AWS Bedrock discovery using access key
Description
AlphaSOC detected AWS Bedrock discovery activity. Bedrock provides access to
foundation models for generative AI applications. Discovery actions such as
ListCustomModels, ListImportedModels, ListFoundationModels,
ListEvaluationJobs, GetFoundationModelAvailability, GetFoundationModel,
GetImportedModel, GetCustomModel, and GetEvaluationJob are used to
identify available models, configurations, and resources. This detection
identifies enumeration performed from unusual locations, with unfamiliar user
agents, via programmatic access keys, or in unexpected regions, suggesting
compromised credentials used to map AI infrastructure.
Impact
Bedrock discovery enables adversaries to enumerate an organization's generative AI resources and identify targets for exploitation. Threat actors can identify custom fine-tuned models containing proprietary training data, available foundation models, provisioned throughput configurations, customization jobs, invocation jobs, and import jobs revealing performance metrics and deployment details. This reconnaissance precedes model invocation attacks, custom model theft, unauthorized AI workload deployment, resource hijacking, data exfiltration through model prompts, excessive invocations for cost inflation, or theft of models containing sensitive business logic.
Severity
| Severity | Condition |
|---|---|
Informational | Unexpected action, ASN, user agent, or region |
Low | AWS Bedrock discovery using access key |
Low | Two unexpected properties at the same time |
Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review CloudTrail logs to identify Bedrock discovery actions performed,
including ListFoundationModels, ListCustomModels, GetCustomModel,
ListEvaluationJobs, ListProvisionedModelThroughputs,
GetProvisionedModelThroughput, ListModelCustomizationJobs,
GetModelCustomizationJob, ListModelInvocationJobs, GetModelInvocationJob,
ListModelImportJobs, or GetModelImportJob. Verify the responsible IAM user
or role and examine the source IP address, ASN, and user agent to confirm
whether activity originated from expected infrastructure or personnel. Check if
discovery was performed via access keys, indicating programmatic enumeration.
If unauthorized, immediately revoke compromised IAM credentials and rotate access keys. Review subsequent CloudTrail events for follow-on actions such as model invocations, custom model access, or data exfiltration attempts. Implement IAM policies restricting Bedrock permissions based on least privilege. Enable CloudTrail logging for all Bedrock API calls and configure CloudWatch alarms for unusual discovery patterns.
Known False Positives
- Initial setup or configuration of AI applications enumerating available models
- Monitoring or auditing tools periodically checking Bedrock model availability
- Development teams exploring foundation models