AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request

Last updated 19 days ago on 2024-11-05

Created 7 months ago on 2024-05-02

About

Identifies multiple violations of AWS Bedrock guardrails within a single request, resulting in a block action, increasing the likelihood of malicious intent. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.

Tags: Domain: LLMData Source: AWS BedrockData Source: AWS S3Use Case: Policy ViolationMitre Atlas: T0051Mitre Atlas: T0054
Severity: low
Risk Score: 21
False Positive Examples: Legitimate misunderstanding by users or overly strict policies
License: Elastic License v2(opens in a new tab or window)

Definition

Integration Pack: Prebuilt Security Detection Rules
Related Integrations: (opens in a new tab or window)
Query

from logs-aws_bedrock.invocation-*
| where gen_ai.policy.action == "BLOCKED"
| eval policy_violations = mv_count(gen_ai.policy.name)
| where policy_violations > 1
| keep gen_ai.policy.action, policy_violations, user.id, gen_ai.request.model.id, cloud.account.id, user.id
| stats total_unique_request_violations = count(*) by policy_violations, user.id, gen_ai.request.model.id, cloud.account.id
| sort total_unique_request_violations desc

Install detection rules in Elastic Security

Detect AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).