Skip to content
Threat Feed
medium advisory

Detecting Hostile Prompt Sentiment in AWS Bedrock Claude

This brief outlines the detection of hostile or aggressive prompt sentiment sent to AWS Bedrock Claude large language models, indicating potential abuse, harassment, or attempts at model manipulation, requiring the configuration of Bedrock model invocation logging and Splunk ingestion.

This threat brief details a method for detecting hostile or aggressive sentiment within prompts submitted to AWS Bedrock Claude large language models. Such prompts can signify potential abuse, harassment, or other malicious intentions, including attempts to bypass safety filters or manipulate model behavior. The detection mechanism analyzes Bedrock model invocation logs for specific keywords and phrases indicative of hostility, assigning a risk score to classify prompts. Organizations leveraging AWS Bedrock with Claude models should implement comprehensive logging of model invocations to capture prompt payloads and integrate these logs into their security monitoring platforms like Splunk, enabling early identification of suspicious interactions and potential misuse of generative AI capabilities.

Impact

The impact of hostile prompt sentiment can range from reputational damage to the AI service provider and the organization deploying the models, to operational disruptions and potential data exfiltration or policy violations if attackers successfully coerce the model. Continuous harassment can degrade the user experience for legitimate users and may incur unnecessary compute costs. In scenarios where prompts are designed to bypass safety filters, it could lead to the generation of harmful, biased, or inappropriate content, or even facilitate sensitive information disclosure through sophisticated prompt injection techniques. Unchecked hostile interactions can undermine trust in AI systems and lead to compliance issues.

Recommendation

  • Configure Amazon Bedrock model invocation logging to deliver Claude request/response payloads to S3 and/or CloudWatch Logs as detailed in the AWS documentation (https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html).
  • Ensure these Bedrock model invocation logs are ingested into your SIEM, like Splunk, by installing and configuring the Splunk Add-on for AWS (https://splunkbase.splunk.com/app/1876).
  • Deploy the Detect Hostile Prompts in AWS Bedrock Claude Sigma rule to your SIEM and tune it for your specific environment, accounting for known false positives related to role-playing or legitimate testing.
  • Review any alerts generated by the Detect Hostile Prompts in AWS Bedrock Claude rule to determine if the detected prompt represents actual hostile intent or a benign usage pattern based on context.

Detection coverage 1

Detect Hostile Prompts in AWS Bedrock Claude

medium

Detects prompts with hostile or aggressive sentiment sent to AWS Bedrock Claude models, indicative of potential abuse, harassment, or malicious intent against the LLM.

sigma sources: api_call, aws.bedrock

Detection queries are available on the platform. Get full rules →