AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User
Identifies multiple successive failed attempts to use denied model resources within AWS Bedrock. This could indicated attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring exhorbitant costs.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/05/02"
3integration = ["aws_bedrock"]
4maturity = "production"
5updated_date = "2025/09/25"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies multiple successive failed attempts to use denied model resources within AWS Bedrock. This could indicated
11attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring
12exhorbitant costs.
13"""
14false_positives = ["Legitimate misunderstanding by users or overly strict policies"]
15from = "now-60m"
16interval = "10m"
17language = "esql"
18license = "Elastic License v2"
19name = "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User"
20note = """## Triage and analysis
21
22### Investigating AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User
23
24Amazon Bedrock is AWS’s managed service that enables developers to build and scale generative AI applications using large foundation models (FMs) from top providers.
25
26Bedrock offers a variety of pretrained models from Amazon (such as the Titan series), as well as models from providers like Anthropic, Meta, Cohere, and AI21 Labs.
27
28#### Possible investigation steps
29
30- Identify the user account that attempted to use denied models.
31- Investigate other alerts associated with the user account during the past 48 hours.
32- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?
33- Examine the account's attempts to access Amazon Bedrock models in the last 24 hours.
34- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.
35
36### False positive analysis
37
38- Verify the user account that attempted to use denied models, is a legitimate misunderstanding by users or overly strict policies.
39
40### Response and remediation
41
42- Initiate the incident response process based on the outcome of the triage.
43- Disable or limit the account during the investigation and response.
44- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
45 - Identify the account role in the cloud environment.
46 - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
47 - Identify any regulatory or legal ramifications related to this activity.
48- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
49- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
50- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
51"""
52references = [
53 "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html",
54 "https://atlas.mitre.org/techniques/AML.T0015",
55 "https://atlas.mitre.org/techniques/AML.T0034",
56 "https://www.elastic.co/security-labs/elastic-advances-llm-security",
57]
58risk_score = 73
59rule_id = "17261da3-a6d0-463c-aac8-ea1718afcd20"
60setup = """## Setup
61
62This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:
63
64https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
65"""
66severity = "high"
67tags = [
68 "Domain: LLM",
69 "Data Source: AWS Bedrock",
70 "Data Source: AWS S3",
71 "Resources: Investigation Guide",
72 "Use Case: Policy Violation",
73 "Mitre Atlas: T0015",
74 "Mitre Atlas: T0034",
75]
76timestamp_override = "event.ingested"
77type = "esql"
78
79query = '''
80from logs-aws_bedrock.invocation-*
81
82// Filter for access denied errors from GenAI responses
83| where gen_ai.response.error_code == "AccessDeniedException"
84
85// keep ECS and response fields
86| keep
87 user.id,
88 gen_ai.request.model.id,
89 cloud.account.id,
90 gen_ai.response.error_code
91
92// count total denials per user/model/account
93| stats
94 Esql.ml_response_access_denied_count = count(*)
95 by
96 user.id,
97 gen_ai.request.model.id,
98 cloud.account.id
99
100// Filter for users with repeated denials
101| where Esql.ml_response_access_denied_count > 3
102
103// sort by volume of denials
104| sort Esql.ml_response_access_denied_count desc
105'''
106
107
108
109[rule.investigation_fields]
110field_names = ["user.id", "cloud.account.id", "gen_ai.request.model.id", "total_denials"]
Triage and analysis
Investigating AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User
Amazon Bedrock is AWS’s managed service that enables developers to build and scale generative AI applications using large foundation models (FMs) from top providers.
Bedrock offers a variety of pretrained models from Amazon (such as the Titan series), as well as models from providers like Anthropic, Meta, Cohere, and AI21 Labs.
Possible investigation steps
- Identify the user account that attempted to use denied models.
- Investigate other alerts associated with the user account during the past 48 hours.
- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?
- Examine the account's attempts to access Amazon Bedrock models in the last 24 hours.
- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.
False positive analysis
- Verify the user account that attempted to use denied models, is a legitimate misunderstanding by users or overly strict policies.
Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Disable or limit the account during the investigation and response.
- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
- Identify the account role in the cloud environment.
- Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
- Identify any regulatory or legal ramifications related to this activity.
- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
References
-
-
Discover Elastic’s latest advancements in LLM security, focusing on standardized field integrations and enhanced detection capabilities. Learn how adopting these standards can safeguard your systems.
Read More
Related rules
- AWS Bedrock Detected Multiple Validation Exception Errors by a Single User
- AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session
- AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session
- Potential Abuse of Resources by High Token Count and Large Response Sizes
- Azure OpenAI Insecure Output Handling