AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session
editAWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session
editIdentifies multiple violations of AWS Bedrock guardrails by the same user in the same account over a session. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.
Rule type: esql
Rule indices: None
Severity: medium
Risk score: 47
Runs every: 10m
Searches indices from: now-60m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: LLM
- Data Source: AWS Bedrock
- Data Source: AWS S3
- Resources: Investigation Guide
- Use Case: Policy Violation
- Mitre Atlas: T0051
- Mitre Atlas: T0054
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Setup
editSetup
This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:
https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
Rule query
editfrom logs-aws_bedrock.invocation-* | where gen_ai.compliance.violation_detected | stats violations = count(*) by user.id, gen_ai.model.id, cloud.account.id | where violations > 1 | sort violations desc