: `query`