<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AWS Bedrock Claude - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/aws-bedrock-claude/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 07 Jul 2026 08:09:32 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/aws-bedrock-claude/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS Bedrock Claude Abuse and Data Exposure Detection Coverage</title><link>https://feed.craftedsignal.io/briefs/2026-07-aws-bedrock-claude-large-prompts/</link><pubDate>Tue, 07 Jul 2026 08:09:32 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-aws-bedrock-claude-large-prompts/</guid><description>Merged detection coverage for AWS Bedrock Claude abuse patterns, including prompt injection, sensitive-data exposure, high-risk tool invocation, cross-region inference, hostile prompts, unusually large prompts, and excessive token output anomalies.</description><content:encoded><![CDATA[<p>This consolidated coverage brief tracks AWS Bedrock Claude abuse detections that were previously published as separate rule-specific briefs. The coverage focuses on suspicious model invocation patterns visible in Bedrock invocation logs and downstream SIEM telemetry: prompt injection keywords, hostile prompt sentiment, sensitive data in prompts, unusually large prompts, excessive output-token anomalies, cross-region inference mismatches, and high-risk filesystem or execution tool invocation through Claude workflows.</p>
<h2 id="detection-coverage">Detection Coverage</h2>
<p>Defenders should enable Amazon Bedrock model invocation logging, route request and response metadata into their SIEM, and deploy the rules in this brief as a single monitoring package for Claude usage. Treat high-risk tool invocation and sensitive-data prompt exposure as higher-priority findings, especially when tied to human identities, unusual regions, or identities deviating from historical token baselines.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable AWS Bedrock model invocation logging and ingest Claude request/response metadata into Splunk or an equivalent SIEM.</li>
<li>Deploy the six public detection rules in this brief and tune thresholds for expected developer, red-team, and testing activity.</li>
<li>Investigate identities triggering multiple Bedrock Claude detections on the same day, especially combinations of prompt injection, sensitive data exposure, cross-region inference, and high-risk tool usage.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">coverage</category><category>cloud</category><category>aws</category><category>bedrock</category><category>claude</category><category>llm</category><category>prompt-injection</category><category>data-exfiltration</category><category>detection-coverage</category></item></channel></rss>