
Releases: BeyondTrust/bedrock-keys-security

v1.0.0

26 Feb 20:34

Bedrock API Keys Security Toolkit

Security toolkit for AWS Bedrock API keys. Discover phantom IAM users, decode leaked keys, automate cleanup, and enforce preventive controls.

Why this exists

When a user creates a Bedrock API key, AWS silently provisions an IAM user (named BedrockAPIKey-xxxx) with bedrock:*, iam:ListRoles, kms:DescribeKey, and ec2:Describe* permissions. These phantom users are never cleaned up automatically, so they form an expanding attack surface that most organizations do not know exists.

Features

  • Scan your account for phantom IAM users and categorize risk (ACTIVE, ORPHANED, AT RISK)
  • Clean up orphaned phantom users, with dry-run support
  • Revoke compromised keys with an inline deny policy in a single operation
  • Build a timeline of CloudTrail activity for incident response
  • Report full incident details for a specific phantom user
  • Decode leaked keys offline to extract account ID, username, and region
  • 4 Service Control Policies for organizational enforcement
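As an added illustration of the revoke feature above (example code, not the toolkit's own implementation), the snippet below selects phantom users by the BedrockAPIKey- naming pattern and attaches an explicit Deny inline policy through the boto3 IAM client's put_user_policy call, with a dry-run mode that builds the document without sending it. The policy name bks-revoke-deny is an assumed placeholder, and the client is passed in so the function can be exercised offline with a stub.

```python
import json
from typing import Any, Dict, List

PHANTOM_PREFIX = "BedrockAPIKey-"       # naming pattern of the phantom IAM users
REVOKE_POLICY_NAME = "bks-revoke-deny"  # assumed placeholder policy name


def build_revoke_policy() -> Dict[str, Any]:
    """Inline policy document that explicitly denies every action.

    An explicit Deny wins over any Allow already attached to the phantom user,
    so a leaked key stops working as soon as the policy is attached, without
    first having to enumerate and delete the user's credentials.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "RevokeLeakedBedrockKey",
                       "Effect": "Deny", "Action": "*", "Resource": "*"}],
    }


def find_phantom_users(users: List[Dict[str, Any]]) -> List[str]:
    """Filter one page of iam.list_users()['Users'] down to phantom user names."""
    return [u["UserName"] for u in users
            if u.get("UserName", "").startswith(PHANTOM_PREFIX)]


def revoke_phantom_user(iam, user_name: str, dry_run: bool = True) -> Dict[str, Any]:
    """Attach the deny policy to one phantom user via iam.put_user_policy.

    Refuses to touch users outside the phantom naming pattern, so a typo cannot
    lock out a human user. With dry_run=True the document is built and returned
    but no API call is made.
    """
    if not user_name.startswith(PHANTOM_PREFIX):
        raise ValueError(f"refusing to revoke non-phantom user {user_name!r}")
    document = json.dumps(build_revoke_policy())
    if not dry_run:
        # Real boto3 IAM client signature: put_user_policy(UserName, PolicyName, PolicyDocument)
        iam.put_user_policy(UserName=user_name, PolicyName=REVOKE_POLICY_NAME,
                            PolicyDocument=document)
    return {"user": user_name, "policy": REVOKE_POLICY_NAME,
            "applied": not dry_run, "document": document}


if __name__ == "__main__":
    # Against a live account: import boto3; iam = boto3.client("iam")
    # Here a constructed list_users() page is used so the script runs offline.
    sample_users = [{"UserName": "BedrockAPIKey-ab12"}, {"UserName": "alice"}]
    for name in find_phantom_users(sample_users):
        print(revoke_phantom_user(iam=None, user_name=name, dry_run=True))
```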

Install

pip install bedrock-keys-security
bks --version

Quick start

bks scan                    # discover phantom users
bks scan --json             # machine-readable output
bks cleanup --dry-run       # preview cleanup
bks decode-key "ABSK..."   # decode a leaked key (offline)

Links