Detecting Excessive AWS Bedrock Claude Token Usage
This detection identifies anomalous behavior in AWS Bedrock Claude where an identity generates excessively large model responses compared to its historical average, signaling potential bulk data exfiltration, successful prompt injection leading to verbose output, or a runaway agentic loop indicative of abuse or compromise of the large language model.
This brief details a detection focused on identifying anomalous usage patterns within AWS Bedrock Claude models. Specifically, it targets identities generating unusually large model responses, quantified by output token counts, relative to their own established historical baselines. This behavior can signify several malicious or abusive activities, including attempts at bulk data extraction, where an attacker coerces the model into outputting sensitive or large volumes of information. It also points to successful prompt injection attacks that manipulate the model into generating verbose, potentially sensitive, or out-of-scope content. Furthermore, it can highlight runaway agentic loops, which deplete resources and incur significant costs by hitting context limits. Such anomalies suggest potential compromise of AWS identities or misuse of the Bedrock service.
Attack Chain
- An attacker obtains unauthorized access to a legitimate AWS identity or service principal with permissions to invoke AWS Bedrock Claude models, likely through compromised credentials or misconfiguration.
- The compromised identity is used to submit queries or prompts to the Claude model within Amazon Bedrock.
- The attacker crafts malicious prompts designed to elicit verbose output, potentially using prompt injection techniques to bypass guardrails or extract information.
- Alternatively, the attacker uses the model for bulk data exfiltration, framing requests to generate extensive summaries, code, or other large-volume content.
- The Claude model processes these requests, resulting in responses where the
output_tokenscount is significantly higher than the typical historical maximum for that specific invoking identity. - AWS Bedrock's model invocation logging feature records these interactions, including the anomalously large
output_tokensin the request/response payloads. - These logs are collected and ingested into a security monitoring platform, which then applies statistical analysis to identify the identity whose single largest response exceeds a predefined threshold (e.g., two standard deviations above its mean).
- The sustained or repeated generation of excessive tokens facilitates data exfiltration or leads to significant cloud resource consumption and associated financial costs.
Impact
Successful exploitation or abuse through excessive token usage in AWS Bedrock Claude can lead to significant financial impact due to inflated cloud costs. More critically, it poses a severe data exfiltration risk, where attackers can leverage the generative capabilities of the LLM to extract sensitive information or intellectual property in large volumes from data the model has access to. Such activity also indicates a potential compromise of AWS identities, which could lead to further lateral movement within the cloud environment. While the number of direct victims from this specific method isn't publicly quantified, any organization utilizing AWS Bedrock with compromised credentials or vulnerable LLM integrations is at risk.
Recommendation
- Enable Amazon Bedrock model invocation logging to ensure
output_tokensdata is captured for analysis, as described in thehow_to_implementsection. - Configure logging of AWS Bedrock activities to be ingested into your SIEM, following the
how_to_implementguidance. - Implement identity and access management (IAM) best practices for AWS, including least privilege for Bedrock invocation roles, to mitigate initial access risks.
- Deploy anomaly detection analytics that specifically monitor
output_tokensfor Bedrock Claude usage to identify deviations from established baselines.