Skip to content
Threat Feed
medium advisory

AWS Bedrock Claude Possible Prompt Injection

This brief identifies potential prompt injection or jailbreak attempts against AWS Bedrock Claude large language models by searching for specific phrases in user prompts, indicating attempts to subvert model behavior, extract data, or gain unauthorized access to resources.

This hunting brief focuses on detecting potential prompt injection and jailbreak attempts targeting AWS Bedrock Claude large language models (LLMs). The detection logic identifies specific keyword phrases within user prompts that are commonly associated with malicious model manipulation, such as instruction overrides, persona switching, requests to ignore prior guidance, or direct calls for "jailbreak" or "developer mode." While many of these phrases can appear in legitimate use cases (e.g., role-playing, legitimate system prompts), their presence, especially when combined with other indicators or occurring mid-conversation, can signal an attacker's attempt to bypass model guardrails, extract sensitive data, escalate privileges, or access restricted tools via the LLM. This is a hunting activity designed to surface suspicious interactions for deeper investigation, acknowledging a high benign base rate.

Impact

Successful prompt injection against an LLM like AWS Bedrock Claude can lead to severe consequences, including unauthorized data exfiltration from the model's context or connected systems, privilege escalation within the model's operational environment, or the ability to access and manipulate restricted tools or resources that the LLM is permitted to interact with. Attackers could also bypass safety controls, generate harmful content, or coerce the model into performing actions contrary to its intended purpose, potentially impacting data integrity, confidentiality, and the overall security posture of applications relying on the compromised LLM.

Recommendation

  • Enable Amazon Bedrock model invocation logging to ensure Claude request/response payloads are delivered to S3 and/or CloudWatch Logs (see the reference to docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html), and ingest these logs into your SIEM, specifically ensuring the Input.InputBodyJson.Messages.Content.Text field (or equivalent) is parsed.
  • Deploy the provided Sigma rule (or similar logic) to your SIEM system as a hunting query, configured to alert on potential prompt injection phrases within AWS Bedrock Claude logs.
  • Investigate all hits from the detection rule thoroughly, reviewing the surrounding conversation, the message role (system vs. user vs. tool output), and whether the phrase is followed by requests to bypass safety controls, extract sensitive data, or access tools before treating a match as suspicious, as described in the falsepositives section of the rule.
  • Regularly review and update the list of prompt injection keywords and patterns in your detection rules as new jailbreak techniques evolve to maintain detection efficacy.

Detection coverage 1

Detect AWS Bedrock Claude Possible Prompt Injection Keywords

low

Detects phrases in AWS Bedrock Claude prompts commonly associated with prompt injection or jailbreak attempts, such as instruction overrides or requests to ignore prior guidance. This is a hunting rule due to high false positives, requiring further investigation of context.

sigma tactics: defense_evasion techniques: T1055 sources: cloud, aws

Detection queries are available on the platform. Get full rules →