Amazon Bedrock model invocations disabled


Goal

Detects when AWS Bedrock model invocation logging is disabled because the logging configuration was deleted.

Strategy

This rule monitors AWS CloudTrail logs for the DeleteModelInvocationLoggingConfiguration event. This action removes audit logging for AWS Bedrock model invocations, eliminating visibility into which models are being used, what prompts are sent, and what responses are generated. Disabling logging is a defense evasion technique that attackers use to hide malicious activity or unauthorized use of AI models after gaining access to an AWS environment.

Triage & Response

  • Verify whether {{@userIdentity.arn}} has a legitimate business reason to disable Bedrock model invocation logging in the AWS account.
  • Review recent Bedrock API activity from the same identity to identify any suspicious model usage patterns before logging was disabled.
  • Examine CloudTrail logs for other defense evasion activities from the same identity, such as deleting CloudTrail trails or disabling GuardDuty.
  • Check if there are any recent credential compromise indicators for the identity that performed this action.
  • Re-enable model invocation logging configuration to restore audit visibility for AWS Bedrock operations.
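The detection condition from the Strategy section and the "other defense evasion activity" correlation from the triage steps, as an added example that is not part of the original rule or Datadog's implementation. It runs over constructed CloudTrail records (placeholder account id, ARNs and IP); the set of related evasion event names is an assumption chosen to match the triage bullet above.

```python
# Constructed sample CloudTrail records (not real events); field names follow
# the CloudTrail record format. Account id, ARNs and IP are placeholders.
SAMPLE_RECORDS = [
    {"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel",
     "eventTime": "2024-05-01T10:10:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"}},
    {"eventSource": "bedrock.amazonaws.com",
     "eventName": "DeleteModelInvocationLoggingConfiguration",
     "eventTime": "2024-05-01T10:15:00Z", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "eventTime": "2024-05-01T10:16:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"}},
    {"eventSource": "guardduty.amazonaws.com", "eventName": "DeleteDetector",
     "eventTime": "2024-05-01T10:17:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/other-role"}},
]

# Assumed list of other defense-evasion calls to correlate with the same identity
# (CloudTrail trail deletion/stop, GuardDuty detector deletion).
RELATED_EVASION = {
    "cloudtrail.amazonaws.com": {"DeleteTrail", "StopLogging"},
    "guardduty.amazonaws.com": {"DeleteDetector"},
}


def detect_bedrock_logging_disabled(records):
    """Return one alert per record that matches the rule's detection condition."""
    alerts = []
    for rec in records:
        if (rec.get("eventSource") == "bedrock.amazonaws.com"
                and rec.get("eventName") == "DeleteModelInvocationLoggingConfiguration"):
            alerts.append({
                "arn": rec.get("userIdentity", {}).get("arn"),
                "time": rec.get("eventTime"),
                "region": rec.get("awsRegion"),
                "source_ip": rec.get("sourceIPAddress"),
                # A non-empty errorCode means the call was denied, so logging stayed on;
                # the attempt is still worth triage, hence it is reported and flagged.
                "succeeded": not rec.get("errorCode"),
            })
    return alerts


def related_evasion_events(records, arn):
    """Triage helper: other evasion events by the same identity, ordered by time."""
    hits = [r for r in records
            if r.get("userIdentity", {}).get("arn") == arn
            and r.get("eventName") in RELATED_EVASION.get(r.get("eventSource"), ())]
    return sorted(hits, key=lambda r: r.get("eventTime", ""))
```

In a real pipeline the records would come from the CloudTrail S3 export or the Datadog log index rather than the inline list.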