Bedrock Slip: Sysdig TRT Discovers CloudTrail Logging Missteps
Blog post from Sysdig
The Sysdig Threat Research Team (TRT) discovered an issue with how Amazon Bedrock API calls were logged in CloudTrail: both successful and failed calls were recorded without error codes, potentially leading to false positives and complicating security efforts. Because the logged API responses carried no error information, defenders could face unnecessary alerts while genuine threats were obscured, particularly when trying to distinguish legitimate queries from reconnaissance attempts by attackers. Upon being notified, AWS quickly addressed the issue, but the TRT also noted discrepancies in logging behavior between CLI commands and the Python SDK, which AWS clarified as intended but undocumented. The investigation revealed that client-side validation of API parameters, particularly in the Converse API, can prevent invalid requests from ever being logged in CloudTrail; this does not by itself pose a security threat, since client-side validation occurs before any authentication check is reached. The main consequence of the logging issue was the difficulty of telling successful and unsuccessful API calls apart, which matters for both troubleshooting and security investigations: attackers could exploit the gap by generating client errors to test their access to LLMs without triggering alarms.
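As an added example (not code from the Sysdig post), the following triage routine separates Bedrock calls in CloudTrail by their errorCode field and flags identities whose calls are mostly denied or rejected, the pattern a defender would review as possible probing. The record field names follow CloudTrail's documented format; the identities, records and thresholds are constructed for illustration.

```python
"""Triage Amazon Bedrock calls in CloudTrail by recorded outcome. Added
example, not Sysdig's code; identities and records below are constructed."""
import json
from collections import Counter, defaultdict

BEDROCK_SOURCE = "bedrock.amazonaws.com"
PROBE = "arn:aws:iam::123456789012:user/probe"  # constructed identity
APP = "arn:aws:iam::123456789012:role/app"      # constructed identity

# Constructed records: three failed calls from PROBE, two calls from APP
# that carry no errorCode, and one non-Bedrock event that must be ignored.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventSource": BEDROCK_SOURCE, "eventName": "InvokeModel",
     "errorCode": "AccessDeniedException", "userIdentity": {"arn": PROBE}},
    {"eventSource": BEDROCK_SOURCE, "eventName": "Converse",
     "errorCode": "AccessDeniedException", "userIdentity": {"arn": PROBE}},
    {"eventSource": BEDROCK_SOURCE, "eventName": "InvokeModel",
     "errorCode": "ValidationException", "userIdentity": {"arn": PROBE}},
    {"eventSource": BEDROCK_SOURCE, "eventName": "InvokeModel",
     "userIdentity": {"arn": APP}},
    {"eventSource": BEDROCK_SOURCE, "eventName": "InvokeModel",
     "userIdentity": {"arn": APP}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "errorCode": "AccessDenied", "userIdentity": {"arn": APP}},
]})

def classify(record):
    """Bucket one record by its errorCode field."""
    code = record.get("errorCode")
    if code is None:
        # Post-fix: success. Pre-fix logs lacked errorCode on failures too,
        # so on older data read this bucket as "outcome unknown".
        return "no_error"
    if code == "AccessDeniedException":
        return "denied"
    if code == "ValidationException":
        return "client_error"
    return "other_error"

def triage(cloudtrail_json, min_events=3, fail_ratio=0.5):
    """Count outcomes per identity; flag those with mostly failed calls."""
    per_identity = defaultdict(Counter)
    for rec in json.loads(cloudtrail_json)["Records"]:
        if rec.get("eventSource") != BEDROCK_SOURCE:
            continue
        arn = rec.get("userIdentity", {}).get("arn", "unknown")
        per_identity[arn][classify(rec)] += 1
    flagged = [arn for arn, c in per_identity.items()
               if sum(c.values()) >= min_events
               and (c["denied"] + c["client_error"]) / sum(c.values()) >= fail_ratio]
    return dict(per_identity), sorted(flagged)
```

Note that Converse requests rejected by the SDK's client-side validation never reach CloudTrail at all, so an identity that is absent from this summary is not evidence that it made no attempts.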