Bedrock API keys linked to IAM users are evaluated for excessive permissions, including policies that grant full access (* or bedrock:*) or enable privilege escalation. The finding highlights keys whose attached or inline policies provide broad or escalating capabilities.
Risk
Over-privileged Bedrock API keys weaken confidentiality, integrity, and availability. If compromised, an attacker could:
- Escalate IAM rights and persist access
- Invoke models at scale to exfiltrate data or incur high costs
- Modify Bedrock settings, disrupting operations
Run this check with Prowler CLI
prowler aws --checks bedrock_api_key_no_administrative_privileges
Recommendation
Enforce least privilege on Bedrock keys:
- Avoid wildcards like * and bedrock:*; allow only required actions
- Prevent identity changes by disallowing iam:*
- Prefer short-term credentials with rotation and MFA
- Use permissions boundaries and SCPs as guardrails
- Review usage and tighten policies via access analysis
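As an added illustration (not Prowler's or AWS's own code) of the patterns this check and the recommendation name, the following script classifies the policy documents attached to the IAM user behind a Bedrock API key. The sample policies are constructed; the "AmazonBedrockFullAccess-style" document only imitates the bedrock:* grant mentioned above, and the Allow+NotAction heuristic is an extra caveat beyond what the page lists.

```python
"""Offline classifier for over-privileged Bedrock API key owners (added example)."""

FULL_ACCESS = {"*", "bedrock:*"}   # wildcards the check treats as full access
ESCALATION = {"iam:*"}             # identity-changing rights the recommendation disallows


def _as_list(value):
    """IAM JSON allows a bare string or a list in Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Return findings for one policy document; an empty list means it is clean."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if "NotAction" in stmt:
            # Assumption beyond the page: Allow + NotAction grants every action
            # not listed, so it is treated as a broad grant.
            findings.append("Allow with NotAction grants everything not excluded")
            continue
        for action in _as_list(stmt.get("Action", [])):
            name = action.lower()  # IAM action names are case-insensitive
            if name in FULL_ACCESS:
                findings.append(f"full access via {action}")
            elif name in ESCALATION:
                findings.append(f"privilege escalation via {action}")
    return findings


def key_findings(user_policies):
    """Evaluate (name, document) pairs for the key's user; empty dict == PASS."""
    result = {}
    for name, document in user_policies:
        hits = policy_findings(document)
        if hits:
            result[name] = hits
    return result


# Constructed sample: one attached bedrock:* policy, one inline iam:* policy,
# and the minimal bedrock:InvokeModel policy the remediation keeps.
SAMPLE_USER_POLICIES = [
    ("BedrockFullStyle", {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "bedrock:*", "Resource": "*"}]}),
    ("InlineAdmin", {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": ["iam:*", "sts:GetCallerIdentity"], "Resource": "*"}}),
    ("Minimal", {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "bedrock:InvokeModel",
         "Resource": "arn:aws:bedrock:us-east-1::foundation-model/*"}]}),
]

if __name__ == "__main__":
    for policy_name, hits in key_findings(SAMPLE_USER_POLICIES).items():
        print(f"FAIL {policy_name}: {', '.join(hits)}")
```

The documents to feed in would come from the user's attached and inline policies (the same ones the console steps under Remediation tell you to detach or delete).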
Remediation
CLI
aws iam delete-service-specific-credential --user-name <username> --service-specific-credential-id <credential-id>
Other
- Open the AWS Console and go to IAM > Users
- Select the user that owns the Bedrock service-specific credential (Security credentials > Service-specific credentials shows bedrock.amazonaws.com)
- In the Permissions tab, detach any policy granting AdministratorAccess or bedrock:* (e.g., AmazonBedrockFullAccess)
- In the same tab, delete any inline policy that provides admin/privilege-escalation permissions or bedrock:* access
- If Bedrock access is needed, add a minimal policy allowing only bedrock:InvokeModel
- Save changes
Resource Type
AwsIamAccessKey