Securing Your Amazon Bedrock Environments With Prowler

This research highlights security concerns and best practices around sensitive information handling and guardrail usage in Amazon Bedrock. Amazon Bedrock is a fully managed service that offers a choice of high-performing foundation models (FMs) from leading AI companies through a single API, along with a broad set of capabilities you need to build generative AI applications.

The findings show how sensitive information can be exposed in logs, and provide recommendations to enhance security by ensuring proper encryption, access control, and guardrail configurations.

This article along with the checks has been written thanks to some pretty good conversations with a great Amazonian and better friend of Prowler Jonathan Jenkyn.

Sensitive Information in Bedrock Logs

When Bedrock’s guardrails block a message or mask personal information like Personally Identifiable Information (PII), sensitive data, such as user input and model responses, is still stored in plain text in the logs. This presents a risk if the logs are accessed by unauthorized users.

Plain text logging example

When a user inputs sensitive data, such as a credit card number, the guardrail may block the message. However, both the user input and the model’s response are logged in clear text.

{
    "role": "assistant",
    "content": [
        {
            "guardContent": {
                "text": {
                    "text": "Hi, how can I help you?",
                    "qualifiers": [
                        "guard_content"
                    ]
                }
            }
        }
    ]
},
{
    "role": "user",
    "content": [
        {
            "guardContent": {
                "text": {
                    "text": "my card number is 370458570448425",
                    "qualifiers": [
                        "guard_content"
                    ]
                }
            }
        }
    ]
}

Even when the guardrail detects and anonymizes sensitive information such as a credit card number, the full message content is logged, exposing the original sensitive data:

{
    "output": {
        "message": {
            "role": "assistant",
            "content": [
                {
                    "text": "You mentioned it earlier: {CREDIT_DEBIT_CARD_NUMBER}. However, I want to remind you that it's generally not a good idea to share your card number publicly, as it can be a security risk."
                }
            ]
        }
    },
    "stopReason": "guardrail_intervened",
    "trace": {
        "guardrail": {
            "modelOutput": [
                "You mentioned it earlier: 370458570448425. However, I want to remind you that it's generally not a good idea to share your card number publicly..."
            ],
            "sensitiveInformationPolicy": {
                "piiEntities": [
                    {
                        "type": "CREDIT_DEBIT_CARD_NUMBER",
                        "match": "370458570448425",
                        "action": "ANONYMIZED"
                    }
                ]
            }
        }
    }
}

Remediation

The following guidance and related new Prowler checks for Bedrock security features are designed to combat the risks of this source of sensitive information.

Ensure Log Encryption and Access Control

To mitigate risks associated with sensitive data exposure in logs, it’s essential to encrypt logs and implement access control policies to restrict access to authorized users only.

Encryption:

Ensure that logs are encrypted using AWS Key Management Service (KMS) to protect data at rest. Validate by using the cloudwatch_log_group_kms_encryption_enabled prowler check and using server-side encryption for S3.

Access Control:

CloudWatch Logs: Use the cloudwatch_log_group_not_publicly_accessible check to ensure that CloudWatch log groups are not publicly accessible.

S3 Logs: Ensure that logs stored in S3 are private by using s3_bucket_public_access to warn of any public bucket configuration. Setting the AWS Bucket PublicAccessBlock configuration is recommended for these types of bucket.

Detect Sensitive Information in Logs

Automated tools like Amazon Macie can help detect and prevent sensitive data exposure in logs. Macie automatically scans S3 logs for PII (personally identifiable information) and other sensitive data:

Enable Automated Discovery:
Use check macie_automated_sensitive_data_discovery_enabled to enforce usage of Macie’s sensitive data discovery in S3.

Alert on Discovered PII

Strengthen your data security by proactively monitoring and alerting on sensitive information in your logs:

• Monitor CloudWatch Logs: Use the cloudwatch_log_group_no_secrets_in_logs check to identify and alert your team if secret information, such as credentials or PII, is found in CloudWatch logs.
• Enhance Detection with Amazon Macie: Export your CloudWatch logs to S3 and enable Macie using the macie_is_enabled and macie_automated_sensitive_data_discovery_enabled checks. This ensures automated detection of sensitive data, including personal and financial information, within your logs.

This approach enhances visibility and enables swift action to protect against potential data exposure.

Prevent Cross-Service Impersonation

To avoid cross-service impersonation attacks (also known as confused deputy attacks), you should configure policies attached to Amazon Bedrock service roles to restrict unauthorized service interactions.

Prevent Cross-Service Impersonation: Use the iam_role_cross_service_confused_deputy_prevention check to ensure your roles are not susceptible to cross-service impersonation.

Protect Agent Sessions with Guardrails

Properly configured guardrails are essential for protecting agent sessions in Amazon Bedrock. Guardrails prevent the misuse of the AI model by filtering and blocking harmful or sensitive inputs during agent interactions.

Ensure Guardrails are Enabled: Use the bedrock_agent_guardrail_enabled check to verify that Guardrails are in place for all agent sessions.

As well as the Amazon Bedrock checks in Prowler demonstrated above, there is now a gen-ai category to easily find security checks related to AI, Machine Learning and LLM training services across all supported cloud providers. You can use this like any other prowler category:

prowler aws --categories gen-ai -l #list
prowler aws --categories gen-ai #scan

Conclusion

To enhance the security of Amazon Bedrock and prevent sensitive data exposure consider the following guidance:

• Encrypt logs using KMS and ensure they are not publicly accessible.
• Restrict access to logs, ensuring only authorized users can view them.
• Use tools like Amazon Macie and CloudWatch alerts to detect sensitive data in logs.
• Configure guardrails to protect agent sessions and prevent harmful inputs.
• Prevent cross-service impersonation by applying proper IAM policies.
• Use a cloud security tool like Prowler to prevent changes to these security configurations and ensure compliance.

By following these recommendations, you can reduce security risks and maintain strong data protection practices in your Amazon Bedrock environment.