AWS guardduty medium security documentation change
Summary
Added new GuardDuty finding type 'DefenseEvasion:IAMUser/BedrockLoggingDisabled' to detect disabling of Amazon Bedrock logging. Updated documentation with remediation recommendations and security implications.
Security assessment
The change introduces documentation for a new security finding related to Bedrock logging being disabled, which is explicitly described as a potential attacker action to hide malicious activity. This directly addresses security monitoring for defense evasion tactics.
Diff
diff --git a/guardduty/latest/ug/guardduty_finding-types-iam.md b/guardduty/latest/ug/guardduty_finding-types-iam.md index 8115d5efc..d22fcc028 100644 --- a//guardduty/latest/ug/guardduty_finding-types-iam.md +++ b//guardduty/latest/ug/guardduty_finding-types-iam.md @@ -5 +5 @@ -CredentialAccess:IAMUser/AnomalousBehaviorDefenseEvasion:IAMUser/AnomalousBehaviorDiscovery:IAMUser/AnomalousBehaviorExfiltration:IAMUser/AnomalousBehaviorImpact:IAMUser/AnomalousBehaviorInitialAccess:IAMUser/AnomalousBehaviorPenTest:IAMUser/KaliLinuxPenTest:IAMUser/ParrotLinuxPenTest:IAMUser/PentooLinuxPersistence:IAMUser/AnomalousBehaviorPolicy:IAMUser/RootCredentialUsagePolicy:IAMUser/ShortTermRootCredentialUsagePrivilegeEscalation:IAMUser/AnomalousBehaviorRecon:IAMUser/MaliciousIPCallerRecon:IAMUser/MaliciousIPCaller.CustomRecon:IAMUser/TorIPCallerStealth:IAMUser/CloudTrailLoggingDisabledStealth:IAMUser/PasswordPolicyChangeUnauthorizedAccess:IAMUser/ConsoleLoginSuccess.BUnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWSUnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWSUnauthorizedAccess:IAMUser/MaliciousIPCallerUnauthorizedAccess:IAMUser/MaliciousIPCaller.CustomUnauthorizedAccess:IAMUser/TorIPCaller +CredentialAccess:IAMUser/AnomalousBehaviorDefenseEvasion:IAMUser/AnomalousBehaviorDefenseEvasion:IAMUser/BedrockLoggingDisabledDiscovery:IAMUser/AnomalousBehaviorExfiltration:IAMUser/AnomalousBehaviorImpact:IAMUser/AnomalousBehaviorInitialAccess:IAMUser/AnomalousBehaviorPenTest:IAMUser/KaliLinuxPenTest:IAMUser/ParrotLinuxPenTest:IAMUser/PentooLinuxPersistence:IAMUser/AnomalousBehaviorPolicy:IAMUser/RootCredentialUsagePolicy:IAMUser/ShortTermRootCredentialUsagePrivilegeEscalation:IAMUser/AnomalousBehaviorRecon:IAMUser/MaliciousIPCallerRecon:IAMUser/MaliciousIPCaller.CustomRecon:IAMUser/TorIPCallerStealth:IAMUser/CloudTrailLoggingDisabledStealth:IAMUser/PasswordPolicyChangeUnauthorizedAccess:IAMUser/ConsoleLoginSuccess.BUnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWSUnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWSUnauthorizedAccess:IAMUser/MaliciousIPCallerUnauthorizedAccess:IAMUser/MaliciousIPCaller.CustomUnauthorizedAccess:IAMUser/TorIPCaller @@ -20,0 +21,2 @@ For all IAM-related findings, we recommend that you examine the entity in questi + * DefenseEvasion:IAMUser/BedrockLoggingDisabled + @@ -81 +83 @@ This finding informs you that an anomalous API request was observed in your acco -This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous). +This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous). @@ -100 +102,18 @@ This finding informs you that an anomalous API request was observed in your acco -This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous). +This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous). + +**Remediation recommendations:** + +If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](./compromised-creds.html). + +## DefenseEvasion:IAMUser/BedrockLoggingDisabled + +### Logging for Amazon Bedrock was disabled. + +**Default severity: Medium** + + * **Data source:** CloudTrail management events + + + + +This finding informs you that logging was disabled for Bedrock model invocations in your account. This can be an attacker's attempt to hide malicious activity like data exfiltration or abuse of AI models. Disabling logging removes visibility into the data sent to models and how the models are used. @@ -119 +138 @@ This finding informs you that an anomalous API request was observed in your acco -This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous). +This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous). @@ -138 +157 @@ This finding informs you that an anomalous API request was observed in your acco -This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous). +This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous). @@ -157 +176 @@ This finding informs you that an anomalous API request was observed in your acco -This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous). +This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous). @@ -176 +195 @@ This finding informs you that an anomalous API request was observed in your acco -This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous). +This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous). @@ -246 +265 @@ This finding informs you that an anomalous API request was observed in your acco -This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous). +This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous). @@ -305 +324 @@ This finding informs you that an anomalous API request was observed in your acco -This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous). +This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the [finding details](https://docs.aws.amazon.com//guardduty/latest/ug/guardduty_findings-summary.html#finding-anomalous).