
Summary
This rule detects exposure of sensitive data within prompts sent to AWS Bedrock Claude models. It ingests Bedrock model invocation logs (via CloudWatch/S3 ingestion) and extracts the invoking user identity (user_arn), account context (account_id), target model (modelId), and the prompt text (prompt_text). It then applies a comprehensive set of regex checks to identify credentials and secrets embedded in prompts, including cloud/API keys (e.g., AKIA, ghp_*, xoxb-*, sk_live_*, AIza*), private keys (-----BEGIN PRIVATE KEY-----), common credential keywords (password, secret, api_key, access_key, private_key), Bearer tokens, SSNs, and credit card numbers (Visa/Mastercard/Discover/AmEx formats). If any match is found, an intermediate finding is produced highlighting the host, user ARN, account, model, and the prompt text, signaling potential data loss, credential leakage, or insider threat activity through model prompts. The rule captures the risk surface of prompt-based data exfiltration by correlating user, host, and model context, enabling security teams to investigate whether sensitive data was included in a prompt either accidentally or maliciously. The analytic story labels the activity as Suspicious AWS Bedrock Claude Activities, and the rule is designed to minimize false positives by contextually reviewing the prompt content (recognizing legitimate testing or demonstration prompts as a potential cause). It also references Bedrock model invocation logging and Splunk ingestion steps to enable deployment in a Splunk environment, including enabling Bedrock invocation logging and using the aws_bedrock_claude macro for efficient querying. While effective, some false positives can occur in legitimate testing scenarios, which should be reviewed in context of the surrounding activity and business justification.
Categories
- AWS
- Cloud
- Application
- Web
Data Sources
- Cloud Service
ATT&CK Techniques
- T1055
Created: 2026-07-07