Suspicious AWS Bedrock API usage via programmatic access
Description
AlphaSOC detected programmatic access to AWS Bedrock APIs including
GetFoundationModelAvailability, PutUseCaseForModelAccess,
GetUseCaseForModelAccess, CreateFoundationModelAgreement,
PutFoundationModelEntitlement, DeleteFoundationModelAgreement, and
ListFoundationModelAgreementOffers. Threat actors may exploit these APIs to
enumerate available foundation models, accept or modify model access agreements,
and grant or expand entitlements for Bedrock models without user awareness. This
can enable unauthorized use of high-cost or restricted foundation models,
leading to unexpected billing impact, policy violations, or abuse of generative
AI capabilities for malicious activities such as automated phishing, malware
development assistance, or large-scale content generation.
Impact
Exploitation of AWS Bedrock management APIs allows threat actors to manipulate foundation model access agreements and entitlements, enabling unauthorized or expanded access to Bedrock foundation models beyond intended governance controls. By creating, modifying, or deleting model agreements and entitlements, attackers can gain access to foundation models that the organization did not intend to make available. This abuse can result in significant and rapid cost escalation due to unauthorized inference requests, large-scale content generation, or automated workloads consuming Bedrock resources at scale. In environments where Bedrock access is integrated into applications, CI/CD pipelines, or shared automation roles, such misuse may persist undetected and continue to incur charges even after the initial credential compromise is addressed.
Beyond financial impact, unauthorized Bedrock access introduces security and compliance risks, including violation of internal AI governance policies, misuse of generative AI capabilities for malicious activities (e.g., phishing content generation, social engineering, malware development assistance), and potential reputational damage. In regulated environments, improper activation of certain foundation models may also trigger regulatory or contractual non-compliance related to data handling or model usage restrictions.
Severity
| Severity | Condition |
|---|---|
| Medium | Suspicious AWS Bedrock API usage via programmatic access |
Investigation and Remediation
Review CloudTrail logs to identify the IAM principal, source IP, user agent, and
timing of suspicious Bedrock API calls. Examine specific actions like
GetFoundationModelAvailability and PutUseCaseForModelAccess to understand
targeted resources. Verify whether the principal has legitimate business needs
for Bedrock access and if activity aligns with known workflows. If unauthorized,
revoke compromised credentials using aws iam update-access-key or delete the
access key. Review IAM policies for least-privilege access and investigate any
model access agreements or entitlements created during suspicious activity.
Rotate credentials for affected principals. Implement CloudTrail monitoring with
alerts for anomalous Bedrock API patterns. Consider using service control
policies to restrict Bedrock access to authorized accounts.
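
The CloudTrail review described above can be scripted as a first triage pass. The following is an added example, not AlphaSOC's detection logic or code from this page: it groups the listed Bedrock calls by IAM principal and separates calls that change agreements or entitlements from read-only ones. It assumes console activity is marked with `sessionCredentialFromConsole` set to `"true"`; the `summarize` and `make` helpers and all sample records are constructed for illustration.

```python
from collections import defaultdict

# API names listed in the description above.
WATCHED = {
    "GetFoundationModelAvailability", "PutUseCaseForModelAccess",
    "GetUseCaseForModelAccess", "CreateFoundationModelAgreement",
    "PutFoundationModelEntitlement", "DeleteFoundationModelAgreement",
    "ListFoundationModelAgreementOffers",
}
MUTATING = ("Put", "Create", "Delete")  # calls that change agreements/entitlements

def summarize(records):
    """Group watched, non-console Bedrock calls by IAM principal ARN."""
    summary = defaultdict(lambda: {"ips": set(), "agents": set(), "reads": [],
                                   "changes": [], "first": None, "last": None})
    for rec in records:
        if (rec.get("eventSource") != "bedrock.amazonaws.com"
                or rec.get("eventName") not in WATCHED):
            continue
        # Assumption: console activity is marked sessionCredentialFromConsole="true".
        if rec.get("sessionCredentialFromConsole") == "true":
            continue
        s = summary[rec.get("userIdentity", {}).get("arn", "unknown")]
        s["ips"].add(rec.get("sourceIPAddress"))
        s["agents"].add(rec.get("userAgent"))
        kind = "changes" if rec["eventName"].startswith(MUTATING) else "reads"
        s[kind].append(rec["eventName"])
        t = rec["eventTime"]  # ISO 8601 UTC strings sort chronologically
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
    return dict(summary)

def make(name, time, user, ip, source="bedrock.amazonaws.com", console=False):
    # Builds a constructed CloudTrail-shaped record (not real log data).
    rec = {"eventSource": source, "eventName": name, "eventTime": time,
           "sourceIPAddress": ip, "userAgent": "Boto3/1.34.0",
           "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}}
    if console:
        rec["sessionCredentialFromConsole"] = "true"
    return rec

SAMPLE = [  # constructed records; IPs are from documentation ranges
    make("GetFoundationModelAvailability", "2024-01-01T10:00:01Z", "ci-deployer", "198.51.100.7"),
    make("PutUseCaseForModelAccess", "2024-01-01T10:00:05Z", "ci-deployer", "198.51.100.7"),
    make("CreateFoundationModelAgreement", "2024-01-01T10:00:09Z", "ci-deployer", "203.0.113.20"),
    make("PutFoundationModelEntitlement", "2024-01-01T11:00:00Z", "admin", "198.51.100.9", console=True),
    make("ListBuckets", "2024-01-01T10:00:03Z", "ci-deployer", "198.51.100.7", source="s3.amazonaws.com"),
]
```

Calling `summarize(SAMPLE)` returns one entry per principal; a principal whose `changes` list is non-empty is the one whose agreements and entitlements need review, and more than one source IP in `ips` within a short `first` to `last` window is worth checking against known workflows.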
Known False Positives
- Administrators setting up or configuring Bedrock access for teams or applications
- Automated model onboarding workflows managing entitlements across multiple AWS accounts
- Testing or evaluation activities where teams assess new foundation models before production use
- Infrastructure-as-code deployments managing Bedrock model access and agreements