-
Notifications
You must be signed in to change notification settings - Fork 395
/
Copy pathaws_bedrock_security.yml
25 lines (23 loc) · 1.99 KB
/
aws_bedrock_security.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
name: AWS Bedrock Security
id: fdc58e40-6b32-4a91-bc45-9f87d2e3c840
version: 1
date: '2024-12-05'
author: Bhavin Patel, Splunk
status: production
description: This analytic story contains detections that query your AWS CloudTrail and CloudWatch logs for activities related to potential security risks and malicious activities on Amazon Bedrock services.
narrative: 'Organizations increasingly leverage Amazon Bedrock to power their Generative AI (GenAI) applications. Adversaries with compromised AWS credentials can exploit Bedrock services and associated resources to perform malicious activities, extract sensitive data, or disrupt operations.
Attackers often perform reconnaissance by repeatedly listing foundation models or making high volumes of API calls. They may attempt to evade detection by disabling logging configurations or deleting GuardRails that prevent harmful outputs. More sophisticated attacks include attaching manipulated training datasets for fine-tuning, deleting S3 buckets containing critical data, or performing LLM jacking where attackers compute their own responses to bypass security controls.
This Analytic Story includes detections that identify suspicious activities against AWS Bedrock services, such as access denied events, spikes in GuardRail blocks, unusual API call patterns, configuration changes to logging, and manipulation of model security controls. These detections help organizations monitor for potential compromise of their Bedrock environment and identify attempts to bypass AI security measures through configuration changes or abuse of legitimate functionality.'
references:
- https://www.sumologic.com/blog/defenders-guide-to-aws-bedrock/
- https://www.mitigant.io/en/blog/bedrock-or-bedsand-attacking-amazon-bedrocks-achilles-heel
- https://sysdig.com/blog/llmjacking-targets-deepseek/
tags:
category:
- Cloud Security
product:
- Splunk Security Analytics for AWS
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Security Monitoring