{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/access-denied/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Bedrock"],"_cs_severities":["medium"],"_cs_tags":["aws","bedrock","access-denied","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting unauthorized access attempts to AWS Bedrock models. The trigger is an \u003ccode\u003eAccessDenied\u003c/code\u003e error when a user or service attempts to invoke a Bedrock model using the \u003ccode\u003eInvokeModel\u003c/code\u003e API. The detection leverages AWS CloudTrail logs. This activity is concerning because it may signal an adversary attempting to access generative AI resources with compromised credentials but lacking the necessary permissions. Successful exploitation could lead to data exfiltration or manipulation of model outputs. The targeted resources are AWS Bedrock models, a suite of foundation models offered by Amazon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Compromise:\u003c/strong\u003e An attacker gains access to AWS credentials through phishing, credential stuffing, or other means (T1550).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker uses the compromised credentials to access the AWS environment (T1078).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery: List Foundation Models:\u003c/strong\u003e The attacker attempts to list available Bedrock foundation models using the AWS CLI or API, potentially to identify accessible resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAttempt InvokeModel:\u003c/strong\u003e The attacker attempts to invoke a specific Bedrock model (e.g., \u003ccode\u003eInvokeModel\u003c/code\u003e API call) without proper permissions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccess Denied:\u003c/strong\u003e AWS returns an \u003ccode\u003eAccessDenied\u003c/code\u003e error, logged in CloudTrail. This indicates insufficient permissions for the attempted action.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation Attempt (Optional):\u003c/strong\u003e The attacker may attempt to escalate privileges by exploiting misconfigurations or vulnerabilities in IAM roles or policies.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Optional):\u003c/strong\u003e If privilege escalation is successful, the attacker may attempt to move laterally to other AWS resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact (Failed):\u003c/strong\u003e The attacker is unable to access or manipulate Bedrock models due to the \u003ccode\u003eAccessDenied\u003c/code\u003e error.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eWhile the \u003ccode\u003eAccessDenied\u003c/code\u003e error prevents immediate damage, the attempt itself indicates malicious activity. A successful privilege escalation following this access denial could lead to exfiltration of data used by the models, tampering with model outputs, or disruption of services relying on the Bedrock models. The TrustOnCloud reference highlights potential flaws in Bedrock's access control, emphasizing the need for monitoring.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026quot;AWS Bedrock Invoke Model Access Denied\u0026quot; Sigma rule to your SIEM and tune for your environment to detect access denial attempts (rule provided below).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003eAccessDenied\u003c/code\u003e errors for \u003ccode\u003eInvokeModel\u003c/code\u003e API calls in CloudTrail logs, focusing on the source IP (\u003ccode\u003esrc\u003c/code\u003e), user (\u003ccode\u003euser\u003c/code\u003e), and affected model (\u003ccode\u003erequestParameters.modelId\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview and harden IAM policies related to AWS Bedrock to ensure least privilege access.\u003c/li\u003e\n\u003cli\u003eEnable and review CloudTrail logs for all AWS regions and services to ensure comprehensive security monitoring.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-bedrock-access-denied/","summary":"Detection of AccessDenied errors when attempting to invoke AWS Bedrock models via the InvokeModel API indicates potential reconnaissance or privilege escalation attempts by an adversary with compromised credentials.","title":"AWS Bedrock Invoke Model Access Denied Attempt","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-bedrock-access-denied/"}],"language":"en","title":"CraftedSignal Threat Feed - Access-Denied","version":"https://jsonfeed.org/version/1.1"}