This issue has been assessed as high severity. Review affected configurations immediately.
AI API keys are not like other API keys. When a traditional API key is stolen, the attacker can read or write data depending on its scope. When an LLM API key is stolen, the attacker can burn thousands of pounds of compute budget in hours, extract internal context through model interactions, and use your AI infrastructure as a platform for their own operations — all while the usage appears in your billing as legitimate inference traffic.
The attack surface is also expanding quickly. Every enterprise AI deployment connecting to a managed LLM endpoint — whether AWS Bedrock, Azure OpenAI, or GCP Vertex AI — introduces these credentials into environments that weren’t designed with AI-specific threats in mind. This guide covers the hardening steps for each major cloud provider.
Why LLM API Key Theft Is Different
Standard API key theft has a defined blast radius: scope what the key can do, and you know the worst-case outcome. LLM API keys have a more fluid threat model.
Cost amplification: A single GPT-4 or Claude API key with no spend limits can exhaust a monthly budget in hours through automated prompt generation. Attackers running jailbreak-as-a-service operations or training data extraction operations pay nothing for their compute.
Data exfiltration via model context: If your application sends internal data to the LLM as context — customer records, documents, code — an attacker with your API key can replay prompts that extract those context windows. This is particularly relevant for retrieval-augmented generation (RAG) architectures where document stores are passed to the model.
Model manipulation and prompt injection pivot: Attackers with API access can probe your model’s system prompt configuration, identify prompt injection vulnerabilities, and use this to attack downstream users of your AI application.
Shared infrastructure abuse: LLM APIs are rate-limited per-key, not per-user. Stolen keys get the full rate limit allocation, which attackers exploit for high-volume abuse campaigns.
AWS Bedrock
IAM Scoping
Bedrock follows standard AWS IAM, but the action namespace requires specific attention.
Restrict policies to specific model ARNs rather than bedrock:*:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"bedrock:InvokeModel",
"bedrock:InvokeModelWithResponseStream"
],
"Resource": [
"arn:aws:bedrock:eu-west-2::foundation-model/anthropic.claude-sonnet-4-6-20250514-v1:0"
]
}
]
}
Avoid granting bedrock:CreateModelCustomizationJob, bedrock:DeleteFoundationModelAgreement, or any administrative actions to application runtime roles.
Preventing Credential Exposure
The most common theft vector for Bedrock credentials is exposure of IAM credentials in application code or CI/CD pipelines. Use instance metadata service (IMDSv2) for EC2 deployments, task roles for ECS/Fargate, and Pod Identity for EKS — never static access keys in your application environment.
# Verify IMDSv2 is enforced on all EC2 instances
aws ec2 describe-instances \
--query 'Reservations[].Instances[?MetadataOptions.HttpTokens!=`required`].[InstanceId]' \
--output text
Monitoring for Inference Abuse
CloudWatch Bedrock metrics don’t surface anomalous usage patterns well out of the box. Enable Bedrock model invocation logging to CloudWatch Logs and set an alarm on invocation count:
aws cloudwatch put-metric-alarm \
--alarm-name "BedrockInvocationSpike" \
--metric-name "Invocations" \
--namespace "AWS/Bedrock" \
--statistic Sum \
--period 300 \
--evaluation-periods 2 \
--threshold 500 \
--comparison-operator GreaterThanThreshold \
--alarm-actions arn:aws:sns:eu-west-2:123456789012:security-alerts
Set AWS Budgets alerts for Bedrock service spend with a low threshold — anomalous AI inference shows up immediately in cost data before it appears in security logs.
Guardrails for Data Containment
Bedrock Guardrails can detect and block sensitive data patterns in prompts and responses. Configure a guardrail that blocks PII from appearing in model responses:
{
"sensitiveInformationPolicyConfig": {
"piiEntitiesConfig": [
{"type": "UK_NHS_NUMBER", "action": "BLOCK"},
{"type": "EMAIL", "action": "ANONYMIZE"},
{"type": "CREDIT_DEBIT_CARD_NUMBER", "action": "BLOCK"}
]
}
}
This won’t prevent an attacker with your key from invoking the model, but it limits data exfiltration through model responses in RAG architectures.
Azure OpenAI
Resource-Level IAM
Azure OpenAI uses Azure RBAC with a custom role system. For application access, use Cognitive Services OpenAI User rather than Cognitive Services OpenAI Contributor — the Contributor role can create and delete deployments, which an attacker would use to spin up new model deployments in your resource.
Assign roles to managed identities, not to users or service principals with client secrets:
az role assignment create \
--assignee <managed-identity-object-id> \
--role "Cognitive Services OpenAI User" \
--scope /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.CognitiveServices/accounts/<aoai-resource>
Network Restriction
Lock Azure OpenAI resources to private endpoints and remove public network access for production deployments:
az cognitiveservices account update \
--name <aoai-resource> \
--resource-group <rg> \
--public-network-access Disabled
This prevents the majority of stolen-key abuse scenarios — the attacker needs network access to the private endpoint, not just the credential.
Key Rotation
Azure OpenAI resources have two API keys (key1 and key2) to support zero-downtime rotation. Rotate on a schedule — preferably through Azure Key Vault with automatic rotation — rather than waiting for a suspected compromise:
# Regenerate key1, update applications to use key2 first
az cognitiveservices account keys regenerate \
--name <aoai-resource> \
--resource-group <rg> \
--key-name key1
Diagnostic Logging
Enable diagnostic settings to send Azure OpenAI audit logs to a Log Analytics workspace. This surfaces unusual request volumes, unexpected caller IPs, and model endpoint changes:
az monitor diagnostic-settings create \
--resource /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.CognitiveServices/accounts/<aoai-resource> \
--name "aoai-audit-logs" \
--workspace <log-analytics-workspace-id> \
--logs '[{"category": "Audit", "enabled": true}]' \
--metrics '[{"category": "AllMetrics", "enabled": true}]'
GCP Vertex AI
Service Account Scoping
Vertex AI workloads should use Workload Identity Federation for GKE deployments — avoid downloading service account key files for production use. The roles/aiplatform.user role provides inference access without administrative capabilities.
gcloud projects add-iam-policy-binding <project-id> \
--member="serviceAccount:<sa-name>@<project-id>.iam.gserviceaccount.com" \
--role="roles/aiplatform.user"
Block key creation for AI service accounts via an organisation policy:
name: organizations/<org-id>/policies/iam.disableServiceAccountKeyCreation
spec:
rules:
- enforce: true
VPC Service Controls
Wrap Vertex AI within a VPC Service Control perimeter to prevent data exfiltration from model endpoints:
gcloud access-context-manager perimeters create vertex-ai-perimeter \
--policy=<access-policy> \
--resources=projects/<project-number> \
--restricted-services=aiplatform.googleapis.com \
--title="Vertex AI Perimeter"
This blocks API calls to Vertex AI from outside the defined perimeter, limiting the utility of stolen credentials without network access.
Monitoring with Cloud Audit Logs
Vertex AI operations are logged to Cloud Audit Logs under aiplatform.googleapis.com. Create a log-based metric for unusual prediction volume:
gcloud logging metrics create vertex-prediction-spike \
--description="Spike in Vertex AI prediction requests" \
--log-filter='protoPayload.serviceName="aiplatform.googleapis.com" AND protoPayload.methodName="PredictionService.Predict"'
Cross-Provider Hardening
Regardless of which AI provider you use, the following controls apply:
Spend alerts before security alerts. AI inference abuse shows up in cost data faster than in security logs. Set billing anomaly alerts at 150% of your typical daily spend with immediate notification to your security team. For AWS, GCP, and Azure this takes ten minutes to configure and is the fastest detection control available.
Rotate credentials on any suspected exposure. AI API keys should be treated like passwords — rotate immediately on any indication of exposure. Unlike database passwords, rotation is typically instant and zero-downtime with the two-key patterns all providers support.
Audit your RAG architecture for context bleed. If your application uses retrieval-augmented generation, map what data gets included in model context windows. Any data inserted into prompts can be extracted by an attacker with API access. Apply data classification to your retrieval pipeline and ensure personally identifiable or sensitive commercial data has appropriate access controls on the retrieval layer, not just the model layer.
Log prompt inputs, not just API calls. Standard API call logging tells you a request was made. For incident response, you need to know what was in the prompt. Enable extended logging that captures request content (with appropriate data handling controls) so you can reconstruct what an attacker was doing with your key.