Amazon Bedrock has rapidly become a foundational platform for building enterprise generative AI applications, providing access to foundation models alongside services such as Agents, Knowledge Bases, Guardrails, Flows, Managed Prompts, and AgentCore. While these capabilities accelerate AI adoption, they also significantly expand the cloud attack surface by introducing new administrative components that interact with AWS services including IAM, Amazon S3, AWS Lambda, vector databases, and external APIs.
Recent security research demonstrates that attackers rarely target the foundation models themselves. Instead, they focus on the surrounding AWS infrastructure and management plane by abusing compromised identities, excessive IAM permissions, and AI application configurations. Documented attack techniques include LLMjacking (unauthorized model usage resulting in excessive cloud costs), modification of Agents, Knowledge Bases, Guardrails, Managed Prompts, and Flows, creation of persistent Bedrock API credentials, manipulation of Retrieval-Augmented Generation (RAG) data sources, and abuse of AgentCore runtime capabilities. Adversaries may also attempt to reduce visibility by modifying Model Invocation Logging or accessing and deleting associated logs.
From a defender's perspective, the greatest risk lies in unauthorized changes to AI infrastructure rather than model inference itself. Effective monitoring should prioritize administrative configuration changes, anomalous model usage, IAM activity, logging configuration, and access to Model Invocation Logs. Correlating these telemetry sources provides the best opportunity to identify credential compromise, AI infrastructure tampering, data exfiltration, and LLMjacking before they lead to operational or financial impact.
Detections (10)
Enable detections →Connect your environment for suggestions and queries personalized to your security telemetry.
- Bedrock Guardrail Deleted
- Suspicious AWS Bedrock Agent Create - Update With Offensive Tooling Indicators
- Bedrock Logging Check Followed by Invocation Burst
- Foundation Model Access Newly Granted
- Bedrock Agent Definition or Action Group Modified
- Managed Prompt or Flow Created or Modified
- Persistent Bedrock API Credential or Access Key Created
- AgentCore Runtime Created or Abused
- Model Invocation Logs Accessed or Deleted