heroui logo

AWS Bedrock Claude Possible Prompt Injection

Splunk Security Content

View Source
Summary
This hunting rule surfaces prompts observed in AWS Bedrock Claude interactions that resemble prompt injection or jailbreak attempts. It analyzes Bedrock model invocation logs to identify phrases and patterns that attempt to override safety boundaries, switch personas, or elicit information that the model would ordinarily withhold. The detection normalizes the prompt content from Bedrock messages and creates a prompt_text signature. It flags signals including: (a) override/ignore/disregard/forget instructions or rules, (b) jailbreak or unrestricted mode terms (e.g., jailbre ak, DAN mode, do anything now, no filters), (c) prompts attempting to reveal system prompts or instruction sets, (d) references to new personas or roleplay directives, and (e) weak signals such as “you must” or “act as” that, when combined, suggest steering the model toward unsafe behavior. The rule aggregates signals and triggers when any of the following occur: a direct override/jailbreak signal, two or more competing indicators, or a probe indicating intent to surface hidden prompts. This is a hunting rule rather than a pure anomaly detector because benign prompts routinely include similar phrases in legitimate contexts (system prompts, training examples, or creative writing). When a match occurs, analysts are advised to examine the surrounding conversation, the message role (system vs user vs tool output), and whether the phrase appears mid-conversation rather than in an expected system prompt. The rule guides responders to pivot into the broader dialogue and corroborate with additional signals such as follow-on attempts, or data exfiltration and privilege escalation requests. Implementation assumes logging of Bedrock model invocations to a centralized store (via AWS Bedrock logging to S3/CloudWatch), ingestion into Splunk with the aws_bedrock_claude_possible_prompt_injection_filter macro, and correlation with conversation context. The approach balances risk detection with a high benign-base rate by requiring multiple corroborating indicators before treating a hit as suspicious. The included testing data uses a true-positive dataset to validate detections against real-world prompt injection attempts, aiding tuning and reducing false positives over time.
Categories
  • Cloud
  • Web
  • Application
Data Sources
  • Application Log
  • Cloud Service
  • Cloud Storage
  • Application Log
  • Cloud Service
  • Cloud Storage
ATT&CK Techniques
  • T1055
Created: 2026-07-07