AWS Bedrock Detected Multiple Validation Exception Errors by a Single User

  1[metadata]
  2creation_date = "2024/09/11"
  3integration = ["aws_bedrock"]
  4maturity = "production"
  5updated_date = "2025/07/16"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies multiple validation exeception errors within AWS Bedrock. Validation errors occur when you run the
 11InvokeModel or InvokeModelWithResponseStream APIs on a foundation model that uses an incorrect inference parameter or
 12corresponding value. These errors also occur when you use an inference parameter for one model with a model that doesn't
 13have the same API parameter. This could indicate attempts to bypass limitations of other approved models, or to force an
 14impact on the environment by incurring exhorbitant costs.
 15"""
 16false_positives = ["Legitimate misunderstanding by users on accessing the bedrock models."]
 17from = "now-60m"
 18interval = "10m"
 19language = "esql"
 20license = "Elastic License v2"
 21name = "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User"
 22note = """## Triage and analysis
 23
 24### Investigating AWS Bedrock Detected Multiple Validation Exception Errors by a Single User
 25
 26Amazon Bedrock is AWS’s managed service that enables developers to build and scale generative AI applications using large foundation models (FMs) from top providers.
 27
 28Bedrock offers a variety of pretrained models from Amazon (such as the Titan series), as well as models from providers like Anthropic, Meta, Cohere, and AI21 Labs.
 29
 30#### Possible investigation steps
 31
 32- Identify the user account that caused validation errors in accessing the Amazon Bedrock models.
 33- Investigate other alerts associated with the user account during the past 48 hours.
 34- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?
 35- Examine the account's attempts to access Amazon Bedrock models in the last 24 hours.
 36- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.
 37
 38### False positive analysis
 39
 40- Verify the user account that that caused validation errors is a legitimate misunderstanding by users on accessing the bedrock models.
 41
 42### Response and remediation
 43
 44- Initiate the incident response process based on the outcome of the triage.
 45- Disable or limit the account during the investigation and response.
 46- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
 47    - Identify the account role in the cloud environment.
 48    - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
 49    - Identify any regulatory or legal ramifications related to this activity.
 50    - Identify if any implication to resource billing.
 51- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
 52- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
 53- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 54"""
 55references = [
 56    "https://atlas.mitre.org/techniques/AML.T0015",
 57    "https://atlas.mitre.org/techniques/AML.T0034",
 58    "https://atlas.mitre.org/techniques/AML.T0046",
 59    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
 60]
 61risk_score = 73
 62rule_id = "725a048a-88c5-4fc7-8677-a44fc0031822"
 63setup = """## Setup
 64
 65This rule requires that AWS Bedrock Integration be configured. For more information, see the AWS Bedrock integration documentation:
 66
 67https://www.elastic.co/docs/current/integrations/aws_bedrock
 68"""
 69severity = "high"
 70tags = [
 71    "Domain: LLM",
 72    "Data Source: AWS",
 73    "Data Source: AWS Bedrock",
 74    "Data Source: AWS S3",
 75    "Use Case: Policy Violation",
 76    "Mitre Atlas: T0015",
 77    "Mitre Atlas: T0034",
 78    "Mitre Atlas: T0046",
 79    "Resources: Investigation Guide",
 80]
 81timestamp_override = "event.ingested"
 82type = "esql"
 83
 84query = '''
 85from logs-aws_bedrock.invocation-*
 86
 87// Truncate timestamp to 1-minute window
 88| eval Esql.time_window_date_trunc = date_trunc(1 minutes, @timestamp)
 89
 90// Filter for validation exceptions in responses
 91| where gen_ai.response.error_code == "ValidationException"
 92
 93// keep relevant ECS and derived fields
 94| keep
 95  user.id,
 96  gen_ai.request.model.id,
 97  cloud.account.id,
 98  gen_ai.response.error_code,
 99  Esql.time_window_date_trunc
100
101// count number of denials by user/account/time window
102| stats
103    Esql.ml_response_validation_error_count = count(*)
104  by
105    Esql.time_window_date_trunc,
106    user.id,
107    cloud.account.id
108
109// Filter for excessive errors
110| where Esql.ml_response_validation_error_count > 3
111'''
112
113
114
115[rule.investigation_fields]
116field_names = ["target_time_window", "user.id", "cloud.account.id", "total_denials"]