Amazon Bedrock API keys (IAM service-specific credentials) are evaluated for lifetime and expiration.
The finding identifies keys that are long-lived, set to expire far in the future, or configured to never expire, and distinguishes them from keys that have already expired.
Risk
Long-lived or non-expiring keys enable persistent access if compromised.
- Confidentiality: unauthorized inference and exposure of prompts/outputs
- Availability/Cost: uncontrolled usage and spend spikes
- Integrity: actions can continue without timely revocation or rotation
prowler aws --checks bedrock_api_key_no_long_term_credentials
Recommendation
Prefer short-term credentials and IAM roles; avoid keys configured to never expire.
Enforce least privilege, strict rotation, and automatic expiration for any long-term key. Store secrets securely, monitor with audit logs, and revoke unused or stale keys quickly.
Remediation
aws iam delete-service-specific-credential --user-name <username> --service-specific-credential-id <credential-id>
- Sign in to the AWS Management Console and open IAM
- Go to Users > select <example_resource_name> > Security credentials
- In "API keys for Amazon Bedrock", find the long-lived key that has not yet expired and click Delete
- Confirm deletion to remove the key (this removes the long-term credential so the check passes)
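The classification the check performs and the per-key remediation command above, worked through in one place as an added example (not Prowler's own code). It assumes a credential list shaped like the JSON that `aws iam list-service-specific-credentials` returns, including an `ExpirationDate` field; the sample records, the fixed clock and the 30-day "long-lived" threshold are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `aws iam list-service-specific-credentials
# --service-name bedrock.amazonaws.com` output (the ExpirationDate field name and
# all values are assumptions made for this example, not a real account's data).
SAMPLE_CREDENTIALS = [
    {"UserName": "alice", "ServiceSpecificCredentialId": "ACCA-EXAMPLE-1",
     "Status": "Active", "ExpirationDate": "2025-07-15T00:00:00+00:00"},  # short-lived
    {"UserName": "alice", "ServiceSpecificCredentialId": "ACCA-EXAMPLE-2",
     "Status": "Active", "ExpirationDate": "2030-01-01T00:00:00+00:00"},  # far future
    {"UserName": "bob", "ServiceSpecificCredentialId": "ACCA-EXAMPLE-3",
     "Status": "Active"},                                                 # never expires
    {"UserName": "bob", "ServiceSpecificCredentialId": "ACCA-EXAMPLE-4",
     "Status": "Active", "ExpirationDate": "2025-06-01T00:00:00+00:00"},  # already expired
]

NOW = datetime(2025, 7, 10, tzinfo=timezone.utc)  # fixed clock so results are reproducible
MAX_LIFETIME = timedelta(days=30)  # assumed "long-lived" threshold, not Prowler's own value


def classify_key(cred, now=NOW, max_lifetime=MAX_LIFETIME):
    """Return EXPIRED, NEVER_EXPIRES, LONG_LIVED or SHORT_LIVED for one key."""
    expires = cred.get("ExpirationDate")
    if expires is None:
        return "NEVER_EXPIRES"
    expires = datetime.fromisoformat(expires)  # ISO 8601 timestamp as the CLI emits it
    if expires <= now:
        return "EXPIRED"          # already dead: not a finding, but still worth cleaning up
    if expires - now > max_lifetime:
        return "LONG_LIVED"
    return "SHORT_LIVED"


def find_long_term_keys(creds, now=NOW, max_lifetime=MAX_LIFETIME):
    """Keys the check would flag: still valid, but long-lived or never expiring."""
    return [c for c in creds
            if classify_key(c, now, max_lifetime) in ("LONG_LIVED", "NEVER_EXPIRES")]


def remediation_command(cred):
    """The delete command from the Remediation section, filled in for one key."""
    return ("aws iam delete-service-specific-credential "
            f"--user-name {cred['UserName']} "
            f"--service-specific-credential-id {cred['ServiceSpecificCredentialId']}")


if __name__ == "__main__":
    for cred in find_long_term_keys(SAMPLE_CREDENTIALS):
        print(classify_key(cred), remediation_command(cred))
```

Feed it the real CLI output (parsed with `json.loads`) to get a reviewable list of delete commands per flagged key instead of acting on the whole account blindly.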
Resource Type
AwsIamUser