AWS Bedrock High-Frequency Single-Model Inference API Probing

  1[metadata]
  2creation_date = "2026/06/05"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2026/06/05"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies an AWS principal performing a high volume of Amazon Bedrock inference API calls against a single model within
 11a short window. Membership inference attacks require hundreds to thousands of statistically similar queries whose
 12prompts and responses are intentionally content-benign, making guardrail- and content-based rules ineffective. This rule
 13detects the high-frequency single-model probing pattern that precedes membership inference and related exfiltration via
 14the inference API. It is a behavioral / volumetric precursor: it does not observe model confidence scores and a fixed
 15call-count threshold only catches the loud variant, so paced, low-and-slow, or credential-distributed probing will evade
 16it. Definitive membership inference detection requires ML anomaly analysis over per-entity inference-rate and
 17response-distribution baselines.
 18"""
 19false_positives = [
 20    """
 21    Automated agents, chat applications, retrieval-augmented generation services, evaluation pipelines, and load tests
 22    routinely generate high Bedrock inference volume against one model and will exceed any fixed threshold. Validate the
 23    principal, user agent, source IP, and application context before treating the activity as malicious, and tune the
 24    threshold to the deployment.
 25    """,
 26]
 27from = "now-60m"
 28interval = "10m"
 29language = "esql"
 30license = "Elastic License v2"
 31name = "AWS Bedrock High-Frequency Single-Model Inference API Probing"
 32note = """## Triage and analysis
 33
 34### Investigating AWS Bedrock High-Frequency Single-Model Inference API Probing
 35
 36Membership inference compares many samples against a model to infer whether
 37specific records were present in training data. Because prompts and responses often appear benign, the
 38actionable signal is frequently statistical: unusually high inference rates concentrated on one model from
 39a single principal. AWS CloudTrail records the core Bedrock runtime operations (`InvokeModel`,
 40`InvokeModelWithResponseStream`, `Converse`, `ConverseStream`) as management events, which are logged by
 41default, so this probing phase is observable at the API layer even when Bedrock model invocation logging is
 42disabled. CloudTrail does not capture the prompt body, so this rule is purely volumetric.
 43
 44This rule is tuned to the loud case. Treat it as corroborating signal alongside other Bedrock alerts, not
 45as conclusive membership inference detection.
 46
 47#### Possible investigation steps
 48
 49- Identify the principal in `aws.cloudtrail.user_identity.arn` and the targeted model in the extracted
 50  `Esql.model_id`.
 51- Determine whether the call volume exceeds the principal's historical baseline for the same model.
 52- Review companion Bedrock invocation logs, if enabled, for short prompts, repeated inputs, or low-variance
 53  responses that may indicate membership testing.
 54- Inspect `source.ip`, `user_agent.original`, and recent IAM activity for signs of compromised credentials
 55  or unexpected automation.
 56- Correlate with bulk output-extraction or guardrail alerts that may indicate a broader inference abuse
 57  campaign.
 58
 59### Response and remediation
 60
 61- Apply Bedrock service quotas and IAM least privilege for inference APIs while investigating.
 62- Enable model invocation logging for content-level review if not already configured.
 63- If abuse is confirmed, rotate access keys or disable the compromised principal.
 64
 65### Additional information
 66
 67- For further details on how Amazon Bedrock integrates with AWS CloudTrail to log control plane and data plane runtime operations, see the [AWS Bedrock User Guide on CloudTrail Logging](https://docs.aws.amazon.com/bedrock/latest/userguide/logging-using-cloudtrail.html).
 68- To explore the adversarial tactics, techniques, and case studies surrounding machine learning model data leakage, consult the [MITRE ATLAS Exfiltration via Inferences (AML.T0024)](https://atlas.mitre.org/techniques/AML.T0024) documentation.
 69
 70"""
 71references = [
 72    "https://atlas.mitre.org/techniques/AML.T0024",
 73    "https://atlas.mitre.org/techniques/AML.T0024.000",
 74    "https://docs.aws.amazon.com/bedrock/latest/userguide/logging-using-cloudtrail.html",
 75    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
 76]
 77risk_score = 47
 78rule_id = "56312ef5-656c-4bf7-ad9a-affed052b102"
 79setup = """## Setup
 80
 81This rule requires AWS CloudTrail management events for Amazon Bedrock and ingestion via the AWS
 82integration (`aws.cloudtrail` data stream). The core Bedrock runtime operations are logged as management
 83events by default; no Bedrock model invocation logging is required.
 84
 85"""
 86severity = "medium"
 87tags = [
 88    "Domain: Cloud",
 89    "Domain: LLM",
 90    "Data Source: AWS",
 91    "Data Source: Amazon Web Services",
 92    "Data Source: AWS CloudTrail",
 93    "Use Case: Threat Detection",
 94    "Tactic: Exfiltration",
 95    "Mitre Atlas: T0024",
 96    "Mitre Atlas: T0024.000",
 97    "Resources: Investigation Guide",
 98]
 99timestamp_override = "event.ingested"
100type = "esql"
101
102query = '''
103from logs-aws.cloudtrail-*
104 
105// Bedrock runtime inference APIs (CloudTrail management events, logged by default) used to probe at scale
106| where
107  event.provider == "bedrock.amazonaws.com"
108  and event.action in (
109    "InvokeModel",
110    "Converse",
111    "ConverseStream",
112    "InvokeModelWithResponseStream"
113  )
114  and event.outcome == "success"
115  and aws.cloudtrail.user_identity.arn IS NOT NULL
116  and aws.cloudtrail.request_parameters IS NOT NULL
117 
118| grok aws.cloudtrail.request_parameters """modelId=(?<Esql.model_id>[^,}\]]+)"""
119| where Esql.model_id IS NOT NULL
120 
121// preserve the grouping keys plus the ECS context fields collected via VALUES() below
122| keep
123  aws.cloudtrail.user_identity.arn,
124  cloud.account.id,
125  Esql.model_id,
126  event.action,
127  source.ip,
128  user_agent.original,
129  aws.cloudtrail.user_identity.type,
130  aws.cloudtrail.user_identity.access_key_id,
131  cloud.region,
132  source.as.organization.name
133 
134// aggregate per principal + account + model, capturing analyst context with VALUES()
135| stats
136    Esql.inference_call_count = count(*),
137    Esql.event_action_values = VALUES(event.action),
138    Esql.source_ip_values = VALUES(source.ip),
139    Esql.user_agent_original_values = VALUES(user_agent.original),
140    Esql.aws_cloudtrail_user_identity_type_values = VALUES(aws.cloudtrail.user_identity.type),
141    Esql.aws_cloudtrail_user_identity_access_key_id_values = VALUES(aws.cloudtrail.user_identity.access_key_id),
142    Esql.cloud_region_values = VALUES(cloud.region),
143    Esql.source_as_organization_name_values = VALUES(source.as.organization.name)
144  by
145    aws.cloudtrail.user_identity.arn,
146    cloud.account.id,
147    Esql.model_id
148 
149| where Esql.inference_call_count >= 500
150 
151| keep
152  aws.cloudtrail.user_identity.arn,
153  cloud.account.id,
154  Esql.model_id,
155  Esql.inference_call_count,
156  Esql.event_action_values,
157  Esql.source_ip_values,
158  Esql.user_agent_original_values,
159  Esql.aws_cloudtrail_user_identity_type_values,
160  Esql.aws_cloudtrail_user_identity_access_key_id_values,
161  Esql.cloud_region_values,
162  Esql.source_as_organization_name_values
163 
164| sort Esql.inference_call_count desc
165'''
166
167[rule.alert_suppression]
168group_by = ["aws.cloudtrail.user_identity.arn","cloud.account.id"]
169missing_fields_strategy = "suppress"
170[rule.alert_suppression.duration]
171unit = "m"
172value = 60
173  
174[rule.investigation_fields]
175field_names = ["aws.cloudtrail.user_identity.arn", "cloud.account.id", "Esql.model_id", "Esql.inference_call_count"]