AWS Bedrock GuardRails Deletion Attempt
Detection of attempts to delete AWS Bedrock GuardRails, security controls that prevent harmful AI outputs, via the DeleteGuardrail API in AWS CloudTrail logs, potentially indicating an adversary attempting to remove these safeguards after compromising credentials to manipulate model behavior for malicious purposes.
This threat brief addresses the risk associated with the deletion of AWS Bedrock GuardRails. AWS Bedrock is a fully managed service that offers a choice of high-performing foundation models (FMs) from leading AI companies. GuardRails are security controls within Bedrock designed to prevent the generation of harmful, biased, or inappropriate content. This brief focuses on the detection of DeleteGuardrail API calls within AWS CloudTrail logs, as these actions could signify a malicious actor attempting to disable these safeguards. Monitoring for this activity is crucial as compromised credentials could allow adversaries to manipulate AI model outputs for malicious purposes, such as extracting sensitive information, generating offensive content, or bypassing security controls. The impact of successful GuardRail deletion can range from data leakage to the deployment of AI-driven attacks.
Attack Chain
- Initial Access: An attacker gains unauthorized access to an AWS account, potentially through compromised credentials obtained via phishing or credential stuffing.
- Privilege Escalation (if needed): The attacker escalates privileges within the AWS account to gain the necessary permissions to manage Bedrock GuardRails.
- Discovery: The attacker uses AWS CLI or the AWS Management Console to discover existing GuardRails within the Bedrock service.
- Disable Logging (optional): The attacker attempts to disable or modify CloudTrail logging configurations to evade detection of their activities. This step may involve modifying CloudTrail settings via the AWS API or console.
- GuardRail Deletion: The attacker calls the
DeleteGuardrailAPI in the AWS Bedrock service, specifying theguardrailIdentifierof the GuardRail to be removed. - Verify Deletion: The attacker verifies the successful deletion of the GuardRail by checking the AWS Bedrock configuration.
- Malicious Model Interaction: With the GuardRails removed, the attacker interacts with the Bedrock models to generate harmful or biased outputs, exfiltrate sensitive information, or perform other malicious activities.
- Lateral Movement/Exfiltration: The attacker may use the generated content or exfiltrated data to further compromise the environment or achieve their objectives.
Impact
The successful deletion of AWS Bedrock GuardRails can have significant consequences. If an attacker successfully removes these safeguards, they can manipulate AI model outputs to generate harmful or biased content, extract sensitive information, or bypass security controls designed to prevent prompt injection and other AI-specific attacks. The potential damage includes reputational damage, data breaches, and the deployment of AI-driven attacks, depending on the sensitivity of the data processed by the Bedrock models and the attacker's objectives. The number of affected users or systems can vary depending on the scope of the attacker's access and the criticality of the compromised AI models.
Recommendation
- Enable and monitor AWS CloudTrail logs for all AWS accounts, focusing on
bedrock.amazonaws.comandDeleteGuardrailevents to detect unauthorized GuardRail deletions. - Deploy the provided Sigma rule (
AWS Bedrock GuardRail Deletion) to detect instances of theDeleteGuardrailAPI call within AWS CloudTrail logs. - Implement strict IAM policies with the principle of least privilege, limiting the users and roles that have permissions to modify or delete Bedrock GuardRails.
- Establish an allowlist of expected administrators who regularly manage GuardRails configurations and adjust the Sigma rule (
AWS Bedrock GuardRail Deletion) accordingly. - Monitor AWS Config for changes to CloudTrail configurations that could indicate attempts to disable or modify logging to evade detection.
Detection coverage 2
AWS Bedrock GuardRail Deletion
highDetects attempts to delete AWS Bedrock GuardRails via the DeleteGuardrail API call in AWS CloudTrail logs.
AWS CloudTrail Logging Disabled or Modified
mediumDetects attempts to disable or modify AWS CloudTrail logging configurations, which may indicate an attacker trying to evade detection.
Detection queries are available on the platform. Get full rules →