review comments

shashank-elastic · shashank-elastic · commit a0e3c103efb4 · 2024-11-05T21:51:56.000+05:30
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_by_single_user.toml b/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_by_single_user.toml
@@ -58,7 +58,7 @@ and they can establish thresholds for harmful content categories, including hate
     - Identify the account role in the cloud environment.
     - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
     - Identify any regulatory or legal ramifications related to this activity.
-- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
+- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml b/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml
@@ -58,7 +58,7 @@ and they can establish thresholds for harmful content categories, including hate
     - Identify the account role in the cloud environment.
     - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
     - Identify any regulatory or legal ramifications related to this activity.
-- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
+- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml
@@ -56,7 +56,7 @@ and they can establish thresholds for harmful content categories, including hate
     - Identify the account role in the cloud environment.
     - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
     - Identify any regulatory or legal ramifications related to this activity.
-- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
+- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_high_resource_consumption_detection.toml b/rules/integrations/aws_bedrock/aws_bedrock_high_resource_consumption_detection.toml
@@ -55,7 +55,7 @@ Bedrock offers a variety of pretrained models from Amazon (such as the Titan ser
     - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
     - Identify any regulatory or legal ramifications related to this activity.
     - Identify potential resource exhaustion and impact on billing.
-- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
+- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml
@@ -54,7 +54,7 @@ Bedrock offers a variety of pretrained models from Amazon (such as the Titan ser
     - Identify the account role in the cloud environment.
     - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
     - Identify any regulatory or legal ramifications related to this activity.
-- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
+- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml
@@ -58,7 +58,7 @@ Bedrock offers a variety of pretrained models from Amazon (such as the Titan ser
     - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
     - Identify any regulatory or legal ramifications related to this activity.
     - Identify if any implication to resource billing.
-- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
+- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
