-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(aws): add checks for Bedrock logging configuration and CloudTrail LLM Jacking detection #5314
feat(aws): add checks for Bedrock logging configuration and CloudTrail LLM Jacking detection #5314
Conversation
You can check the documentation for this PR here -> Prowler Documentation |
You can check the documentation for this PR here -> Prowler Documentation |
...loudtrail/cloudtrail_threat_detection_enumeration/cloudtrail_threat_detection_enumeration.py
Outdated
Show resolved
Hide resolved
You can check the documentation for this PR here -> Prowler Documentation |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #5314 +/- ##
=======================================
Coverage 89.38% 89.38%
=======================================
Files 1018 1022 +4
Lines 31278 31373 +95
=======================================
+ Hits 27959 28044 +85
- Misses 3319 3329 +10 ☔ View full report in Codecov by Sentry. |
…ng-on-aws-gen-ai-service
You can check the documentation for this PR here -> Prowler Documentation |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! 👍
Context
This pull request introduces two new security checks aimed at enhancing AWS Bedrock and CloudTrail monitoring to detect and prevent LLMJacking attacks.
These attacks involve the exploitation of stolen credentials to hijack cloud-hosted large language models (LLMs), such as those provided by AWS Bedrock, leading to unauthorized access, excessive financial costs, and potential data exfiltration.
The two proposed checks
bedrock_model_invocation_logging_enabled
andcloudtrail_threat_detection_llm_jacking
are designed to ensure proper logging configurations are in place and monitor for suspicious activities related to potential LLMJacking threats.Description
bedrock_model_invocation_logging_enabled
:This check ensures that AWS Bedrock model invocation logging is properly enabled across all active regions. Logging model usage is essential for visibility into AI operations, capturing inputs and outputs, and detecting unauthorized access or misuse of resources. It ensures that logs are being routed to CloudWatch or S3 for detailed monitoring and analysis.
cloudtrail_threat_detection_llm_jacking
:This check monitors CloudTrail logs for suspicious API calls related to AWS Bedrock, such as
InvokeModel
,PutUseCaseForModelAccess
, andGetFoundationModelAvailability
. These API calls can be used by attackers in LLMJacking attempts to hijack AI model resources. This check helps detect unauthorized access attempts, abnormal usage patterns, and possible resource hijacking incidents.Together, these checks provide a comprehensive approach to securing AI model operations in AWS, ensuring proper logging and detecting threats in real-time.
Checklist
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.