EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

AWS Bedrock High Number List Foundation Model Failures

The following analytic identifies an high number of AccessDenied attempts to list AWS Bedrock foundation models. It leverages AWS CloudTrail logs to detect when a user or service experiences multiple failures when calling the ListFoundationModels API. This activity is significant as it may indicate an adversary performing reconnaissance of available AI models after compromising credentials with limited permissions. Repeated failures could suggest brute force attempts to enumerate accessible resources or misconfigured access controls. If confirmed malicious, this could represent early-stage reconnaissance before attempting to access or manipulate Bedrock models or knowledge bases.

MITRE ATT&CK

T1580

Detection Query

`cloudtrail` eventSource=bedrock.amazonaws.com eventName=ListFoundationModels errorCode=AccessDenied  | rename user_name as user | stats count min(_time) as firstTime max(_time) as lastTime values(errorCode) as errorCodes values(errorMessage) as errorMessages by src user user_agent vendor_account vendor_product dest signature vendor_region | where count > 9 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_bedrock_high_number_list_foundation_model_failures_filter`

Author

Bhavin Patel, Splunk

Created

2026-03-10

Data Sources

AWS CloudTrail

References

Tags

AWS Bedrock Security
Raw Content
name: AWS Bedrock High Number List Foundation Model Failures
id: e84b3c74-f742-11ee-9f6e-acde48001122
version: 4
date: '2026-03-10'
author: Bhavin Patel, Splunk
status: production
type: TTP
description: The following analytic identifies an high number of AccessDenied attempts to list AWS Bedrock foundation models. It leverages AWS CloudTrail logs to detect when a user or service experiences multiple failures when calling the ListFoundationModels API. This activity is significant as it may indicate an adversary performing reconnaissance of available AI models after compromising credentials with limited permissions. Repeated failures could suggest brute force attempts to enumerate accessible resources or misconfigured access controls. If confirmed malicious, this could represent early-stage reconnaissance before attempting to access or manipulate Bedrock models or knowledge bases.
data_source:
    - AWS CloudTrail
search: >-
    `cloudtrail` eventSource=bedrock.amazonaws.com eventName=ListFoundationModels errorCode=AccessDenied  | rename user_name as user
    | stats count min(_time) as firstTime max(_time) as lastTime values(errorCode) as errorCodes values(errorMessage) as errorMessages by src user user_agent vendor_account vendor_product dest signature vendor_region
    | where count > 9
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `aws_bedrock_high_number_list_foundation_model_failures_filter`
how_to_implement: The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs with Bedrock service events enabled. You must install and configure the AWS App for Splunk (version 6.0.0 or later) and Splunk Add-on for AWS (version 5.1.0 or later) to collect CloudTrail logs from AWS.
known_false_positives: Legitimate users may encounter multiple failures during permission testing, role transitions, or when service permissions are being reconfigured. High volumes of API errors may also occur during automated processes with misconfigured IAM policies or when new Bedrock features are being explored through API testing.
references:
    - https://docs.aws.amazon.com/bedrock/latest/APIReference/API_ListFoundationModels.html
    - https://trustoncloud.com/blog/exposing-the-weakness-how-we-identified-a-flaw-in-bedrocks-foundation-model-access-control/
    - https://attack.mitre.org/techniques/T1595/
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: User $user$ attempted to list AWS Bedrock foundation models $count$ times with failures from $src$
    risk_objects:
        - field: user
          type: user
          score: 50
    threat_objects:
        - field: src
          type: ip_address
tags:
    analytic_story:
        - AWS Bedrock Security
    asset_type: AWS Account
    mitre_attack_id:
        - T1580
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: threat
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/cloudtrail.json
          sourcetype: aws:cloudtrail
          source: aws_cloudtrail