AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request

edit

AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request

edit

Identifies multiple violations of AWS Bedrock guardrails within a single request, resulting in a block action, increasing the likelihood of malicious intent. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.

Rule type: esql

Rule indices: None

Severity: low

Risk score: 21

Runs every: 10m

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: LLM
  • Data Source: AWS Bedrock
  • Data Source: AWS S3
  • Resources: Investigation Guide
  • Use Case: Policy Violation
  • Mitre Atlas: T0051
  • Mitre Atlas: T0054

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Setup

edit

Setup

This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:

https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html

Rule query

edit
from logs-aws_bedrock.invocation-*
| where gen_ai.policy.action == "BLOCKED"
| eval policy_violations = mv_count(gen_ai.policy.name)
| where policy_violations > 1
| stats total_unique_request_violations = count(*) by policy_violations, user.id, gen_ai.request.model.id, cloud.account.id
| sort total_unique_request_violations desc