The Phantom of the Infrastructure: Investigating the Hidden IAM Risks in Bedrock API Keys
Sergio Garcia
BSides Seattle 2026 · Day 2 · Track 1
Sergio Garcia, a security researcher at BeyondTrust and former founding engineer at Prowler, reveals a significant security design flaw in **Amazon Bedrock API Keys** -- a new credential type AWS launched in July 2025 to simplify AI development. When a user generates a long-term Bedrock API key, AWS silently creates a hidden IAM user (a "phantom user") with permissions far exceeding what the "limited access" policy name suggests, including admin-level Bedrock permissions and a full reconnaissance toolkit covering IAM roles, KMS keys, VPCs, subnets, and security groups.
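The core of the talk is the gap between what the policy attached to the phantom user is called and what it allows. As an added example (not the talk's tooling or AWS code), the following audit reads an IAM policy document and reports what it actually grants: wildcard actions on all resources and read access to services useful for account reconnaissance. The policy document, the user records and the RECON_SERVICES set are constructed stand-ins modelled on the talk's description, not the real AWS managed policy or real phantom user names.

```python
import json
from collections import defaultdict

# Constructed sample policy modelled on the talk's description of the
# "limited access" policy: admin-level Bedrock plus IAM/KMS/VPC reads.
# It is NOT the real AWS managed policy document.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["bedrock:*"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:ListRoles", "iam:GetRole",
                    "kms:ListKeys", "kms:DescribeKey",
                    "ec2:DescribeVpcs", "ec2:DescribeSubnets",
                    "ec2:DescribeSecurityGroups"],
         "Resource": "*"},
    ],
}

# Services whose list/describe calls hand an attacker a map of the account.
# Assumption: this set is my own choice, not something the talk defines.
RECON_SERVICES = {"iam", "kms", "ec2"}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise."""
    return value if isinstance(value, list) else [value]


def audit_policy(doc):
    """Summarise what a policy document allows, regardless of its name."""
    by_service = defaultdict(set)
    wildcard_actions = []
    for stmt in _as_list(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            by_service[service].add(verb)
            if "*" in action and "*" in resources:
                wildcard_actions.append(action)
    recon = sorted(s for s in by_service if s in RECON_SERVICES)
    findings = []
    if wildcard_actions:
        findings.append(f"wildcard actions on all resources: {wildcard_actions}")
    if recon:
        findings.append(f"reconnaissance read access to: {recon}")
    return {"services": sorted(by_service), "wildcard_actions": wildcard_actions,
            "recon_services": recon, "findings": findings}


def flag_phantom_users(users):
    """users: [{"name": str, "attached_policies": {policy_name: document}}].
    Returns (user, policy, findings) where a 'limited' policy grants more than its name implies."""
    return [(u["name"], pname, audit_policy(pdoc)["findings"])
            for u in users for pname, pdoc in u["attached_policies"].items()
            if "limited" in pname.lower() and audit_policy(pdoc)["findings"]]
```

In a live account the same two functions can be fed the output of `get_policy_version` for each policy attached to each IAM user; the point is to judge a policy by its statements, never by its name.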
AI review
Exceptional cloud security research that uncovers a significant design flaw in AWS Bedrock API keys: silent creation of persistent phantom IAM users with admin-level Bedrock permissions and network reconnaissance capabilities, disguised behind a 'limited access' policy name. Garcia delivers a complete package -- vulnerability discovery, key decoding methodology, attack chain demonstration, detection signatures, prevention SCPs, and open-source remediation tooling. The research already forced AWS to release new IAM condition keys in response.