Previously unseen AWS Bedrock model invoked
Description
AlphaSOC detected invocation of a previously unused AWS Bedrock foundation model. AWS Bedrock provides an API for accessing foundation models for generative AI applications. The use of a new model may indicate unauthorized access or resource abuse.
Impact
Unauthorized AWS Bedrock usage can lead to significant costs through resource consumption. Threat actors may use foundation models to perform reconnaissance or to leverage the account's cloud resources. Model outputs could also reveal sensitive information through prompt injection attacks.
Severity
| Severity | Condition |
|---|---|
| Medium | AWS Bedrock model invoked for the first time in over 30 days |
Investigation and Remediation
Review AWS CloudTrail logs to identify the user, API calls, and model invoked. Check if the actions align with existing usage patterns. Implement service control policies to restrict Bedrock access to authorized accounts and models. Monitor usage patterns and costs. Revoke access if unauthorized activity is confirmed.
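An added example (not AlphaSOC's detection code) of the CloudTrail review described above: it flags Bedrock invocations of a model that had no invocation in the preceding 30 days, using earlier records only as a baseline. The records, ARNs, IP address and model IDs are constructed, and reading `modelId` from `requestParameters` is an assumption about the record layout.

```python
from datetime import datetime, timedelta

# Bedrock runtime calls that invoke a foundation model.
INVOKE_EVENTS = {"InvokeModel", "InvokeModelWithResponseStream", "Converse", "ConverseStream"}
APP = "arn:aws:sts::111122223333:assumed-role/app-role/session"  # constructed
DEV = "arn:aws:iam::111122223333:user/dev-user"                  # constructed

def rec(when, name, arn, model=None):
    """Build a constructed CloudTrail-style record (sample data, not real logs)."""
    return {"eventTime": when, "eventSource": "bedrock.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": "198.51.100.7",
            "requestParameters": {"modelId": model} if model else None}

SAMPLE = [  # model IDs are made up for illustration
    rec("2024-05-01T09:00:00Z", "InvokeModel", APP, "example.embed-model-v1"),
    rec("2024-06-20T10:00:00Z", "InvokeModel", APP, "example.text-model-v1"),
    rec("2024-06-26T02:00:00Z", "ListFoundationModels", DEV),
    rec("2024-06-27T12:00:00Z", "InvokeModel", APP, "example.embed-model-v1"),
    rec("2024-06-28T03:12:00Z", "Converse", DEV, "example.image-model-v1"),
    rec("2024-06-28T08:00:00Z", "InvokeModel", APP, "example.text-model-v1"),
    rec("2024-06-29T03:15:00Z", "Converse", DEV, "example.image-model-v1"),
]

def event_time(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def first_seen_invocations(records, alert_from, lookback=timedelta(days=30)):
    """Flag invocations at or after `alert_from` of a model not invoked in the prior
    `lookback`. Earlier records only build the baseline (avoids cold-start noise)."""
    invokes = sorted((r for r in records
                      if r.get("eventSource") == "bedrock.amazonaws.com"
                      and r.get("eventName") in INVOKE_EVENTS), key=event_time)
    last_seen, findings = {}, []
    for r in invokes:
        model = (r.get("requestParameters") or {}).get("modelId")
        if not model:
            continue
        when, prev = event_time(r), last_seen.get(model)
        if when >= alert_from and (prev is None or when - prev > lookback):
            findings.append({"time": r["eventTime"], "model": model,
                             "principal": (r.get("userIdentity") or {}).get("arn"),
                             "source_ip": r.get("sourceIPAddress"),
                             "previously_seen": prev.isoformat() if prev else None})
        last_seen[model] = when
    return findings

if __name__ == "__main__":
    for finding in first_seen_invocations(SAMPLE, datetime(2024, 6, 25)):
        print(finding)
```

Each finding carries the principal and source IP, which is the starting point for checking whether the invocation matches existing usage patterns.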
Known False Positives
- New AI/ML projects starting development