AWS API calls indicating AWS Bedrock model invocation
Description
AlphaSOC detected an invocation of an AWS Bedrock model. AWS Bedrock enables users to access foundation models for generative AI applications. This finding indicates potential unauthorized access to AI resources or attempts to extract sensitive data through AI model interactions.
Impact
Unauthorized use of AWS Bedrock can lead to excessive computational costs, resource consumption, and potential data breaches. Threat actors can use these models to process sensitive information, generate malicious content, or conduct reconnaissance. The exposed data could allow adversaries to gain deeper insight into organizational infrastructure.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent, or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
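The severity table above, applied to CloudTrail records as an added example (this is not AlphaSOC's own detection logic). The names `BASELINE`, `IP_TO_ASN` and `sample_event` and all their values are constructed for illustration. The static baseline, reducing the user agent to its product token, and capping four unexpected properties at Medium are assumptions, since the table stops at three.

```python
# Constructed baseline of expected values; assumed static here, a real
# deployment would derive it from the account's own history.
BASELINE = {
    "action": {"InvokeModel"},
    "asn": {16509},
    "user_agent": {"Boto3"},
    "region": {"us-east-1"},
}
# Constructed IP-to-ASN enrichment table: CloudTrail records carry no ASN.
IP_TO_ASN = {"198.51.100.7": 16509, "203.0.113.50": 64500}
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}


def unexpected_properties(event):
    """Return the names of the four tracked properties that fall outside BASELINE."""
    observed = {
        "action": event["eventName"],
        "asn": IP_TO_ASN.get(event["sourceIPAddress"]),  # unknown IP -> None -> unexpected
        "user_agent": event["userAgent"].split("/")[0],  # product token only
        "region": event["awsRegion"],
    }
    return sorted(name for name, value in observed.items() if value not in BASELINE[name])


def score(event):
    """Map one CloudTrail record to a finding, or None when nothing is unexpected."""
    if event.get("eventSource") != "bedrock.amazonaws.com":
        return None
    odd = unexpected_properties(event)
    if not odd:
        return None
    return {
        # The page's table stops at three; four is capped at Medium (assumption).
        "severity": SEVERITY[min(len(odd), 3)],
        "principal": event["userIdentity"]["arn"],  # who invoked the model
        "unexpected": odd,
    }


def sample_event(**overrides):
    """Constructed CloudTrail record for a baseline-conforming InvokeModel call."""
    event = {
        "eventSource": "bedrock.amazonaws.com",
        "eventName": "InvokeModel",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "userAgent": "Boto3/1.34.0 Python/3.12",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-app"},
    }
    event.update(overrides)
    return event
```

The `principal` field in each finding is the identity to look up first when reviewing the CloudTrail logs.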
Investigation and Remediation
Review AWS CloudTrail logs to identify the user that invoked the model. Analyze the input prompts and output patterns for potential data exposure. Implement strict access controls and monitoring for Bedrock services. Revoke access if unauthorized use is confirmed.
Known False Positives
- An initial run of an application with generative AI features