Bedrock model shared with a foreign account

Cortex XSIAM Analytics Alert Reference by Alert name
Product
Cortex XSIAM
Last date published
2026-05-18
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • AWS Audit Log

Detection Modules

AIDR

Detector Tags

Cloud AI Infrastructure Analytics

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Transfer Data to Cloud Account (T1537)

Severity

Low

Description

A bedrock model was shared with a foreign account through AWS resource access manager.

Attacker's Goals

Exfiltrate the proprietary model to a foreign account and establish persistent access to it.

Investigative actions

  • Investigate the foreign cloud accounts that gained access to the models.
  • Assess the sensitivity of the shared models to determine the potential impact of this exposure.
  • Identify the actor and investigate their identity for compromise.