Cross-Tenant Data Exposure in AWS Bedrock via Model Customization Job Parameter Tampering
Overview
A high-severity vulnerability was discovered in AWS Bedrock's model customization service, which allows users to fine-tune foundation models with their own data. The vulnerability stemmed from insufficient input validation and authorization checks on the parameters of a model customization job. An authenticated but low-privilege attacker in one AWS account could craft a malicious API request to start a fine-tuning job. By manipulating internal parameters related to the data-source S3 bucket, the attacker could trick the Bedrock service into accessing and using a dataset from a different AWS account's S3 bucket that was also being used for a customization job. This bypasses the standard IAM and S3 bucket policies that are meant to enforce tenant isolation. The attacker would not gain direct read access to the victim's raw data. Instead, they could infer sensitive information from the fine-tuned model's behavior: by fine-tuning a base model with the victim's proprietary data and then querying the resulting model, the attacker could extract confidential business information, PII, or trade secrets that were present in the training data. This attack, dubbed 'Model Leech', exposed a critical flaw in the security architecture of a multi-tenant managed AI service, highlighting the challenge of ensuring strict data isolation in complex cloud-native AI platforms.
Affected Systems
Testing Guide
This vulnerability was on the cloud provider's side and cannot be tested directly by customers. The primary method of verification is to:

1. **Check AWS Health Dashboard:** Review your AWS Personal Health Dashboard for any security notifications related to AWS Bedrock.
2. **Review CloudTrail Logs:** Query CloudTrail logs for `CreateModelCustomizationJob` events around the time of the vulnerability disclosure. Look for any jobs with unusual parameters or jobs initiated by unfamiliar principals, although a successful exploit would be hard to spot without prior knowledge.
Mitigation Steps
1. **Apply AWS Patches:** AWS has patched this vulnerability on their backend, so no direct user action is required for mitigation. However, it is crucial to monitor AWS security bulletins.
2. **Use Customer-Managed Keys:** Encrypt training data in S3 using a Customer-Managed KMS Key (CMK). This provides an additional layer of defense, as the Bedrock service role in the attacker's account would not have permission to decrypt data using the victim's key.
3. **Implement Strict S3 Bucket Policies:** In addition to IAM roles, configure S3 bucket policies to explicitly deny access from any source principals that are not expected, using conditions like `aws:PrincipalArn` to lock down access to specific Bedrock job roles.
4. **Monitor CloudTrail Logs:** Regularly audit AWS CloudTrail logs for any anomalous or unauthorized `Bedrock:CreateModelCustomizationJob` API calls or S3 access patterns.
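The CloudTrail review described in the Testing Guide and in mitigation step 4 can be scripted. The following is an added example, not code from the advisory or from AWS: it walks a batch of CloudTrail records and flags `CreateModelCustomizationJob` calls whose training-data bucket or execution role is outside what the account expects. The sample records are constructed; their account IDs, bucket names and role ARNs are placeholders, and the field layout (`trainingDataConfig.s3Uri`, `roleArn`) is assumed to mirror the API request.

```python
from urllib.parse import urlparse

# Constructed CloudTrail records for illustration (placeholder IDs and names).
SAMPLE_EVENTS = [
    {"eventSource": "bedrock.amazonaws.com", "eventName": "CreateModelCustomizationJob",
     "recipientAccountId": "111111111111",
     "requestParameters": {"jobName": "nightly-finetune",
                           "roleArn": "arn:aws:iam::111111111111:role/BedrockCustomizationRole",
                           "trainingDataConfig": {"s3Uri": "s3://tenant-a-training-data/train.jsonl"}}},
    {"eventSource": "bedrock.amazonaws.com", "eventName": "CreateModelCustomizationJob",
     "recipientAccountId": "111111111111",
     "requestParameters": {"jobName": "odd-job",
                           "roleArn": "arn:aws:iam::111111111111:role/BedrockCustomizationRole",
                           # Points at a bucket this account does not own: the pattern to catch.
                           "trainingDataConfig": {"s3Uri": "s3://tenant-b-training-data/set.jsonl"}}},
    # A read-only call; the audit ignores anything that is not a job creation.
    {"eventSource": "bedrock.amazonaws.com", "eventName": "GetModelCustomizationJob",
     "recipientAccountId": "111111111111", "requestParameters": {"jobIdentifier": "odd-job"}},
]


def audit_customization_jobs(events, account_id, expected_buckets, expected_roles):
    """Return [(jobName, [reason, ...])] for job creations that deviate from the
    account's allowlisted training buckets, job roles, or owning account."""
    findings = []
    for ev in events:
        if (ev.get("eventSource") != "bedrock.amazonaws.com"
                or ev.get("eventName") != "CreateModelCustomizationJob"):
            continue
        params = ev.get("requestParameters") or {}
        reasons = []
        s3_uri = (params.get("trainingDataConfig") or {}).get("s3Uri", "")
        parsed = urlparse(s3_uri)
        if parsed.scheme != "s3" or not parsed.netloc:
            reasons.append(f"malformed training data URI: {s3_uri!r}")
        elif parsed.netloc not in expected_buckets:
            reasons.append(f"training data bucket {parsed.netloc} not in allowlist")
        role = params.get("roleArn", "")
        if role not in expected_roles:
            reasons.append(f"unexpected job role {role!r}")
        # A job recorded under another account means a principal outside this
        # account started it; worth a look even if bucket and role match.
        if ev.get("recipientAccountId") != account_id:
            reasons.append("job recorded under a different account")
        if reasons:
            findings.append((params.get("jobName", "<unnamed>"), reasons))
    return findings
```

Feed it the `Records` array of exported CloudTrail JSON, or the rows returned by a CloudTrail Lake query, after loading them into the same dictionary shape.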
Patch Details
AWS deployed a server-side patch that enforces stricter validation of data source ARNs and ensures the calling principal's account owns the data source.