{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/bedrock/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["CloudTrail","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["aws","bedrock","cloudtrail","logging","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Amazon","Splunk"],"content_html":"\u003cp\u003eThis analytic identifies attempts to delete AWS Bedrock model invocation logging configurations. The activity is detected by monitoring AWS CloudTrail logs for calls to the DeleteModelInvocationLogging API. Successful deletion of these logs could allow attackers to interact with AI models hosted on AWS Bedrock without leaving forensic traces. This may be indicative of an adversary who has compromised AWS credentials and is attempting to evade detection of their malicious actions. The impact could range from data exfiltration and prompt injection attacks to other unauthorized activities, all performed without generating audit records. This event should be considered a high-priority alert, as it directly impacts the ability to monitor and respond to potentially malicious use of AI models within the AWS environment. The detection leverages AWS CloudTrail logs and is based on the Splunk ES-CU analytic \u0026ldquo;AWS Bedrock Delete Model Invocation Logging Configuration\u0026rdquo;.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account, potentially through credential compromise or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates the existing AWS Bedrock model invocation logging configurations within the targeted AWS account.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003eDeleteModelInvocationLoggingConfiguration\u003c/code\u003e API call to disable or remove the logging configuration.\u003c/li\u003e\n\u003cli\u003eAWS CloudTrail logs the \u003ccode\u003eDeleteModelInvocationLoggingConfiguration\u003c/code\u003e event, capturing details such as the user, source IP, and timestamp.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds to interact with AWS Bedrock models, potentially performing data exfiltration or prompt injection attacks.\u003c/li\u003e\n\u003cli\u003eBecause model invocation logging has been disabled, these interactions are not logged, hindering detection and incident response efforts.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to further cover their tracks by deleting or modifying other relevant CloudTrail logs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to unauthorized access and manipulation of AI models hosted on AWS Bedrock. The deletion of model invocation logs allows attackers to hide their activities, making it difficult to detect and respond to incidents such as data exfiltration or prompt injection attacks. This can result in significant financial loss, reputational damage, and legal liabilities. The exact number of victims and the extent of the damage depend on the scope and duration of the attacker\u0026rsquo;s access to the AI models.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AWS Bedrock Logging Deletion\u003c/code\u003e to your SIEM to detect attempts to delete AWS Bedrock model invocation logging configurations.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003eDeleteModelInvocationLoggingConfiguration\u003c/code\u003e events, focusing on unexpected users or source IPs, to validate legitimate administrative actions.\u003c/li\u003e\n\u003cli\u003eEnable AWS CloudTrail logging for all AWS regions and services, including Bedrock, to ensure comprehensive audit coverage.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of credential compromise (T1685.002).\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for unusual API calls and access patterns to identify potential insider threats or compromised accounts.\u003c/li\u003e\n\u003cli\u003eReview and update IAM policies to enforce the principle of least privilege and restrict access to sensitive API actions, such as \u003ccode\u003eDeleteModelInvocationLoggingConfiguration\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-aws-bedrock-logging-deletion/","summary":"Detection of attempts to delete AWS Bedrock model invocation logging configurations, potentially indicating an adversary trying to remove audit trails of model interactions after credential compromise, to hide malicious AI model usage.","title":"AWS Bedrock Model Invocation Logging Deletion Attempt","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-bedrock-logging-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Bedrock","CloudTrail","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["aws","bedrock","cloudtrail","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Amazon","Splunk"],"content_html":"\u003cp\u003eThis analytic focuses on detecting the deletion of AWS Bedrock GuardRails. AWS Bedrock is a fully managed service that offers a choice of high-performing foundation models (FMs) from leading AI companies. GuardRails within Bedrock are security controls designed to prevent harmful, biased, or inappropriate AI outputs. The deletion of these guardrails, detected through AWS CloudTrail logs, could indicate a malicious actor attempting to bypass security measures after compromising credentials. This could potentially enable harmful or malicious model outputs, leading to the generation of offensive content, extraction of sensitive information, or circumvention of prompt injection defenses. This activity matters to defenders as it highlights a potential attempt to manipulate AI model behavior for malicious purposes, requiring immediate investigation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account with sufficient privileges to manage Bedrock resources, possibly through credential compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the AWS environment, establishing a session.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies existing AWS Bedrock GuardRails configurations using AWS APIs or the AWS Management Console.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eDeleteGuardrail\u003c/code\u003e API call via the AWS CLI, SDK, or Management Console, specifying the \u003ccode\u003eguardrailIdentifier\u003c/code\u003e of the targeted GuardRail.\u003c/li\u003e\n\u003cli\u003eAWS CloudTrail logs the \u003ccode\u003eDeleteGuardrail\u003c/code\u003e event, including details such as the user identity, source IP address, and GuardRail identifier.\u003c/li\u003e\n\u003cli\u003eThe GuardRail is successfully deleted, removing the configured safety controls for the Bedrock models.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the now-unprotected Bedrock models to generate harmful content, extract sensitive information, or bypass other security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data generated from the unprotected model to an external location.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of Bedrock GuardRails could allow attackers to manipulate AI models for malicious purposes. This could lead to the generation of offensive or harmful content, extraction of sensitive information, or bypassing prompt injection defenses. Organizations utilizing AWS Bedrock may experience reputational damage, data breaches, and regulatory compliance issues. While specific victim numbers are unavailable, the impact could be significant depending on the sensitivity of the data processed by the models.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable AWS CloudTrail logging for all AWS regions, specifically capturing Bedrock service events to ensure the \u003ccode\u003eDeleteGuardrail\u003c/code\u003e API calls are logged (data_source).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect AWS Bedrock GuardRails Deletion\u003c/code\u003e to your SIEM and tune for your environment to detect unauthorized GuardRail deletions.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected \u003ccode\u003eDeleteGuardrail\u003c/code\u003e events to determine the legitimacy of the action and identify potential credential compromise or malicious intent (Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement an allowlist for expected administrators who regularly manage GuardRails configurations to reduce false positives (known_false_positives).\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003esrc\u003c/code\u003e IP addresses from which \u003ccode\u003eDeleteGuardrail\u003c/code\u003e API calls are made to identify potentially suspicious or unauthorized access points (rule and RBA).\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all AWS accounts, especially those with privileges to manage Bedrock resources, to mitigate credential compromise (overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-aws-bedrock-guardrails-deletion/","summary":"Detection of AWS Bedrock GuardRails deletion, which are security controls to prevent harmful AI outputs, could indicate an adversary attempting to remove safety measures after credential compromise to enable malicious model outputs.","title":"AWS Bedrock GuardRails Deletion Attempt","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-bedrock-guardrails-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — Bedrock","version":"https://jsonfeed.org/version/1.1"}