Unusual AWS Bedrock model access request

Cortex XSIAM Analytics Alert Reference by Alert name
Product
Cortex XSIAM
Last date published
2026-01-27
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

5 Days

Required Data

  • Requires:
    • AWS Audit Log

Detection Modules

AIDR

Detector Tags

Cloud AI Infrastructure Analytics

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Valid Accounts: Cloud Accounts (T1078.004)

Severity

Informational

Description

A cloud identity requested access to an AWS Bedrock model.
MITRE ATLAS Technique: AML.T0012 - Valid Accounts.

Attacker's Goals

Gain access to cloud AI/ML resources and services.

Investigative actions

  • Examine which AWS Bedrock models were affected.
  • Investigate any unusual activity originating from the suspected identity.