AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session

Identifies multiple AWS Bedrock executions in a one minute time window without guardrails by the same user in the same account over a session. Multiple consecutive executions implies that a user may be intentionally attempting to bypass security controls, by not routing the requests with the desired guardrail configuration in order to access sensitive information, or possibly exploit a vulnerability in the system.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2024/11/25"
  3maturity = "production"
  4updated_date = "2025/07/16"
  5
  6[rule]
  7author = ["Elastic"]
  8description = """
  9Identifies multiple AWS Bedrock executions in a one minute time window without guardrails by the same user in the same
 10account over a session. Multiple consecutive executions implies that a user may be intentionally attempting to bypass
 11security controls, by not routing the requests with the desired guardrail configuration in order to access sensitive
 12information, or possibly exploit a vulnerability in the system.
 13"""
 14false_positives = [
 15    "Users testing new model deployments or updated compliance policies without Amazon Bedrock guardrails.",
 16]
 17from = "now-60m"
 18interval = "10m"
 19language = "esql"
 20license = "Elastic License v2"
 21name = "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session"
 22note = """## Triage and analysis
 23
 24### Investigating AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session
 25
 26Using Amazon Bedrock Guardrails during model invocation is critical for ensuring the safe, reliable, and ethical use of AI models.
 27Guardrails help manage risks associated with AI usage and ensure the output aligns with desired policies and standards.
 28
 29#### Possible investigation steps
 30
 31- Identify the user account that caused multiple model violations over a session without desired guardrail configuration and whether it should perform this kind of action.
 32- Investigate the user activity that might indicate a potential brute force attack.
 33- Investigate other alerts associated with the user account during the past 48 hours.
 34- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?
 35- Examine the account's prompts and responses in the last 24 hours.
 36- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.
 37
 38### False positive analysis
 39
 40- Verify the user account that caused multiple policy violations by a single user over session, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.
 41
 42### Response and remediation
 43
 44- Initiate the incident response process based on the outcome of the triage.
 45- Disable or limit the account during the investigation and response.
 46- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
 47    - Identify the account role in the cloud environment.
 48    - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
 49    - Identify any regulatory or legal ramifications related to this activity.
 50- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
 51- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
 52- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 53"""
 54references = [
 55    "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html",
 56    "https://atlas.mitre.org/techniques/AML.T0051",
 57    "https://atlas.mitre.org/techniques/AML.T0054",
 58    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
 59]
 60risk_score = 47
 61rule_id = "f2c653b7-7daf-4774-86f2-34cdbd1fc528"
 62setup = """## Setup
 63
 64This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:
 65
 66https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
 67"""
 68severity = "medium"
 69tags = [
 70    "Domain: LLM",
 71    "Data Source: AWS Bedrock",
 72    "Data Source: AWS S3",
 73    "Resources: Investigation Guide",
 74    "Use Case: Policy Violation",
 75    "Mitre Atlas: T0051",
 76    "Mitre Atlas: T0054",
 77]
 78timestamp_override = "event.ingested"
 79type = "esql"
 80
 81query = '''
 82from logs-aws_bedrock.invocation-*
 83
 84// Create 1-minute time buckets
 85| eval Esql.time_window_date_trunc = date_trunc(1 minute, @timestamp)
 86
 87// Filter for invocations without guardrails
 88| where gen_ai.guardrail_id is null and user.id is not null
 89
 90// keep only relevant fields
 91| keep
 92  @timestamp,
 93  Esql.time_window_date_trunc,
 94  gen_ai.guardrail_id,
 95  user.id
 96
 97// count number of unsafe invocations per user
 98| stats
 99    Esql.ml_invocations_no_guardrails_count = count()
100  by user.id
101
102// Filter for suspicious volume
103| where Esql.ml_invocations_no_guardrails_count > 5
104
105// sort descending
106| sort Esql.ml_invocations_no_guardrails_count desc
107'''

Triage and analysis

Investigating AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session

Using Amazon Bedrock Guardrails during model invocation is critical for ensuring the safe, reliable, and ethical use of AI models. Guardrails help manage risks associated with AI usage and ensure the output aligns with desired policies and standards.

Possible investigation steps

  • Identify the user account that caused multiple model violations over a session without desired guardrail configuration and whether it should perform this kind of action.
  • Investigate the user activity that might indicate a potential brute force attack.
  • Investigate other alerts associated with the user account during the past 48 hours.
  • Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?
  • Examine the account's prompts and responses in the last 24 hours.
  • If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.

False positive analysis

  • Verify the user account that caused multiple policy violations by a single user over session, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.

Response and remediation

  • Initiate the incident response process based on the outcome of the triage.
  • Disable or limit the account during the investigation and response.
  • Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
    • Identify the account role in the cloud environment.
    • Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
    • Identify any regulatory or legal ramifications related to this activity.
  • Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
  • Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
  • Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).

References

Related rules

to-top