Amazon Bedrock console activity using a long-term access key
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect when there is an attempt to access console-only API calls through a long-term access key.
Strategy
Monitor CloudTrail and detect when there is an attempt to make API calls to console-only APIs. This means they shouldn’t be originating from a long-term access key. Attackers target the AWS Bedrock service generally for the purpose of hosting their own LLM service using the victim’s resources.
Triage and response
- Determine if the API call (
{{@evt.name}}
) should have been made by the user ({{@userIdentity.arn}}
) from this IP address ({{@network.client.ip}}
). - If the action is legitimate, consider including the user in a suppression list. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.
- If the action shouldn’t have happened:
- Contact the user:
{{@userIdentity.arn}}
and see if they made the API call. - Use the Cloud SIEM - User Investigation dashboard to see if the user
{{@userIdentity.arn}}
has taken other actions. - Use the Cloud SIEM - IP Investigation dashboard to see if there’s more traffic from the IP
{{@network.client.ip}}
.
- If the results of the triage indicate that an attacker has taken the action, initiate your company’s incident response process, as well as an investigation.