| ID | Technique | Tactic |
|---|---|---|
| T1599 | Network Boundary Bridging | Defense Impairment |
Detection: AWS Bedrock Claude Cross Region Possible Inference Abuse
Description
This detection identifies potential cross-region inference abuse in AWS Bedrock Claude models. Cross-region inference abuse may indicate attempts to bypass regional restrictions, exfiltrate data, or perform unauthorized actions across different AWS regions.
Search
1`aws_bedrock_claude`
2
3| rename "identity.arn" AS user_arn
4
5| rename "input.inputTokenCount" AS input_tokens
6
7| rename "output.outputTokenCount" AS output_tokens
8
9| rex field=user_arn "assumed-role/[^/]+/(?<user>[^\"]+)$"
10
11| rex field="input.inputBodyJson.metadata.user_id" "(?<session_user>user_[^_]+.*)"
12
13| eval input_tokens=tonumber(input_tokens)
14
15| eval output_tokens=tonumber(output_tokens)
16
17| eval token_ratio=round(output_tokens / max(input_tokens,1), 2)
18
19| eval model_short=replace(modelId,"^.*/","")
20
21| eval mismatch_detail=region." -> ".inferenceRegion
22
23| where isnotnull(user_arn) AND len(user_arn)>10
24
25| where isnotnull(session_user)
26
27| where region!=inferenceRegion
28
29| where input_tokens>=2000
30
31| table _time, user, user_arn, session_user, model_short, input_tokens, output_tokens, token_ratio, mismatch_detail, operation, host
32
33| sort - input_tokens
34
35| `aws_bedrock_claude_cross_region_possible_inference_abuse_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| AWS Bedrock Claude | 'json_no_timestamp' |
'aws_bedrock' |
Macros Used
| Name | Value |
|---|---|
| aws_bedrock_claude | (sourcetype="json_no_timestamp") |
| aws_bedrock_claude_cross_region_possible_inference_abuse_filter | search * |
aws_bedrock_claude_cross_region_possible_inference_abuse_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | No |
| Creates Intermediate Finding (Risk Event) | Yes |
Implementation
You must install and configure the Splunk Add-on for AWS (https://splunkbase.splunk.com/app/1876). Enable Amazon Bedrock model invocation logging in AWS so that Claude request/response payloads are delivered to S3 and/or CloudWatch Logs (see https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html for setup steps), then ingest those logs into Splunk via the AWS TA. Configure the aws_bedrock_claude macro to point to the index and sourcetype (json_no_timestamp) where these logs land.
Known False Positives
False positives may arise from legitimate use cases where users are accessing AWS Bedrock Claude models across different regions for valid reasons, such as multi-region deployments, testing, or development purposes. It is important to review the context of the detected events to determine if they represent actual abuse or benign usage.
Associated Analytic Story
Intermediate Findings
| Message | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| Cross-region inference abuse detected from $user$ ($session_user$) using model $model_short$ with region mismatch $mismatch_detail$ and $input_tokens$ input tokens on $host$. | user | user | 20 |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | http:bulkawsbedrock |
json_no_timestamp |
| Integration | ✅ Passing | Dataset | http:bulkawsbedrock |
json_no_timestamp |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub |
Version: 1