AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User

Last updated 14 days ago on 2024-11-07

Created 7 months ago on 2024-05-02

About

Identifies multiple successive failed attempts to use denied model resources within AWS Bedrock. This could indicated attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring exhorbitant costs.

Tags: Domain: LLMData Source: AWS BedrockData Source: AWS S3Use Case: Policy ViolationMitre Atlas: T0015Mitre Atlas: T0034
Severity: high
Risk Score: 73
False Positive Examples: Legitimate misunderstanding by users or overly strict policies
License: Elastic License v2(opens in a new tab or window)

Definition

Integration Pack: Prebuilt Security Detection Rules
Related Integrations: (opens in a new tab or window)
Query

from logs-aws_bedrock.invocation-*
| where gen_ai.response.error_code == "AccessDeniedException"
| keep user.id, gen_ai.request.model.id, cloud.account.id, gen_ai.response.error_code
| stats total_denials = count(*) by user.id, gen_ai.request.model.id, cloud.account.id
| where total_denials > 3
| sort total_denials desc

Install detection rules in Elastic Security

Detect AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).