AWS Bedrock Untrusted Model Imported or Marketplace Endpoint Registered

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.


Detects when an AWS Bedrock custom model is imported or deployed, or when a marketplace model endpoint is created or registered, via the CreateModelImportJob, CreateCustomModelDeployment, CreateMarketplaceModelEndpoint, or RegisterMarketplaceModelEndpoint API calls. These actions introduce a model artifact from outside the organization’s trusted training and approval pipeline. A backdoored, poisoned, or attacker-supplied model that downstream applications subsequently invoke represents a software supply-chain compromise. New model imports and marketplace endpoint registrations should be validated for artifact provenance (S3 source ownership), the registering identity, and whether the model originates from an approved internal pipeline.

Rule type: query

Rule indices:

  • logs-aws.cloudtrail-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Domain: LLM
  • Data Source: AWS
  • Data Source: AWS CloudTrail
  • Data Source: Amazon Web Services
  • Data Source: Amazon Bedrock
  • Use Case: Threat Detection
  • Resources: Investigation Guide
  • Tactic: Persistence

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide


Triage and analysis

Investigating AWS Bedrock Untrusted Model Imported or Marketplace Endpoint Registered

Amazon Bedrock allows organizations to import custom models, deploy them, and register marketplace model endpoints for inference. Each of these paths introduces a model artifact that did not necessarily originate from the organization’s trusted training and approval pipeline. Adversaries who can import a backdoored or poisoned model — or register an untrusted marketplace endpoint — can influence the output of any downstream application that invokes that model, constituting a supply-chain compromise. This detection identifies CreateModelImportJob, CreateCustomModelDeployment, CreateMarketplaceModelEndpoint, and RegisterMarketplaceModelEndpoint calls so responders can verify model provenance before the model is trusted for inference.

Possible investigation steps

  • Identify the actor and context
      • Review aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.type, aws.cloudtrail.user_identity.access_key_id, user_agent.original, and source.ip.
      • Confirm whether a related change request or model onboarding ticket exists.
      • Determine if the identity is an approved ML/MLOps role or automation principal.
  • Validate the model artifact source
      • In aws.cloudtrail.flattened.request_parameters, review the model source location (e.g., the S3 URI for an import job) and confirm the bucket belongs to your organization and is not attacker-controlled.
      • For marketplace endpoints, confirm the model package ARN / product corresponds to an approved vendor.
  • Correlate activity
      • Look for subsequent InvokeModel / InvokeModelWithResponseStream activity targeting the new model or endpoint.
      • Check for prior enumeration such as ListFoundationModels, ListCustomModels, or ListImportedModels.
      • Review other recent actions by the same identity for signs of broader compromise.

False positive analysis

  • Planned model onboarding: ML teams routinely import models and register endpoints. Validate against a ticket and confirm the artifact source.
  • Automation: IaC or MLOps pipelines may create these resources during deployment. Confirm the source IP and ARN match expected automation infrastructure.

Response and remediation

  • If unauthorized
      • Delete or disable the imported model, custom model deployment, or marketplace endpoint.
      • Prevent downstream applications from invoking the untrusted model until provenance is established.
      • Disable the access key in aws.cloudtrail.user_identity.access_key_id and rotate credentials if compromise is suspected.
      • Audit the S3 source bucket for tampering and review the model artifact for backdoors.
  • Hardening
      • Restrict bedrock:CreateModelImportJob, bedrock:CreateCustomModelDeployment, and marketplace endpoint creation/registration permissions to approved roles.
      • Enforce that model artifacts originate only from organization-owned, controlled S3 locations.

Additional information

Rule query

data_stream.dataset: "aws.cloudtrail"
    and event.provider: "bedrock.amazonaws.com"
    and event.action: (
        "CreateModelImportJob" or
        "CreateCustomModelDeployment" or
        "CreateMarketplaceModelEndpoint" or
        "RegisterMarketplaceModelEndpoint"
    )
    and event.outcome: "success"
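The following Python script is an added example (not Elastic's rule code and not an AWS library) that serves both the rule query above and the "Validate the model artifact source" and "Correlate activity" steps of the investigation guide. It applies the same predicate as the KQL to ECS-shaped CloudTrail events, checks each hit's actor and artifact source against allowlists, and counts later InvokeModel calls whose modelId refers to the new resource. The allowlists, the account id, the sample events and the request-parameter layout (modelDataSource.s3DataSource.s3Uri, modelSourceIdentifier, modelArn, modelId) are assumptions of this example modelled on the Bedrock API rather than values from the rule page.

```python
"""Added triage example for Bedrock untrusted-model alerts (not Elastic's or AWS's code).
Mirrors the rule's KQL over ECS-shaped CloudTrail events, checks artifact provenance
and actor against allowlists, and correlates later InvokeModel calls. Allowlists,
account id and the request-parameter layout are assumptions of this example."""
import re

RULE_ACTIONS = {"CreateModelImportJob", "CreateCustomModelDeployment",
                "CreateMarketplaceModelEndpoint", "RegisterMarketplaceModelEndpoint"}
INVOKE_ACTIONS = {"InvokeModel", "InvokeModelWithResponseStream"}
# Assumed organisational allowlists (placeholder values).
APPROVED_BUCKETS = {"org-ml-artifacts-prod"}
APPROVED_PRINCIPAL_RE = re.compile(r"^arn:aws:iam::123456789012:role/(mlops-pipeline|ml-platform-)")
APPROVED_VENDOR_PREFIXES = ("arn:aws:sagemaker:us-east-1:aws:model-package/approved-vendor-",)
RP = "aws.cloudtrail.flattened.request_parameters"

def matches_rule(e):
    """Same predicate as the rule query: dataset, provider, action set, success."""
    return (e.get("data_stream.dataset") == "aws.cloudtrail"
            and e.get("event.provider") == "bedrock.amazonaws.com"
            and e.get("event.action") in RULE_ACTIONS
            and e.get("event.outcome") == "success")

def s3_bucket(uri):
    """Bucket of an s3://bucket/key URI, or None if the value is not one."""
    m = re.match(r"^s3://([^/]+)", uri or "")
    return m.group(1) if m else None

def artifact_source(e):
    """Locate the model artifact in the request. Layout follows the Bedrock API
    (modelDataSource.s3DataSource.s3Uri, modelSourceIdentifier, modelArn) and is
    an assumption of this example, not taken from the rule page."""
    p, action = e.get(RP) or {}, e.get("event.action")
    if action == "CreateModelImportJob":
        return "s3", ((p.get("modelDataSource") or {}).get("s3DataSource") or {}).get("s3Uri")
    if action in ("CreateMarketplaceModelEndpoint", "RegisterMarketplaceModelEndpoint"):
        return "marketplace", p.get("modelSourceIdentifier")
    if action == "CreateCustomModelDeployment":
        return "custom_model", p.get("modelArn")
    return None, None

def triage(e):
    """Provenance checks from the investigation guide; returns a list of findings."""
    findings, actor = [], e.get("aws.cloudtrail.user_identity.arn", "")
    if not APPROVED_PRINCIPAL_RE.match(actor):
        findings.append(f"unapproved principal: {actor}")
    kind, src = artifact_source(e)
    if kind == "s3" and s3_bucket(src) not in APPROVED_BUCKETS:
        findings.append(f"unapproved S3 source: {src}")
    elif kind == "marketplace" and not (src or "").startswith(APPROVED_VENDOR_PREFIXES):
        findings.append(f"marketplace model not from approved vendor: {src}")
    elif kind == "custom_model" and not src:
        findings.append("custom model deployment without modelArn")
    return findings

def review(events):
    """Apply the rule, triage each hit, and count later successful invocations whose
    modelId contains a name/ARN from the hit's request (correlation heuristic)."""
    report = []
    for hit in filter(matches_rule, events):
        p = hit.get(RP) or {}
        names = [p[k] for k in ("importedModelName", "endpointName", "modelDeploymentName", "modelArn") if p.get(k)]
        later = [x for x in events if x.get("event.action") in INVOKE_ACTIONS
                 and x.get("event.outcome") == "success"
                 and x.get("@timestamp", "") > hit.get("@timestamp", "")
                 and any(n in str((x.get(RP) or {}).get("modelId", "")) for n in names)]
        report.append({"action": hit["event.action"], "actor": hit.get("aws.cloudtrail.user_identity.arn"),
                       "findings": triage(hit), "invocations_after": len(later)})
    return report

def ev(ts, action, actor, rp, outcome="success"):
    """Build a constructed ECS-shaped CloudTrail event for the sample below."""
    return {"@timestamp": ts, "data_stream.dataset": "aws.cloudtrail",
            "event.provider": "bedrock.amazonaws.com", "event.action": action,
            "event.outcome": outcome, "aws.cloudtrail.user_identity.arn": actor, RP: rp}

ACCT = "arn:aws:iam::123456789012:"
SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    ev("2024-05-01T10:00:00Z", "CreateModelImportJob", ACCT + "role/mlops-pipeline",
       {"importedModelName": "billing-v3",
        "modelDataSource": {"s3DataSource": {"s3Uri": "s3://org-ml-artifacts-prod/billing-v3/"}}}),
    ev("2024-05-01T10:05:00Z", "CreateModelImportJob", ACCT + "user/contractor-temp",
       {"importedModelName": "helper-model",
        "modelDataSource": {"s3DataSource": {"s3Uri": "s3://public-share-9f2a/helper/"}}}),
    ev("2024-05-01T10:06:00Z", "CreateMarketplaceModelEndpoint", ACCT + "user/contractor-temp",
       {"endpointName": "ep1", "modelSourceIdentifier": "arn:aws:sagemaker:us-east-1:aws:model-package/x"},
       outcome="failure"),  # excluded by the rule's event.outcome: "success" clause
    ev("2024-05-01T10:30:00Z", "InvokeModel", ACCT + "role/app-backend",
       {"modelId": "arn:aws:bedrock:us-east-1:123456789012:imported-model/helper-model"}),
]

if __name__ == "__main__":
    for row in review(SAMPLE_EVENTS):
        print(row)
```

Running the script reports two hits: the pipeline-driven import with no findings, and the contractor import flagged for both an unapproved principal and an external bucket, with one later InvokeModel call against that model. The failed marketplace call is dropped by the outcome check, which is why a failed attempt by the same identity should still be sought separately when reviewing "other recent actions by the same identity".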

Framework: MITRE ATT&CK™