Bedrock or Bedsand: Attacking Amazon Bedrock’s Achilles Heel
Original URL: https://www.mitigant.io/en/blog/bedrock-or-bedsand-attacking-amazon-bedrocks-achilles-heel
Introduction
Amazon Bedrock simplifies the development of Generative AI (GenAI) applications by providing access to various Foundation Models (FMs) and tools like Retrieval Augmented Generation (RAG). However, its reliance on AWS S3 as a primary data source introduces security vulnerabilities. This article explores these attack vectors, focusing on data poisoning, denial of service, and S3 ransomware, and provides insights into detection and mitigation strategies.
Amazon Bedrock and Retrieval Augmented Generation (RAG)
- Amazon Bedrock allows developers to easily access and utilize Foundation Models (FMs) from leading AI companies.
- It abstracts the complexities of GenAI, enabling developers to build applications with minimal AI expertise.
- Retrieval Augmented Generation (RAG) is a key technique used by Bedrock to enhance the accuracy and relevance of LLM responses by retrieving information from external data sources.
- RAG improves the performance of LLMs in specific domains, such as internal knowledge bases and specialized chatbots.
- Bedrock's RAG implementation involves query processing, data retrieval from sources like S3, and response generation using retrieved data.
Bedrock’s Architecture and S3 Dependence
- Amazon Bedrock's architecture uses S3 for storing and retrieving documents used by LLMs.
- Bedrock Agents interact with the Knowledge Base to retrieve necessary information from S3.
- The Knowledge Base manages and organizes data, using S3 as a primary data source for storing documents in various formats.
- Vector databases like Amazon OpenSearch and Amazon Kendra are integrated to enhance data retrieval and processing.
Attack Vectors Exploiting S3 Data Sources
- The use of S3 as a data source introduces both S3-specific and Bedrock-specific risks. The convenience of uploading documents to S3 is countered by the shared responsibility model, where organizations are responsible for S3 security.
- Attackers can exploit S3 vulnerabilities to conduct data poisoning, denial of service, and S3 ransomware attacks.
Poisoning Training Data (MITRE ATLAS AML.T0020)
- Adversaries can access S3 buckets containing RAG documents and inject malicious or nonsensical data, corrupting the LLM and compromising output quality.
- This can lead to Bedrock agents providing inaccurate or harmful responses.
- Impact: Compromised business operations and loss of user trust.
Data from Information Repositories (MITRE ATLAS AML.T0036)
- Unauthorized access to S3 buckets can expose sensitive information such as intellectual property and internal company data.
- This aligns with OWASP Top 10 LLMs - LLM06.
- Impact: Intellectual property theft, competitive disadvantage, and reputational damage.
Denial of ML Service (MITRE ATLAS AML.T0029)
- Adversaries can disrupt GenAI services by launching attacks such as ransomware or resource exhaustion.
- S3 ransomware attacks can deny legitimate access to documents. Attackers can also delete the documents, causing a bucket takeover.
- This results in a denial of service, listed in the OWASP Top 10 for LLMs as LLM04.
- Impact: Service downtime, business disruption, loss of customer trust, financial losses, and legal issues.
Detection and Mitigation Strategies
- Regular Audits and Monitoring: Conduct frequent audits of S3 bucket configurations and access policies. Security tools like CSPMs and ITDRs can be helpful.
- Threat Detection: Continuously collect and analyze CloudTrail events, including ListDataSources, ListAgents, GetDataSource, GetKnowledgeBase, ListFoundationModels, and GetAgent.
- Data Encryption: Encrypt data at rest and in transit. Integrate encryption into the data retrieval and analysis process, and use efficient key management with AWS Secrets Manager.
- Access Controls: Implement the principle of least privilege to prevent unauthorized access to S3 buckets.
- Adversary Emulation & Red Teaming: Validate the security posture of GenAI by leveraging adversary emulation approaches. Mitigant Cloud Attack Emulation can be used to simulate attacks.
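As an added illustration of the threat-detection bullet above (example code written for this page, not Mitigant's or AWS's), the function below triages a batch of CloudTrail records: it counts the Bedrock control-plane calls the page lists per principal and flags writes to knowledge-base buckets by principals outside an allow-list. It assumes those Bedrock calls arrive with eventSource "bedrock.amazonaws.com", and the account ID, role, user and bucket names in the sample events are constructed.

```python
from collections import Counter

# Bedrock control-plane calls the page lists as worth monitoring. Assumption:
# they appear in CloudTrail under eventSource "bedrock.amazonaws.com".
BEDROCK_RECON = {"ListDataSources", "ListAgents", "GetDataSource",
                 "GetKnowledgeBase", "ListFoundationModels", "GetAgent"}
# S3 calls that can poison, delete or re-encrypt knowledge-base documents.
# PutObject/DeleteObject are data events and need S3 data-event logging on.
S3_WRITES = {"PutObject", "DeleteObject", "DeleteObjects",
             "PutBucketEncryption", "PutBucketPolicy"}

def triage(events, kb_buckets, allowed_writers, recon_threshold=3):
    """Return findings for recon bursts against Bedrock and for writes to
    knowledge-base buckets by principals not on the allow-list."""
    findings, recon = [], Counter()
    for ev in events:
        name = ev.get("eventName")
        arn = ev.get("userIdentity", {}).get("arn", "unknown")
        src = ev.get("eventSource")
        if src == "bedrock.amazonaws.com" and name in BEDROCK_RECON:
            recon[arn] += 1  # enumeration of agents / knowledge bases
        elif src == "s3.amazonaws.com" and name in S3_WRITES:
            bucket = ev.get("requestParameters", {}).get("bucketName")
            if bucket in kb_buckets and arn not in allowed_writers:
                findings.append({"type": "kb_bucket_write", "principal": arn,
                                 "event": name, "bucket": bucket})
    for arn, n in recon.items():
        if n >= recon_threshold:
            findings.append({"type": "bedrock_recon", "principal": arn, "count": n})
    return findings

# Constructed sample events (hypothetical account, user, role and bucket names).
SAMPLE_EVENTS = [
    {"eventSource": "bedrock.amazonaws.com", "eventName": n,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"}}
    for n in ("ListAgents", "GetAgent", "ListDataSources", "GetKnowledgeBase")
] + [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"bucketName": "example-rag-docs", "key": "policy.pdf"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ingest-pipeline"},
     "requestParameters": {"bucketName": "example-rag-docs", "key": "faq.md"}},
]
KB_BUCKETS = {"example-rag-docs"}
ALLOWED_WRITERS = {"arn:aws:iam::111122223333:role/ingest-pipeline"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, KB_BUCKETS, ALLOWED_WRITERS):
        print(finding)
```

On the sample batch this reports the contractor's four Bedrock enumeration calls and their PutObject into the knowledge-base bucket, while the ingestion pipeline's write is accepted.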
GenAI Workload Security with Mitigant
- The Mitigant Cloud Security Platform protects GenAI cloud workloads from malicious attacks.
- Mitigant Cloud Attack Emulation provides attacks that can be used for adversary emulation exercises and incident response.
- Mitigant CSPM checks GenAI workloads for misconfigured resources and uses cloud drift management for quick attack detection.
Conclusion
Amazon Bedrock simplifies the deployment of GenAI applications but introduces security risks through its reliance on AWS S3. Understanding and mitigating these risks is crucial for maintaining a strong security posture. Countermeasures such as regular audits, threat detection, data encryption, strict access controls, and adversary emulation are recommended.