AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User

Identifies multiple successive failed attempts to use denied model resources within AWS Bedrock. This could indicate attempts to bypass the limitations of other approved models, or to force an impact on the environment by incurring exorbitant costs.

Rule type: esql

Rule indices: None

Severity: high

Risk score: 73

Runs every: 10m

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: LLM
  • Data Source: AWS Bedrock
  • Data Source: AWS S3
  • Resources: Investigation Guide
  • Use Case: Policy Violation
  • Mitre Atlas: T0015
  • Mitre Atlas: T0034

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Setup

This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:

https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html

Rule query

from logs-aws_bedrock.invocation-*
| where gen_ai.response.error_code == "AccessDeniedException"
| stats total_denials = count(*) by user.id, gen_ai.request.model.id, cloud.account.id
| where total_denials > 3
| sort total_denials desc
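As an added example (not part of Elastic's rule or its repository), the same aggregation as the ES|QL query above expressed in Python over constructed invocation events, so the grouping keys and the `> 3` threshold can be checked offline before tuning. Field names are those from the rule; the users, model ids and account ids are constructed, and the rule's now-60m window is assumed to have been applied by whoever supplies the event list.

```python
from collections import Counter

DENIED = "AccessDeniedException"  # the error code the rule filters on
THRESHOLD = 3                     # rule alerts when total_denials > 3


def mk(user, model, account, error_code=None):
    """Build one constructed invocation event using the rule's field names."""
    ev = {"user.id": user, "gen_ai.request.model.id": model, "cloud.account.id": account}
    if error_code:
        ev["gen_ai.response.error_code"] = error_code
    return ev


# Constructed sample events (not real Bedrock logs); all ids are placeholders.
SAMPLE_EVENTS = (
    [mk("alice", "denied-model-A", "111111111111", DENIED)] * 4          # 4 denials: alerts
    + [mk("alice", "approved-model", "111111111111")]                     # success: ignored
    + [mk("bob", "denied-model-B", "111111111111", DENIED)] * 3           # exactly 3: below threshold
    + [mk("carol", "denied-model-A", "222222222222", DENIED)] * 5         # 5 denials: alerts first
    + [mk("bob", "denied-model-B", "111111111111", "ThrottlingException")]  # other error: ignored
)


def count_denials(events):
    """Mirror of `where ... == "AccessDeniedException" | stats count(*) by user, model, account`."""
    counts = Counter()
    for ev in events:
        if ev.get("gen_ai.response.error_code") != DENIED:
            continue
        key = (ev.get("user.id"), ev.get("gen_ai.request.model.id"), ev.get("cloud.account.id"))
        counts[key] += 1
    return counts


def find_alerts(events, threshold=THRESHOLD):
    """Mirror of `where total_denials > 3 | sort total_denials desc`: list of (key, total)."""
    hits = [(key, n) for key, n in count_denials(events).items() if n > threshold]
    return sorted(hits, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for (user, model, account), total in find_alerts(SAMPLE_EVENTS):
        print(f"{total} denials: user={user} model={model} account={account}")
```

Note that a user with exactly three denials of the same model in the window does not fire, matching the strict `> 3` in the query; lower the threshold in both places if your environment warrants it.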