Skip to content
Threat Feed
medium advisory

AWS Bedrock Model Invocation Logging Deletion

Detection of AWS Bedrock model invocation logging configuration deletion via the DeleteModelInvocationLogging API in CloudTrail logs, potentially indicating an adversary attempting to evade detection of malicious AI model usage.

This threat brief focuses on the deletion of AWS Bedrock model invocation logging configurations, a critical security concern. The detection identifies attempts to remove audit trails by monitoring calls to the DeleteModelInvocationLoggingConfiguration API within AWS CloudTrail logs. This activity is significant because adversaries may try to cover their tracks after compromising credentials and using AI models for unauthorized purposes. The deletion of these logs can allow attackers to interact with AI models without being detected, enabling malicious activities such as data exfiltration, prompt injection attacks, or other harmful actions. Defenders must monitor for this behavior to ensure the integrity and auditability of their AI model interactions.

Attack Chain

  1. Initial Access: An attacker gains unauthorized access to an AWS account, potentially through compromised credentials or exploiting a vulnerability in the AWS environment.
  2. Privilege Escalation (Optional): The attacker may attempt to escalate privileges within the AWS account to gain the necessary permissions to manage Bedrock logging configurations.
  3. Discovery: The attacker identifies that AWS Bedrock model invocation logging is enabled and seeks to disable it to evade detection.
  4. Disable Logging: The attacker calls the DeleteModelInvocationLoggingConfiguration API to remove the existing logging configuration. This action is recorded in AWS CloudTrail.
  5. Malicious Model Interaction: With logging disabled, the attacker interacts with the AWS Bedrock models to conduct unauthorized activities such as data exfiltration, prompt injection, or other forms of malicious model exploitation.
  6. Data Exfiltration/Prompt Injection: The attacker uses the models to extract sensitive data or inject malicious prompts to manipulate the model's behavior for nefarious purposes.
  7. Evasion: The attacker avoids detection by ensuring that no logs are generated for these interactions.
  8. Persistence (Optional): The attacker may establish persistence mechanisms to maintain unauthorized access to the AWS environment for future exploitation.

Impact

The successful deletion of AWS Bedrock model invocation logging configurations can have significant consequences. By removing these audit trails, adversaries can operate undetected while interacting with AI models for malicious purposes. This can lead to data breaches, prompt injection attacks, or other harmful activities that are difficult to trace back to the attacker. While specific victim counts are unavailable, organizations across various sectors are potentially vulnerable if they utilize AWS Bedrock and do not adequately monitor for this type of activity. The impact includes potential financial losses, reputational damage, and legal liabilities.

Recommendation

  • Deploy the Sigma rule AWS Bedrock Delete Model Invocation Logging Configuration to your SIEM and tune it for your environment to detect the deletion of AWS Bedrock model invocation logging configurations (rules).
  • Implement strict access controls and multi-factor authentication to protect AWS accounts from unauthorized access, reducing the risk of credential compromise that leads to the described attack chain (Attack Chain).
  • Regularly review and audit AWS CloudTrail logs to identify any suspicious activities, including attempts to modify or delete logging configurations (logsource).
  • Configure alerts to trigger when the DeleteModelInvocationLoggingConfiguration API is called, and investigate any instances of this event (rules).

Detection coverage 2

AWS Bedrock Delete Model Invocation Logging Configuration

medium

Detects deletion of AWS Bedrock model invocation logging configurations via CloudTrail logs.

sigma tactics: defense_evasion techniques: T1562.008 sources: cloudtrail, aws

AWS Bedrock Logging Configuration Changes by Unusual User Agent

low

Detects changes to Bedrock logging configuration by unusual user agents which may indicate malicious activity.

sigma tactics: defense_evasion techniques: T1562.008 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →