GuardDuty AI Protection - Amazon GuardDuty
Services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the AWS European Sovereign Cloud Region, see the AWS European Sovereign Cloud User Guide.

GuardDuty AI Protection

GuardDuty AI Protection extends Amazon GuardDuty threat detection to AI workloads built on AWS. When you enable AI Protection, GuardDuty analyzes AWS CloudTrail data events from Amazon Bedrock, Amazon Bedrock AgentCore, and Amazon SageMaker AI, along with AWS CloudTrail management events. GuardDuty uses this data to detect potentially suspicious activity that targets foundation models and the applications that invoke them. When GuardDuty identifies a potential threat, it generates one or more AI Protection finding types.

When you enable AI Protection, GuardDuty can detect the following types of threats:

  • Anomalous invocations of Amazon Bedrock or Amazon SageMaker AI models that deviate from the established baseline for an identity or account, such as invocations from an unusual IP address, an unusual API, or an unusual model.

  • Cost harvesting attacks, in which a threat actor sends computationally expensive inputs to an Amazon Bedrock or Amazon SageMaker AI model to inflate the token consumption and operating costs of the account.

  • Direct prompt injection attempts, in which a threat actor crafts a malicious prompt to make a foundation model ignore its original instructions. This detection requires Amazon Bedrock Guardrails and applies only to Amazon Bedrock workloads.

Note

The finding types that GuardDuty can generate in an AWS Region depend on which AI services are available in that Region:

For the list of Regions where each finding type is supported, see Region-specific feature availability.

Tip

To get the most security value from AI Protection, enforce Amazon Bedrock Guardrails for prompt attacks across all accounts in your AWS organization. Use AWS Organizations Amazon Bedrock policies to manage these guardrail settings centrally. This enables uniform protection across all accounts with centralized control and management. When a prompt attack guardrail is enforced, GuardDuty creates prompt injection findings. For more information, see Impact:IAMUser/PromptInjection.Direct.

To detect threats to your AI workloads, you must enable AI Protection in your GuardDuty account. For information about enabling AI Protection, see Enabling AI Protection in multiple-account environments for multiple-account environments or Enabling AI Protection for a standalone account.

How AI Protection works

When you enable AI Protection for an account or across your organization, GuardDuty automatically begins collecting AWS CloudTrail data events from the AI services in the monitored accounts. You don't need to create a trail, enable data event logging, or make any changes to your AI applications.

To collect the data events, GuardDuty creates an AWS CloudTrail service-linked channel in each monitored account. The service-linked channel streams AWS CloudTrail data events for Amazon Bedrock, Amazon Bedrock AgentCore, and Amazon SageMaker AI, and related AI resources to GuardDuty for analysis. Because GuardDuty creates and manages this channel:

  • GuardDuty configures the channel's data event settings, and the account owner can't modify them. This means threat detection doesn't depend on the account owner configuring or maintaining a trail.

  • Each monitored account can confirm that the channel is active in the CloudTrail console (under Settings, Service-linked channels) or by calling the AWS CloudTrail ListChannels API operation.

GuardDuty uses two detection methods to generate AI Protection findings, depending on the finding type:

  • For the Impact:IAMUser/AnomalousModelInvocation and Impact:IAMUser/CostHarvesting finding types, GuardDuty uses an anomaly detection machine learning (ML) model to analyze the collected events and establish a baseline of normal model invocation activity for each IAM identity and AWS account. GuardDuty generates a finding when it detects activity that deviates significantly from this baseline.

  • For the Impact:IAMUser/PromptInjection.Direct finding type, GuardDuty generates a finding when Amazon Bedrock Guardrails evaluates a prompt and detects a prompt attack, based on the resulting AWS CloudTrail data event.

For more information about AWS CloudTrail data events, see Logging data events in the AWS CloudTrail User Guide.

Pricing for AI Protection

When you enable GuardDuty AI Protection, GuardDuty charges for the volume of AWS CloudTrail data events that it analyzes, measured in GB. GuardDuty creates the service-linked channel at no additional CloudTrail charge to you. The cost of collecting these data events is included in your AI Protection usage cost. You also continue to incur standard usage costs for GuardDuty and any other enabled protection plans. For current pricing and examples, see Amazon GuardDuty pricing.

Additional threat detections for AI workloads

In addition to the AI Protection plan, the Amazon GuardDuty Foundational and Lambda Protection plans offer detections to help you secure and detect threats to AI workloads built on AWS.

The GuardDuty Foundational plan monitors AWS CloudTrail management events to detect suspicious and malicious activity in AI workloads created by using AWS services, including Amazon Bedrock and Amazon SageMaker AI. For example, GuardDuty can identify activities such as:

  • Unusual removal of Amazon Bedrock security guardrails

  • A change to a model training data source that can potentially lead to a data poisoning attack

  • Disabled logging for Amazon Bedrock model invocations that might indicate attempts to evade detection

  • Unusual notebook instance or training job creation in Amazon SageMaker AI

  • Exfiltrated Amazon Elastic Compute Cloud credentials that might have been used to call APIs in Amazon Bedrock, Amazon SageMaker AI, or self-managed AI workloads on Amazon EC2 instances, Amazon EKS clusters, or Amazon ECS tasks.

GuardDuty Lambda Protection can help detect potential threats related to Amazon Bedrock agents. This might include suspicious network activity such as cryptomining, and communication with malicious command and control servers. These threats can be caused by a supply chain attack or complex prompting.