
Check for Long-Term API Keys

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that long-term Amazon Bedrock API keys are detected and removed from your AWS account in order to prevent persistent credential exposure risks, as these keys have been observed leaking to public repositories and represent a critical security vulnerability.

Security

Programmatic access to the Amazon Bedrock API requires authentication with AWS credentials. Amazon Bedrock can generate dedicated API keys that are used as credentials when issuing API requests, and these keys can be integrated into your environment so that client tooling recognizes them automatically. Amazon Bedrock offers two types of API keys: short-term and long-term. Short-term keys are valid for up to 12 hours or for the length of the IAM session that generated them; they inherit that principal's permissions and are restricted to the region in which they were created. They are the preferred choice for production because their limited lifespan enforces regular credential rotation. Long-term keys, in contrast, offer a quick, one-click option for basic API access and are intended for first-time users exploring Bedrock without immediate IAM configuration. Favor short-term keys: they significantly reduce the security risk and the potential "blast radius" of a compromise, in line with AWS security best practices that call for temporary credentials over static, long-lived ones whenever possible, and they improve the overall security posture by minimizing exposure time.


Audit

To determine if long-term Amazon Bedrock API keys are available in your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Bedrock console available at https://console.aws.amazon.com/bedrock/.

03 In the left navigation panel, under Discover, select API keys.

04 Select the Long-term API keys tab and check the Long-term API keys section to determine if long-term API keys were generated for authentication to the Bedrock API. If one or more active API keys are listed in this section, long-term Amazon Bedrock API keys are available within your AWS cloud account. An active API key has the Status set to Active.

Using AWS CLI

01 Run the iam list-service-specific-credentials command (OSX/Linux/UNIX) to list all the long-term Amazon Bedrock API keys available within your AWS cloud account:

aws iam list-service-specific-credentials \
	--service-name bedrock.amazonaws.com \
	--all-users

02 The command output should return the requested service-specific information:

{
	"ServiceSpecificCredentials": [
		{
			"UserName": "BedrockAPIKey-abcd",
			"Status": "Active",
			"ServiceCredentialAlias": "BedrockAPIKey-abcd-at-123456789012",
			"CreateDate": "2025-10-01T11:00:00+00:00",
			"ExpirationDate": "2026-10-01T11:00:00+00:00",
			"ServiceSpecificCredentialId": "ABCD1234ABCD1234ABCD1",
			"ServiceName": "bedrock.amazonaws.com"
		},
		{
			"UserName": "BedrockAPIKey-1234",
			"Status": "Active",
			"ServiceCredentialAlias": "BedrockAPIKey-1234-at-123456789012",
			"CreateDate": "2025-09-16T10:34:57+00:00",
			"ExpirationDate": "2125-12-16T10:34:57+00:00",
			"ServiceSpecificCredentialId": "1234ABCD1234ABCD1234A",
			"ServiceName": "bedrock.amazonaws.com"
		}
	]
}

If the iam list-service-specific-credentials command output returns one or more entries for the ServiceSpecificCredentials property, check the "Status" attribute value of each entry (i.e., each API key) to determine the key status. If one or more active API keys are returned, as in the example above, long-term Amazon Bedrock API keys are available within your AWS cloud account. An active API key has the "Status" set to "Active".

Remediation / Resolution

To prevent credential exposure, remove the long-term Amazon Bedrock API keys from your AWS account. To delete the long-term API keys, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Bedrock console available at https://console.aws.amazon.com/bedrock/.

03 In the left navigation panel, under Discover, select API keys.

04 Select the Long-term API keys tab to access the long-term API keys generated for authentication to the Bedrock API.

05 Select the long-term Amazon Bedrock API key that you want to remove, choose Actions, and select Delete. In the Delete confirmation box, type Confirm in the input text field, and choose Delete to remove the long-term API key from your AWS account. (Optional) AWS recommends deleting the IAM user that owns the API key if the user is not required for other operations. To remove the associated IAM user, choose Delete user in IAM, select Delete from the top-right menu, type confirm to confirm the removal, and choose Delete user to remove the associated IAM user.

06 Repeat step no. 5 to remove all long-term Amazon Bedrock API keys from your AWS account.

Using AWS CLI

01 Run the iam list-service-specific-credentials command, as shown in the Audit section, to get the service-specific credential ID and the name of the associated IAM user, then run the iam delete-service-specific-credential command (OSX/Linux/UNIX) to remove the specified long-term Amazon Bedrock API key from your AWS cloud account (the command does not produce an output):

aws iam delete-service-specific-credential \
	--user-name BedrockAPIKey-abcd \
	--service-specific-credential-id ABCD1234ABCD1234ABCD1

02 (Optional) AWS recommends deleting the IAM user that owns the API key if the user is not required for other operations. Run the iam detach-user-policy command (OSX/Linux/UNIX) to detach the managed policy that was attached to the associated IAM user at creation (i.e., the AmazonBedrockLimitedAccess policy):

aws iam detach-user-policy \
	--user-name BedrockAPIKey-abcd \
	--policy-arn arn:aws:iam::aws:policy/AmazonBedrockLimitedAccess

03 (Optional) Run the iam delete-user command (OSX/Linux/UNIX) to remove the IAM user associated with the specified long-term Amazon Bedrock API key from your AWS cloud account (the command does not produce an output):

aws iam delete-user \
	--user-name BedrockAPIKey-abcd

04 Repeat steps no. 1 - 3 to remove all long-term Amazon Bedrock API keys from your AWS account.
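The following script ties the Audit and Remediation CLI steps together: it parses the JSON that the Audit command prints, reports every Active long-term Bedrock key with its remaining lifetime, and builds (but does not run) the delete-service-specific-credential, detach-user-policy and delete-user commands from the Remediation section for each finding. It is an added example, not Trend Micro or AWS code. The field names and policy ARN are those shown on this page; the embedded sample payload is constructed to mirror the Audit output (plus one Inactive key to show it is skipped), and the --live and --delete-users flags are this script's own conventions. Only the Python standard library is used.

```python
"""Triage active long-term Amazon Bedrock API keys and build cleanup commands.

Added example for this page (not Trend Micro or AWS code). Parses the output
of `aws iam list-service-specific-credentials --service-name
bedrock.amazonaws.com --all-users` and prints the Remediation-section
commands for review. The --live / --delete-users flags are our own.
"""
import json
import subprocess
import sys
from datetime import datetime, timezone

BEDROCK_SERVICE = "bedrock.amazonaws.com"
# Managed policy attached to the key's IAM user at creation (from the page).
BEDROCK_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonBedrockLimitedAccess"

# Constructed sample mirroring the Audit section's CLI output, plus one
# Inactive key to show that only Active keys become findings.
SAMPLE_OUTPUT = json.dumps({"ServiceSpecificCredentials": [
    {"UserName": "BedrockAPIKey-abcd", "Status": "Active",
     "ServiceCredentialAlias": "BedrockAPIKey-abcd-at-123456789012",
     "CreateDate": "2025-10-01T11:00:00+00:00",
     "ExpirationDate": "2026-10-01T11:00:00+00:00",
     "ServiceSpecificCredentialId": "ABCD1234ABCD1234ABCD1",
     "ServiceName": BEDROCK_SERVICE},
    {"UserName": "BedrockAPIKey-1234", "Status": "Active",
     "ServiceCredentialAlias": "BedrockAPIKey-1234-at-123456789012",
     "CreateDate": "2025-09-16T10:34:57+00:00",
     "ExpirationDate": "2125-12-16T10:34:57+00:00",
     "ServiceSpecificCredentialId": "1234ABCD1234ABCD1234A",
     "ServiceName": BEDROCK_SERVICE},
    {"UserName": "BedrockAPIKey-old", "Status": "Inactive",
     "ServiceCredentialAlias": "BedrockAPIKey-old-at-123456789012",
     "CreateDate": "2025-01-01T00:00:00+00:00",
     "ExpirationDate": "2026-01-01T00:00:00+00:00",
     "ServiceSpecificCredentialId": "OLD1234OLD1234OLD1234",
     "ServiceName": BEDROCK_SERVICE},
]})


def active_bedrock_keys(output_json, now=None):
    """Return one finding per Active Bedrock key, longest-lived first.

    `now` (datetime or ISO-8601 string) is injectable for reproducible
    results; it defaults to the current UTC time.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now(timezone.utc)
    findings = []
    for cred in json.loads(output_json).get("ServiceSpecificCredentials", []):
        if cred.get("ServiceName") != BEDROCK_SERVICE:
            continue  # credentials for other services are out of scope
        if cred.get("Status") != "Active":
            continue  # the page's rule: only Active keys are findings
        expires = datetime.fromisoformat(cred["ExpirationDate"])
        findings.append({
            "user_name": cred["UserName"],
            "credential_id": cred["ServiceSpecificCredentialId"],
            "created": cred["CreateDate"],
            "expires": cred["ExpirationDate"],
            "days_remaining": (expires - now).days,
        })
    findings.sort(key=lambda f: f["days_remaining"], reverse=True)
    return findings


def remediation_commands(findings, delete_users=False):
    """Build the Remediation-section CLI commands for each finding.

    Commands are returned as strings, not executed, so they can be reviewed
    before anything is deleted. delete_users adds the optional IAM user
    cleanup (detach policy, then delete user).
    """
    commands = []
    for f in findings:
        commands.append(
            f"aws iam delete-service-specific-credential "
            f"--user-name {f['user_name']} "
            f"--service-specific-credential-id {f['credential_id']}")
        if delete_users:
            commands.append(
                f"aws iam detach-user-policy --user-name {f['user_name']} "
                f"--policy-arn {BEDROCK_POLICY_ARN}")
            commands.append(f"aws iam delete-user --user-name {f['user_name']}")
    return commands


def main(argv):
    # --live runs the Audit command against the configured AWS account;
    # otherwise the constructed sample is used so the script runs offline.
    if "--live" in argv:
        output = subprocess.run(
            ["aws", "iam", "list-service-specific-credentials",
             "--service-name", BEDROCK_SERVICE, "--all-users"],
            check=True, capture_output=True, text=True).stdout
    else:
        output = SAMPLE_OUTPUT
    findings = active_bedrock_keys(output)
    if not findings:
        print("No active long-term Amazon Bedrock API keys found.")
        return 0
    for f in findings:
        print(f"FINDING user={f['user_name']} id={f['credential_id']} "
              f"expires={f['expires']} ({f['days_remaining']} days left)")
    print("\nRemediation (review, then run):")
    for cmd in remediation_commands(findings, "--delete-users" in argv):
        print("  " + cmd)
    return 1  # non-zero exit so a CI job fails while keys remain


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it without arguments to see the triage of the sample payload; run `python triage.py --live` (optionally with `--delete-users`) to pipe in the real Audit output. Exiting non-zero while findings exist lets the check sit in a scheduled pipeline, and returning the commands instead of executing them keeps a human in the loop before an IAM user is removed.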


Publication date Oct 3, 2025