In November 2025, a Sysdig research team watched an attacker compromise an AWS environment, enumerate Amazon Bedrock, disable model invocation logging, and achieve full administrator privileges in under ten minutes. The initial access vector was credentials left in a publicly accessible S3 bucket. According to the Tenable Cloud AI Risk Report 2025, 91% of organizations using Amazon SageMaker have root access enabled on at least one notebook instance, and 14% of Bedrock users have at least one AI training bucket with no public access block configured. The controls that protect your Bedrock endpoints and SageMaker inference deployments are not exotic or complex. Most of them are extensions of IAM, KMS, and VPC patterns you are already applying to other workloads. What is missing in most environments is systematic, deliberate application of those controls to AI services from day one.
Highlights
- LLMjacking is now the dominant motivation for credential theft in AWS environments running AI workloads.
- The default configurations of both Bedrock and SageMaker are not production-ready from a security standpoint.
- IAM least privilege is the highest-impact single control you can implement for AI workload security.
- VPC isolation with AWS PrivateLink removes direct internet exposure from your model endpoints and training infrastructure.
- Bedrock Guardrails provide six configurable policy types that screen both user inputs and model outputs
- KMS customer-managed keys give you explicit control over encryption, key rotation, and access auditing for all AI artifacts.
- CloudTrail and CloudWatch together form the minimum viable observability layer for Bedrock and SageMaker.
Why AI Service Security Demands Immediate Attention
Amazon Bedrock and Amazon SageMaker are the two primary AWS services for production AI and machine learning workloads. Bedrock gives you access to foundation models from Anthropic, Meta, Mistral, Amazon, and others through a managed API. SageMaker gives you the full ML lifecycle: data preparation, model training, evaluation, and inference endpoint deployment. Both services are now enterprise standards, and both have become serious attack targets.
The Sysdig Threat Research Team documented an attacker who compromised an AWS environment and reached full administrator privileges in less than ten minutes. The attacker enumerated Amazon Bedrock, confirmed model invocation logging was disabled, and invoked multiple foundation models including Claude, Llama, and DeepSeek R1. They created Lambda backdoors to mint Bedrock credentials and attempted to spin up GPU instances for unauthorized model training.
This is not a theoretical scenario. The Tenable Cloud AI Risk Report 2025 found that approximately 70% of cloud AI workloads contain at least one unremediated vulnerability, and 91% of Amazon SageMaker users have at least one notebook instance with default root access enabled. The report also found that 14.3% of organizations using Amazon Bedrock training buckets have at least one bucket without S3 Block Public Access configured.
The shared responsibility model applies here the same way it does for every other AWS service. AWS secures the underlying infrastructure. You are responsible for IAM configuration, network exposure, encryption, logging, and runtime monitoring. The sections below walk through each security domain with concrete configurations you can apply immediately.
IAM: Least Privilege for Bedrock and SageMaker Roles
Why Default Roles Are Risky
When you get started with Bedrock or SageMaker through the console, AWS often suggests broad managed policies or creates execution roles with wide permissions. AmazonSageMakerFullAccess is a common starting point. It includes permissions that a production inference endpoint does not need, such as the ability to create new training jobs, modify studio domains, or access arbitrary S3 buckets across your account. Keeping that policy on a production role means a compromised endpoint can be used to pivot to training infrastructure, exfiltrate data, or modify models in place.
Scoping Bedrock IAM Policies
A Bedrock execution role that only needs to invoke specific foundation models should look like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"bedrock:InvokeModel",
"bedrock:InvokeModelWithResponseStream"
],
"Resource": [
"arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-*"
],
"Condition": {
"StringEquals": {
"aws:RequestedRegion": "us-east-1"
}
}
}
]
}Notice the use of a condition to lock the policy to a specific region. This prevents credential abuse from regions you do not operate in, which is a common tactic in LLMjacking attacks where adversaries switch regions to evade detection.
Scoping SageMaker Endpoint Roles
A SageMaker model execution role for a specific inference endpoint should only allow access to the exact S3 path where model artifacts are stored, the specific KMS key used to encrypt them, and ECR access limited to the image it needs. Do not share a single SageMaker execution role across multiple endpoints or across training and inference workloads.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "arn:aws:s3:::my-model-artifacts-bucket/prod-model-v3/*"
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": "arn:aws:kms:us-east-1:123456789012:key/mrk-abc123"
},
{
"Effect": "Allow",
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability"
],
"Resource": "arn:aws:ecr:us-east-1:123456789012:repository/my-inference-image"
}
]
}Use IAM Access Analyzer to identify and remove unused permissions. Regular audits using Access Analyzer are essential to finding permission drift in long-running environments where policies accumulate over time.
Service Control Policies for Organizational Guardrails
If you run Bedrock or SageMaker workloads across multiple AWS accounts in an organization, add Service Control Policies at the OU level to enforce guardrails that individual account administrators cannot override. A useful SCP prevents any principal from disabling Bedrock model invocation logging or SageMaker VPC endpoint requirements:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyBedrockLoggingDisable",
"Effect": "Deny",
"Action": [
"bedrock:DeleteModelInvocationLoggingConfiguration"
],
"Resource": "*"
}
]
}VPC Isolation and Network Controls
The Default Network Posture Problem
SageMaker notebooks default to direct internet access, and one industry report found this configuration present in 97% of SageMaker deployments. Combined with permissive IAM, direct internet access on a notebook instance is an entry point for attackers. Training jobs that run without VPC isolation can be intercepted or used to inject backdoors into the resulting model artifact.
To avoid making your data and model containers accessible over the internet, create a private VPC with no internet gateway. Network connectivity with AWS services should be provided using VPC endpoints and PrivateLink. This eliminates the need for internet gateways or NAT devices, keeps all traffic within the AWS network backbone, and allows you to monitor all network traffic through VPC flow logs.
Deploying SageMaker Endpoints Inside a Private VPC
When you create a SageMaker model and deploy it to an endpoint, pass the VpcConfig parameter to specify the private subnets and security groups your endpoint containers will use:
import boto3
sm = boto3.client("sagemaker", region_name="us-east-1")
sm.create_model(
ModelName="prod-llm-endpoint-v3",
ExecutionRoleArn="arn:aws:iam::123456789012:role/SageMakerEndpointRole",
PrimaryContainer={
"Image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-inference:latest",
"ModelDataUrl": "s3://my-model-artifacts-bucket/prod-model-v3/model.tar.gz",
},
VpcConfig={
"Subnets": [
"subnet-0123456789abcdef0",
"subnet-0123456789abcdef1"
],
"SecurityGroupIds": [
"sg-0123456789abcdef0"
]
},
EnableNetworkIsolation=True
)Setting EnableNetworkIsolation=True prevents the inference container from making any outbound network calls whatsoever. Use this for endpoints that do not need to call external APIs at inference time. For endpoints that need to call other AWS services, remove network isolation and route those calls through interface VPC endpoints instead.
Required VPC Endpoints for SageMaker and Bedrock
When running in a VPC with no internet gateway, you need interface VPC endpoints for the AWS services your workloads call. The minimum set for a SageMaker deployment is:
| Service | Endpoint Service Name |
|---|---|
| SageMaker API | com.amazonaws.region.sagemaker.api |
| SageMaker Runtime | com.amazonaws.region.sagemaker.runtime |
| Amazon S3 | com.amazonaws.region.s3 (Gateway endpoint) |
| Amazon ECR API | com.amazonaws.region.ecr.api |
| Amazon ECR Docker | com.amazonaws.region.ecr.dkr |
| AWS KMS | com.amazonaws.region.kms |
| CloudWatch Logs | com.amazonaws.region.logs |
| AWS STS | com.amazonaws.region.sts |
For Bedrock workloads, add:
| Service | Endpoint Service Name |
|---|---|
| Amazon Bedrock | com.amazonaws.region.bedrock |
| Amazon Bedrock Runtime | com.amazonaws.region.bedrock-runtime |
Amazon SageMaker Unified Studio now supports AWS PrivateLink, providing private connectivity between your VPC and SageMaker Unified Studio without routing customer data over the public internet.
Security Group Configuration
Apply tight security groups to your SageMaker endpoint network interfaces. The inference endpoint does not need to accept inbound connections on arbitrary ports. It communicates with callers through the SageMaker Runtime API via the VPC endpoint, so the security group for the endpoint itself should have minimal or no direct inbound rules. Outbound rules should restrict traffic to only the VPC endpoint interface IPs for the services it calls.
Bedrock Guardrails: Application-Layer Controls
Bedrock Guardrails is the primary mechanism for enforcing content and behavioral policies on your generative AI applications. It sits as a layer between user input and the foundation model, and between the foundation model output and your application, evaluating both directions against your configured policies.
The Six Policy Types
Bedrock Guardrails offers six primary policy types. Content Filters address harmful content categories including hate speech, insults, violence, and misconduct. Prompt Attack Detection identifies jailbreaks and injection attempts. Denied Topics enforce custom subject-matter restrictions you define. Sensitive Information Filters handle PII masking and removal. Word Policies enforce blocklists for specific terms. Contextual Grounding checks whether responses are supported by source material. Since August 2025, Automated Reasoning uses formal mathematical verification to validate responses against defined policy documents with up to 99% accuracy at catching factual errors in constrained domains.
Deploying a Guardrail via the AWS CLI
aws bedrock create-guardrail \
--name "prod-rag-guardrail" \
--description "Guardrail for production RAG endpoint" \
--content-policy-config '{
"filtersConfig": [
{"type": "VIOLENCE", "inputStrength": "HIGH", "outputStrength": "HIGH"},
{"type": "HATE", "inputStrength": "HIGH", "outputStrength": "HIGH"},
{"type": "INSULTS", "inputStrength": "HIGH", "outputStrength": "HIGH"},
{"type": "MISCONDUCT", "inputStrength": "HIGH", "outputStrength": "HIGH"},
{"type": "PROMPT_ATTACK", "inputStrength": "HIGH", "outputStrength": "NONE"}
]
}' \
--sensitive-information-policy-config '{
"piiEntitiesConfig": [
{"type": "EMAIL", "action": "ANONYMIZE"},
{"type": "PHONE", "action": "ANONYMIZE"},
{"type": "SSN", "action": "BLOCK"},
{"type": "CREDIT_DEBIT_CARD_NUMBER", "action": "BLOCK"}
]
}' \
--blocked-inputs-messaging "Your input was flagged by our content policy." \
--blocked-outputs-messaging "This response was blocked by our content policy."Prompt Injection Defense
When building Bedrock Agents, tag dynamically generated or mutated prompts as user input when they incorporate external data such as RAG-retrieved content, third-party API responses, or prior completions. This ensures guardrails evaluate all untrusted content, including indirect inputs derived from external sources, for hidden adversarial instructions. Apply user input tags to both direct queries and system-generated prompts that integrate external data to activate Bedrock's prompt attack filters on all potential injection vectors while preserving trust in static system instructions.
For production agent deployments, set PROMPT_ATTACK filter strength to HIGH for inputs and use the default preprocessing prompt on your agent, which uses a foundation model to classify whether user input is safe before it reaches your agent's orchestration logic.
Associating a Guardrail with a Bedrock API Call
import boto3
bedrock_runtime = boto3.client("bedrock-runtime", region_name="us-east-1")
response = bedrock_runtime.invoke_model(
modelId="anthropic.claude-sonnet-4-6",
guardrailIdentifier="arn:aws:bedrock:us-east-1:123456789012:guardrail/abc123def456",
guardrailVersion="DRAFT",
trace="ENABLED",
body=json.dumps({
"anthropic_version": "bedrock-2023-05-31",
"max_tokens": 1024,
"messages": [
{
"role": "user",
"content": [
{
"type": "text",
"text": user_input,
"guardContent": {
"tag": "PROMPT"
}
}
]
}
]
})
)Note the guardContent tag on the user message content. This is how you signal to Bedrock Guardrails which parts of your input are user-controlled versus trusted system instructions. Content tagged as PROMPT is subject to prompt attack detection.
Encryption: KMS Customer-Managed Keys
What to Encrypt
Every storage layer involved in your Bedrock and SageMaker workloads should be encrypted with KMS customer-managed keys rather than the default AWS-managed keys. The difference matters operationally: with AWS-managed keys, you cannot restrict access through key policy, cannot audit usage at the key level, and cannot revoke access by disabling the key.
The surfaces requiring CMK encryption are:
| Surface | SageMaker | Bedrock |
|---|---|---|
| Training data S3 buckets | Yes | Yes (training buckets) |
| Model artifact S3 buckets | Yes | Yes |
| Notebook EBS volumes | Yes | N/A |
| Endpoint EBS volumes | Yes | N/A |
| Studio EFS volumes | Yes | N/A |
| CloudWatch Logs | Yes | Yes (invocation logs) |
Creating a KMS Key with Appropriate Policy
aws kms create-key \
--description "CMK for SageMaker endpoint prod-llm-v3" \
--key-policy '{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow SageMaker endpoint role",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:role/SageMakerEndpointRole"
},
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": "*"
}
]
}'All data transfer between platform components, API calls, and inter-container communication should be protected using TLS 1.2. All data at rest in S3 buckets, EBS and EFS volumes should be encrypted using customer-managed KMS keys, and automatic key rotation should be enabled.
Enable automatic key rotation on all CMKs used for AI workloads:
aws kms enable-key-rotation \
--key-id mrk-abc123def456Logging, Monitoring, and Threat Detection
Enabling Bedrock Model Invocation Logging
Bedrock model invocation logging is off by default. Without it, you have no record of prompts sent, models invoked, token counts consumed, or latencies observed. This is the gap that the November 2025 attacker confirmed before proceeding. Enable logging to both S3 and CloudWatch Logs:
aws bedrock put-model-invocation-logging-configuration \
--logging-config '{
"cloudWatchConfig": {
"logGroupName": "/aws/bedrock/model-invocations",
"roleArn": "arn:aws:iam::123456789012:role/BedrockCloudWatchRole",
"largeDataDeliveryS3Config": {
"bucketName": "my-bedrock-logs-bucket",
"keyPrefix": "invocation-logs/"
}
},
"s3Config": {
"bucketName": "my-bedrock-logs-bucket",
"keyPrefix": "invocation-logs/"
},
"textDataDeliveryEnabled": true,
"imageDataDeliveryEnabled": true,
"embeddingDataDeliveryEnabled": true
}'Set up a CloudWatch metric filter and alarm on the invocation log group to alert on anomalous patterns such as unusually high token consumption, requests from unexpected IAM principals, or requests outside business hours.
CloudTrail for API Plane Audit
Enable CloudTrail for all Bedrock and SageMaker API calls. Enabling CloudTrail for Amazon Bedrock API calls and deploying Bedrock Guardrails as a content filter in front of your model endpoint are among the first controls DevSecOps teams should apply when extending existing security controls to AI workloads.
Create a CloudTrail trail that logs management and data events for both services:
aws cloudtrail create-trail \
--name bedrock-sagemaker-audit-trail \
--s3-bucket-name my-cloudtrail-bucket \
--include-global-service-events \
--is-multi-region-trail \
--enable-log-file-validation
aws cloudtrail put-event-selectors \
--trail-name bedrock-sagemaker-audit-trail \
--event-selectors '[
{
"ReadWriteType": "All",
"IncludeManagementEvents": true,
"DataResources": [
{
"Type": "AWS::Bedrock::*",
"Values": ["arn:aws:bedrock:*"]
}
]
}
]'GuardDuty for Runtime Threat Detection
Amazon GuardDuty now includes threat detection for Bedrock and SageMaker API activity. It monitors CloudTrail for anomalous patterns including unusual model invocations from new geographic locations, credential use from unexpected IP ranges, and high-volume API calls consistent with unauthorized access. Enable GuardDuty in every region where you operate AI workloads and integrate findings into your Security Hub for centralized triage.
aws guardduty create-detector \
--enable \
--features '[
{"Name": "RUNTIME_MONITORING", "Status": "ENABLED"},
{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
{"Name": "CLOUD_TRAIL", "Status": "ENABLED"}
]'SageMaker-Specific Hardening
Disable Root Access on Notebook Instances
91% of Amazon SageMaker users have at least one notebook with root access enabled by default. A compromised session token on such an instance grants an attacker the ability to modify all files on it, pivot to training infrastructure, and access any IAM role the notebook's execution role can assume.
When creating a new notebook instance, explicitly set root access to disabled:
aws sagemaker create-notebook-instance \
--notebook-instance-name prod-analysis-notebook \
--instance-type ml.t3.medium \
--role-arn arn:aws:iam::123456789012:role/SageMakerNotebookRole \
--root-access Disabled \
--direct-internet-access Disabled \
--subnet-id subnet-0123456789abcdef0 \
--security-group-ids sg-0123456789abcdef0 \
--kms-key-id mrk-abc123def456Note that both root-access Disabled and direct-internet-access Disabled are set explicitly. These are not the defaults. You must set both intentionally.
Pre-Signed URL Expiration
SageMaker notebook access uses pre-signed URLs. If you generate these URLs for users, set short expiration times. The default expiration can be up to 12 hours. For most workflows, a five-minute expiration is more than sufficient and dramatically reduces the window for URL interception or reuse.
aws sagemaker create-presigned-notebook-instance-url \
--notebook-instance-name prod-analysis-notebook \
--session-expiration-duration-in-seconds 300Container Image Scanning
Every custom Docker image you use for SageMaker training or inference should go through Amazon ECR image scanning before deployment. Enable enhanced scanning on your ECR repositories to get continuous vulnerability assessment rather than on-push scanning alone:
aws ecr put-registry-scanning-configuration \
--scan-type ENHANCED \
--rules '[
{
"repositoryFilters": [
{"filter": "my-inference-*", "filterType": "WILDCARD"}
],
"scanFrequency": "CONTINUOUS_SCAN"
}
]'Block deployments from your CI/CD pipeline when ECR scanning finds CRITICAL severity findings. Your pipeline should query scan results before pushing the updated model configuration to SageMaker.
Comparison: Bedrock vs SageMaker Security Responsibilities
Understanding which security controls apply to which service prevents coverage gaps. The two services have meaningfully different shared responsibility boundaries.
| Control | Amazon Bedrock | Amazon SageMaker |
|---|---|---|
| Network isolation | VPC endpoints for API access | Full VPC with private subnets for endpoint containers |
| Root access | Not applicable | Must explicitly disable on notebook instances |
| Container security | AWS managed | Your responsibility for custom inference images |
| Model invocation logging | Requires explicit enablement | CloudWatch metrics on by default; request logging needs configuration |
| Guardrails / content filtering | Native Bedrock Guardrails | AWS WAF or custom logic in inference code |
| Training data encryption | CMK on S3 training buckets | CMK on S3, EBS, EFS |
| IAM scope | Model invoke permissions | Full ML lifecycle permissions including training and deployment |
| Runtime detection | GuardDuty CloudTrail events | GuardDuty + SageMaker Model Monitor |
Putting It Together: A Production Security Checklist
Before you promote any Bedrock or SageMaker workload to production, validate the following:
Identity and Access
All Bedrock and SageMaker execution roles are scoped to specific resources and actions. Wildcard resource ARNs are absent from production roles. IAM Access Analyzer has reviewed all policies for unused permissions. SCPs at the OU level enforce minimum security standards that account-level policies cannot override.
Network
SageMaker endpoints and training jobs run inside private subnets with no direct internet access. Interface VPC endpoints are configured for all required AWS services. Security groups on endpoint ENIs restrict outbound traffic to the VPC endpoint interfaces. No notebook instance has direct internet access enabled.
Encryption
S3 buckets storing training data and model artifacts are encrypted with CMKs. Notebook EBS volumes are encrypted. Automatic key rotation is enabled. Bucket policies enforce aws:SecureTransport to require TLS on all API calls.
Logging and Detection
Bedrock model invocation logging is enabled and writing to both S3 and CloudWatch Logs. CloudTrail is active in all regions with data events enabled for Bedrock APIs. GuardDuty is enabled in all active regions. CloudWatch alarms fire on anomalous invocation patterns.
Application Layer
A Bedrock Guardrail with PROMPT_ATTACK detection at HIGH strength is associated with every production endpoint. PII filters are configured with appropriate actions (anonymize vs block) based on your data classification. Denied topics are defined for your specific use case. Contextual grounding checks are enabled for RAG-based applications.
Conclusion
The security controls for Amazon Bedrock and SageMaker are not fundamentally different from the controls you already apply to the rest of your AWS estate. IAM least privilege, VPC isolation, KMS encryption, CloudTrail audit logging, and GuardDuty threat detection are the same services you use for EC2, RDS, and Lambda. What changes is the attack surface: model invocation logging, prompt injection via user inputs, guardrail removal, training data exposure, and GPU compute abuse are specific to AI workloads and require AI-specific configuration steps on top of your baseline.
Start with the highest-impact actions first. Enable Bedrock model invocation logging today, as it costs almost nothing and provides immediate audit visibility. Disable direct internet access and root access on all SageMaker notebooks by updating their configurations. Scope all execution role policies to specific resource ARNs rather than wildcards. Deploy a Bedrock Guardrail with prompt attack detection for any customer-facing application.
The November 2025 Sysdig-documented breach started with a public S3 bucket and took ten minutes from initial access to full account compromise. Every control in this guide would have either prevented the initial access or dramatically reduced the blast radius. Apply them systematically, validate them through AWS Config rules and Security Hub standards, and you significantly reduce the probability that your AI investment becomes someone else's compute budget.
FAQS
Q1: What are the most common security misconfigurations in Amazon SageMaker environments?
The three highest-risk misconfigurations are root access enabled on notebook instances, direct internet access on those same instances, and overly permissive IAM execution roles that use wildcard resource ARNs. According to the Tenable Cloud AI Risk Report 2025, 91% of SageMaker users have at least one notebook with default root access enabled, meaning a single stolen session token can grant an attacker full control over the notebook environment and everything the execution role can reach. The second most consequential pattern is using a single broadly scoped execution role for both development and production endpoints rather than creating separate roles scoped to specific resources for each workload. Fixing these three issues eliminates the majority of the attack surface that adversaries target in documented LLMjacking and training infrastructure compromise scenarios. Audit your environment using AWS Config managed rules such as sagemaker-notebook-no-direct-internet-access and sagemaker-notebook-instance-root-access-check to identify non-compliant resources automatically.
Q2: Do I need Bedrock Guardrails if I already have WAF in front of my application?
AWS WAF and Bedrock Guardrails operate at different layers and are complementary rather than substitutes. WAF is a web application firewall that inspects HTTP requests at the application layer and can block or allow traffic based on IP reputation, request size, header patterns, rate limits, and SQL injection or XSS signatures. It has no understanding of the semantic content of an LLM prompt or model response. Bedrock Guardrails, by contrast, evaluates the actual text content of user inputs and model outputs against configurable policies for harmful content categories, prompt injection attempts, PII, denied topics, and hallucination. If a user sends a well-formed HTTP request that contains a jailbreak attempt hidden inside natural language, WAF will not detect it. Only Guardrails applies the semantic analysis required to catch it. Use WAF at the API Gateway or Application Load Balancer layer to handle infrastructure-level threats including rate limiting, bot detection, and volumetric attacks, and use Bedrock Guardrails to handle application-layer threats specific to generative AI.
Q3: How do I enforce that all Bedrock and SageMaker resources use VPC endpoints across my organization?
The most reliable approach is to combine AWS Organizations Service Control Policies with AWS Config rules for automated remediation. An SCP can deny the bedrock:InvokeModel action unless the request comes through a VPC endpoint by using the aws:sourceVpce condition key, which forces all callers to route through a specific interface endpoint. For SageMaker, a complementary SCP can deny sagemaker:CreateNotebookInstance when the DirectInternetAccess parameter is set to Enabled. Stack these SCPs at the organization root or at the AI workloads OU level so they cannot be overridden by individual account administrators. Pair the SCPs with AWS Config managed rules to detect existing non-compliant resources and trigger Lambda-based remediation functions that update configurations to the required state. This combination of preventive controls through SCPs and detective controls through Config gives you both forward-looking enforcement and backward-looking visibility. The KodeKloud CKS and Terraform courses are useful preparation for practitioners who want to apply these enforcement patterns through infrastructure as code, since SCPs and Config rules are most reliably deployed and versioned through Terraform.
Q4: What is LLMjacking and how does it specifically target Bedrock environments?
LLMjacking is an attack pattern in which adversaries steal AWS credentials with Bedrock permissions and use them to invoke foundation models at the account owner's expense, typically to provide API access to paying third parties or to support their own AI applications without paying for the underlying compute. The attackers first confirm that model invocation logging is disabled so there is no audit trail, then begin invoking models at high volume. Because Bedrock pricing is consumption-based, a compromised account can accumulate tens of thousands of dollars in charges before the account owner detects the anomaly through billing alerts. The attack is enabled by credentials stored in publicly accessible S3 buckets, hardcoded in application code, committed to public repositories, or exposed through overly permissive IAM roles on EC2 instances that can be queried from the instance metadata service. Prevention requires enabling model invocation logging, setting up CloudWatch alarms on invocation volume, enabling GuardDuty, scoping IAM roles to deny Bedrock access from unexpected source IP ranges or VPCs, and auditing S3 bucket policies for public access. Bedrock's CloudTrail integration logs every InvokeModel API call including the IAM principal, source IP, and model ID, giving you the data you need to detect and respond to unauthorized access.
Q5: How should I handle sensitive training data and model artifacts in S3 for Bedrock and SageMaker?
Treat S3 buckets containing training data, model artifacts, and RAG knowledge base content as crown-jewel assets requiring the most restrictive access controls you apply to any data in your organization. Enable S3 Block Public Access at the account level as the first step, which prevents any bucket-level configuration from accidentally enabling public read access. Encrypt all objects with customer-managed KMS keys rather than AWS-managed keys so that your security team can audit key usage through CloudTrail, restrict access through key policy, and revoke access by disabling the key independently of the S3 bucket policy. Apply bucket policies that restrict access to specific IAM roles and enforce aws:SecureTransport to require TLS. Enable Amazon Macie on training data buckets to continuously scan for sensitive data exposure such as PII, financial records, or credentials that may have been inadvertently included in training datasets. For buckets backing Bedrock Knowledge Bases, also ensure that the IAM roles used by Bedrock to read the bucket are scoped to the specific prefix containing the knowledge base data rather than the entire bucket.
Q6: What is the minimum viable security setup for a team deploying their first Bedrock-powered production application?
A minimum viable security configuration has five components that you should treat as prerequisites for any production deployment rather than future improvements. First, enable Bedrock model invocation logging and write logs to CloudWatch Logs and S3 before your application goes live. Second, create a dedicated IAM role for your application with bedrock:InvokeModel permission scoped to the specific model ARN you are using, and attach it to your application's compute rather than using credentials with broader permissions. Third, deploy Bedrock Guardrails with prompt attack detection at HIGH strength and associate it with every API call your application makes. Fourth, call Bedrock through a VPC interface endpoint rather than over the public internet. Fifth, enable GuardDuty in the region where you operate and set a CloudWatch billing alarm for unexpected Bedrock cost spikes as a simple early warning system for unauthorized access. These five steps do not require extensive AWS expertise and can be completed in a day. The KodeKloud Terraform course provide the foundational skills for implementing and maintaining these controls through infrastructure as code, which is the right long-term approach for any environment that will evolve beyond a single application.
Discussion