Amazon Bedrock discovery attempt by long term access key


Goal

Detect unauthorized attempts to discover Amazon Bedrock models and training jobs using long-term AWS access keys.

Strategy

Monitor CloudTrail for unauthorized attempts to discover Amazon Bedrock models or training jobs through the following API calls:

  • ListModels
  • DescribeModel
  • ListTrainingJobs
  • DescribeTrainingJob

These attempts were explicitly denied due to lack of permissions, indicating potential unauthorized enumeration of machine learning resources. If successful, an attacker can locate data sources for self-hosted models such as an S3 bucket, then exfiltrate potentially sensitive data from these sources.
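The matching logic described above, as an added illustration that is not Datadog's rule definition: it walks constructed CloudTrail records and flags the four discovery calls when they were denied and were signed with a long-term access key. The assumptions are that the Bedrock event source is `bedrock.amazonaws.com`, that an IAM deny surfaces as `errorCode` `AccessDenied`, and that long-term IAM user keys carry the `AKIA` prefix while temporary STS keys carry `ASIA`.

```python
# Bedrock discovery calls this rule watches (names taken from the rule text).
DISCOVERY_CALLS = {"ListModels", "DescribeModel", "ListTrainingJobs", "DescribeTrainingJob"}


def is_long_term_key(access_key_id):
    """Long-term IAM user keys start with 'AKIA'; temporary STS keys start with 'ASIA'.
    The prefix convention is an assumption from AWS documentation, not from this page."""
    return isinstance(access_key_id, str) and access_key_id.startswith("AKIA")


def matches_rule(event):
    """Return True when a single CloudTrail record should fire this detection."""
    if event.get("eventSource") != "bedrock.amazonaws.com":  # assumed event source
        return False
    if event.get("eventName") not in DISCOVERY_CALLS:
        return False
    # Only explicit permission failures count as enumeration attempts.
    if event.get("errorCode") != "AccessDenied":
        return False
    return is_long_term_key(event.get("userIdentity", {}).get("accessKeyId"))


def find_matches(records):
    """Evaluate CloudTrail records; return (eventName, arn, sourceIP) for each hit,
    which are the three fields the triage steps ask the analyst to check."""
    return [
        (ev["eventName"], ev["userIdentity"]["arn"], ev["sourceIPAddress"])
        for ev in records
        if matches_rule(ev)
    ]


# Constructed sample CloudTrail records (not real logs, values are placeholders).
SAMPLE_TRAIL = [
    {"eventSource": "bedrock.amazonaws.com", "eventName": "ListModels",
     "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice",
                      "accessKeyId": "AKIAEXAMPLE00000001"}},
    # Same call, but signed with a temporary STS key: out of scope for this rule.
    {"eventSource": "bedrock.amazonaws.com", "eventName": "ListTrainingJobs",
     "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci/build",
                      "accessKeyId": "ASIAEXAMPLE00000002"}},
    # Successful call (no errorCode): permitted discovery, not a denied attempt.
    {"eventSource": "bedrock.amazonaws.com", "eventName": "DescribeModel",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice",
                      "accessKeyId": "AKIAEXAMPLE00000001"}},
]

if __name__ == "__main__":
    for name, arn, ip in find_matches(SAMPLE_TRAIL):
        print(f"ALERT {name} by {arn} from {ip}")
```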

Triage and response

  1. Determine if the API call ({{@evt.name}}) should have been made by the user ({{@userIdentity.arn}}) from this IP address ({{@network.client.ip}}).
  2. If the action is legitimate, consider including the user in a suppression list. For more information, see Best practices for creating detection rules with Datadog Cloud SIEM.
  3. If the action shouldn’t have happened:
    • Contact the user: {{@userIdentity.arn}} and see if they made the API call.
    • Use the Cloud SIEM - User Investigation dashboard to see if the user {{@userIdentity.arn}} has taken other actions.
    • Use the Cloud SIEM - IP Investigation dashboard to see if there’s more traffic from the IP {{@network.client.ip}}.
  4. If the results of the triage indicate that an attacker has taken the action, initiate your company’s incident response process, as well as an investigation.