AWS Bedrock model unexpectedly invoked in multiple regions
Description
AlphaSOC detected invocations of AWS Bedrock foundation models across multiple AWS regions within a short time window. While cross-region model access may occur during legitimate development, this pattern can indicate unauthorized use of AI resources, account compromise, or an attempt to distribute usage and avoid detection. AWS Bedrock provides access to powerful generative AI models and can incur significant costs.
Impact
Unauthorized Bedrock usage can result in substantial unexpected charges and potential exposure of sensitive data passed to AI models. Anomalous usage patterns may also indicate that valid credentials have been exfiltrated and are being exploited.
Severity
| Severity | Condition |
|---|---|
| Low | Bedrock model invoked across multiple AWS regions |
| Medium | Unexpected multi-region Bedrock invocations |
Investigation and Remediation
Review AWS CloudTrail logs to identify the IAM user or role making the API calls, the specific regions involved, and the models invoked. Examine whether the usage volume or pattern is consistent with known application behavior. Check for signs of credential compromise and review associated costs in AWS Billing. If unauthorized, revoke the credentials, terminate active sessions, and enable AWS Budgets alerts to detect future anomalous spend.
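The CloudTrail review described above can be scripted; the following is an added example (not AlphaSOC's detection logic) that groups Bedrock invocation events by principal and reports those that span several regions within a sliding window. The 30-minute window, the two-region threshold, the principals and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Bedrock runtime calls that invoke a model, as named in CloudTrail eventName.
INVOKE = {"InvokeModel", "InvokeModelWithResponseStream", "Converse", "ConverseStream"}
WINDOW = timedelta(minutes=30)   # assumed; the page only says "short time window"
MIN_REGIONS = 2                  # assumed threshold for "multiple regions"

def _ev(time, region, arn, name="InvokeModel", model="amazon.titan-text-express-v1"):
    """Build a constructed CloudTrail-shaped record (sample data, not real logs)."""
    return {"eventTime": time, "eventSource": "bedrock.amazonaws.com", "eventName": name,
            "awsRegion": region, "userIdentity": {"arn": arn},
            "requestParameters": {"modelId": model}}

ACCT = "arn:aws:iam::111122223333:user/"   # constructed principals
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00Z", "us-east-1", ACCT + "ci-deploy"),
    _ev("2024-05-01T10:05:00Z", "eu-west-1", ACCT + "ci-deploy"),
    _ev("2024-05-01T10:12:00Z", "ap-southeast-1", ACCT + "ci-deploy",
        model="anthropic.claude-3-sonnet-20240229-v1:0"),
    _ev("2024-05-01T10:00:00Z", "us-east-1", ACCT + "app-backend"),
    _ev("2024-05-01T10:20:00Z", "us-east-1", ACCT + "app-backend"),
    _ev("2024-05-01T10:21:00Z", "eu-west-1", ACCT + "app-backend", name="ListFoundationModels"),
    _ev("2024-05-01T08:00:00Z", "us-east-1", ACCT + "analyst"),
    _ev("2024-05-01T14:00:00Z", "us-west-2", ACCT + "analyst"),
]

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def multi_region_invocations(events, window=WINDOW, min_regions=MIN_REGIONS):
    """Map principal ARN -> regions and models of its widest in-window burst."""
    by_principal = defaultdict(list)
    for e in events:
        if e.get("eventSource") == "bedrock.amazonaws.com" and e.get("eventName") in INVOKE:
            by_principal[e["userIdentity"]["arn"]].append(e)
    findings = {}
    for arn, evs in by_principal.items():
        evs.sort(key=_ts)
        best, start = [], 0
        for end in range(len(evs)):
            while _ts(evs[end]) - _ts(evs[start]) > window:   # slide window forward
                start += 1
            span = evs[start:end + 1]
            if len({e["awsRegion"] for e in span}) > len({e["awsRegion"] for e in best}):
                best = span
        regions = sorted({e["awsRegion"] for e in best})
        if len(regions) >= min_regions:
            models = sorted({(e.get("requestParameters") or {}).get("modelId", "unknown") for e in best})
            findings[arn] = {"regions": regions, "models": models}
    return findings
```

On the sample data only `ci-deploy` is reported: `app-backend` stays in one region for its invocations, and `analyst` changes region six hours apart, outside the window.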