Amazon Bedrock model invocations disabled


Goal

Detects when AWS Bedrock model invocation logging is disabled because the logging configuration was deleted.

Strategy

This rule monitors AWS CloudTrail logs for the DeleteModelInvocationLoggingConfiguration event from the bedrock.amazonaws.com event source. Model invocation logging is configured per region and is what delivers the prompts, model responses, and invocation metadata for Bedrock calls to S3 and/or CloudWatch Logs; deleting the configuration stops that delivery, eliminating visibility into which models are being used, what prompts are sent, and what responses are generated. CloudTrail still records the management API call itself, which is what this rule keys on. Disabling logging is a defense evasion technique that attackers use to hide malicious activity or unauthorized use of AI models after gaining access to an AWS environment.

Triage & Response

  • Verify if {{@userIdentity.arn}} has a legitimate business reason to disable Bedrock model invocation logging in the AWS account and region where the event occurred.
  • Review recent Bedrock API activity from the same identity to identify any suspicious model usage patterns before logging was disabled.
  • Examine CloudTrail logs for other defense evasion activities from the same identity, such as stopping or deleting CloudTrail trails or disabling GuardDuty detectors.
  • Check if there are any recent credential compromise indicators for the identity that performed this action, such as an unusual source IP address or user agent.
  • Re-enable model invocation logging with PutModelInvocationLoggingConfiguration in the affected region and confirm the result with GetModelInvocationLoggingConfiguration to restore audit visibility for AWS Bedrock operations.