No potential LLM jacking activity detected in CloudTrail
cloudtrail_threat_detection_llm_jacking
CloudTrail Bedrock activity is analyzed per identity for a high diversity of LLM-related API calls (e.g., InvokeModel, InvokeModelWithResponseStream, GetFoundationModelAvailability). If an identity's share of these actions exceeds a configured threshold over a recent window, it is surfaced as potential LLM-jacking behavior.
Risk
Such patterns suggest stolen credential abuse to drive LLM usage.
- Availability: cost exhaustion and service disruption
- Confidentiality: leakage of prompts/outputs and model settings
- Integrity: misuse of permissions for broader access Attackers may use reverse proxies to resell access and obfuscate sources.
prowler aws --checks cloudtrail_threat_detection_llm_jacking
prowler aws --checks cloudtrail_threat_detection_llm_jacking --fixer
Recommendation
Apply least privilege to Bedrock; restrict Invoke* only to required roles and deny broadly via SCPs where unused. Enforce MFA and short-lived creds; rotate/remove exposed keys. Enable model invocation logging and budgets/quotas. Continuously monitor for Bedrock enumeration plus invoke bursts. Use defense in depth across identities and networks.
Remediation
- In the AWS Console, go to Organizations > Policies > Service control policies
- Click Create policy
- Set Name to <example_resource_name>
- In Policy, paste a deny for Bedrock: { "Version": "2012-10-17", "Statement": [{"Sid":"DenyBedrock","Effect":"Deny","Action":"bedrock:","Resource":""}] }
- Save the policy and click Attach
- Select the target (Root, OU, or the affected account ID <example_resource_id>) and attach the policy
- Wait for propagation; no further Bedrock calls will occur, and the finding will clear after the detection window elapses
Source Code
Resource Type
AwsCloudTrailTrail