{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/bedrock/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Bedrock","CloudTrail","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["aws","bedrock","cloudtrail","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Amazon","Splunk"],"content_html":"\u003cp\u003eThis analytic focuses on detecting the deletion of AWS Bedrock GuardRails. AWS Bedrock is a fully managed service that offers a choice of high-performing foundation models (FMs) from leading AI companies. GuardRails within Bedrock are security controls designed to prevent harmful, biased, or inappropriate AI outputs. The deletion of these guardrails, detected through AWS CloudTrail logs, could indicate a malicious actor attempting to bypass security measures after compromising credentials. This could potentially enable harmful or malicious model outputs, leading to the generation of offensive content, extraction of sensitive information, or circumvention of prompt injection defenses. This activity matters to defenders as it highlights a potential attempt to manipulate AI model behavior for malicious purposes, requiring immediate investigation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account with sufficient privileges to manage Bedrock resources, possibly through credential compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the AWS environment, establishing a session.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies existing AWS Bedrock GuardRails configurations using AWS APIs or the AWS Management Console.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eDeleteGuardrail\u003c/code\u003e API call via the AWS CLI, SDK, or Management Console, specifying the \u003ccode\u003eguardrailIdentifier\u003c/code\u003e of the targeted GuardRail.\u003c/li\u003e\n\u003cli\u003eAWS CloudTrail logs the \u003ccode\u003eDeleteGuardrail\u003c/code\u003e event, including details such as the user identity, source IP address, and GuardRail identifier.\u003c/li\u003e\n\u003cli\u003eThe GuardRail is successfully deleted, removing the configured safety controls for the Bedrock models.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the now-unprotected Bedrock models to generate harmful content, extract sensitive information, or bypass other security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data generated from the unprotected model to an external location.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of Bedrock GuardRails could allow attackers to manipulate AI models for malicious purposes. This could lead to the generation of offensive or harmful content, extraction of sensitive information, or bypassing prompt injection defenses. Organizations utilizing AWS Bedrock may experience reputational damage, data breaches, and regulatory compliance issues. While specific victim numbers are unavailable, the impact could be significant depending on the sensitivity of the data processed by the models.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable AWS CloudTrail logging for all AWS regions, specifically capturing Bedrock service events to ensure the \u003ccode\u003eDeleteGuardrail\u003c/code\u003e API calls are logged (data_source).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect AWS Bedrock GuardRails Deletion\u003c/code\u003e to your SIEM and tune for your environment to detect unauthorized GuardRail deletions.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected \u003ccode\u003eDeleteGuardrail\u003c/code\u003e events to determine the legitimacy of the action and identify potential credential compromise or malicious intent (Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement an allowlist for expected administrators who regularly manage GuardRails configurations to reduce false positives (known_false_positives).\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003esrc\u003c/code\u003e IP addresses from which \u003ccode\u003eDeleteGuardrail\u003c/code\u003e API calls are made to identify potentially suspicious or unauthorized access points (rule and RBA).\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all AWS accounts, especially those with privileges to manage Bedrock resources, to mitigate credential compromise (overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-aws-bedrock-guardrails-deletion/","summary":"Detection of AWS Bedrock GuardRails deletion, which are security controls to prevent harmful AI outputs, could indicate an adversary attempting to remove safety measures after credential compromise to enable malicious model outputs.","title":"AWS Bedrock GuardRails Deletion Attempt","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-bedrock-guardrails-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — Bedrock","version":"https://jsonfeed.org/version/1.1"}