Potential Cross-Region Inference Abuse in AWS Bedrock Claude
This threat brief details the potential for malicious actors to exploit AWS Bedrock Claude models by performing cross-region inference with high input token counts, indicating attempts to bypass regional restrictions, exfiltrate sensitive data, or conduct unauthorized actions across different AWS regions.
Malicious actors may be exploiting AWS Bedrock Claude models to perform cross-region inference abuse, a technique that allows them to bypass regional data residency policies and exfiltrate sensitive information. This activity is detected when a user or compromised entity invokes an Amazon Bedrock Claude model from a different AWS region than the one where the request originated, particularly when accompanied by a high volume of input tokens (e.g., 2000 or more). This method could be used to process and extract confidential data from a region with strict residency requirements by sending it to a model hosted in a more permissive region. The detection, first published in July 2026, aims to identify these unusual inference patterns that could signify unauthorized data movement or policy evasion.
Attack Chain
- Initial Access: An attacker gains unauthorized access to an AWS account, potentially through compromised credentials, API keys, or an exploited EC2 instance with Bedrock permissions.
- Reconnaissance/Environment Setup: The attacker identifies available AWS regions and the presence of AWS Bedrock services within the target account.
- Cross-Region Session Establishment: The attacker establishes an authenticated session in an AWS region (e.g.,
us-east-1) where the compromised credentials are valid or the source data resides. - Bedrock Model Invocation (Cross-Region): The attacker then invokes an AWS Bedrock Claude model, but explicitly specifies an
inferenceRegion(e.g.,eu-west-1) that is different from the originatingregionof their current session. - Sensitive Data Injection: The attacker feeds a large volume of sensitive or proprietary data (indicated by high
input.inputTokenCount) into the Bedrock Claude model for processing, analysis, or summarization. - Data Exfiltration/Bypass: The model processes the input, and the resulting output (potentially summarized or reformulated sensitive data) is returned to the attacker's control, effectively bypassing regional data residency policies or exfiltrating information.
- Post-Exploitation/Cleanup: The attacker may delete logs, modify permissions, or continue to leverage the cross-region inference for further unauthorized activities or to maintain persistence.
Impact
If cross-region inference abuse in AWS Bedrock Claude models goes undetected, organizations face severe risks, including the potential for significant data exfiltration, violation of data residency regulations (e.g., GDPR, HIPAA), and unauthorized access to intellectual property. This can lead to substantial financial penalties, reputational damage, and loss of competitive advantage. While no specific victim counts are available, any organization utilizing AWS Bedrock with sensitive data, especially those operating under strict regional compliance, is a potential target. The successful exfiltration of data through this method can be difficult to trace as it leverages legitimate cloud services.
Recommendation
- Enable Bedrock Invocation Logging: Immediately enable Amazon Bedrock model invocation logging for all Claude models in AWS, ensuring request/response payloads are delivered to S3 and/or CloudWatch Logs as detailed in the AWS documentation (https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html).
- Ingest Logs to SIEM: Configure the Splunk Add-on for AWS (https://splunkbase.splunk.com/app/1876) or equivalent SIEM logging to ingest AWS Bedrock model invocation logs into your security information and event management (SIEM) platform.
- Deploy and Tune Detection Rule: Deploy the
AWS Bedrock Claude Possible Cross-Region Inference Abuse (High Tokens)Sigma rule or its equivalent logic to your SIEM. Tune theinput.inputTokenCountthreshold for your environment and ensure correlation logic is implemented to identify events whereregionis not equal toinferenceRegion. - Investigate Alerts: Establish a robust incident response process to promptly investigate all alerts generated by the
AWS Bedrock Claude Possible Cross-Region Inference Abuse (High Tokens)detection, prioritizing those with a clearregion != inferenceRegionmismatch.
Detection coverage 1
AWS Bedrock Claude Possible Cross-Region Inference Abuse (High Tokens)
highDetects potential cross-region inference abuse in AWS Bedrock Claude models by identifying invocations with high input token counts (>=2000) where the 'region' and 'inferenceRegion' fields are present. This rule flags high-volume Bedrock activity; a critical next step for detection engineers is to correlate these events and filter for instances where 'region' is NOT equal to 'inferenceRegion' in their SIEM, as direct field comparison is not standard Sigma.
Detection queries are available on the platform. Get full rules →