
Vijay George, Product Manager, Datadog

Nick Frichette, Staff Security Researcher, Datadog

Christina DePinto, Product Marketing Manager, Datadog

Sujatha Kuppuraju, Principal Solutions Architect, AWS

Mac Stevens, Senior Solutions Architect, AWS
As organizations adopt leading generative AI tools like Amazon Bedrock, it’s critical to build security into their use. Cloud-native AI services can accelerate innovation, but they need to be configured with the right access, protection, and detection controls to reduce risks. Misconfigured resources can expose sensitive training data, allow unauthorized model access, or lead to unintended data quality issues. AI security builds on familiar security practices and tooling, so you can secure AI adoption without disrupting innovation.
Datadog Cloud Security now includes a library of out-of-the-box detections that help organizations identify and remediate misconfigurations in Amazon Bedrock environments. These detections prioritize risks based on infrastructure context, such as public accessibility and privileged access, and surface them within a unified security workflow that supports both guided remediation and compliance validation.
In this post, we’ll cover:
- Why Amazon Bedrock was the starting point for our AI misconfiguration detections
- What new misconfiguration detections are now available in Datadog Cloud Security
- How to detect and remediate a real misconfiguration in Bedrock using Datadog
- How these capabilities support regulatory frameworks
Adopt AI securely with AWS and Datadog
Amazon Bedrock offers scalable and flexible access to leading foundation models with a unified API interface, making it an attractive choice for organizations building generative AI capabilities. Amazon Bedrock is also built with security at its core, offering robust features to protect your data and models. Securing the use of Amazon Bedrock is the essential next step for customers, as generative AI misconfigurations are a growing target for threat actors.
Datadog's new AI detections are part of a broader partnership between AWS and Datadog that is focused on helping customers operate their cloud infrastructure securely and efficiently while implementing best practices, such as the AWS Well-Architected Framework. With more than 850 out-of-the-box integrations (including more than 100 for AWS) and a partner-built Marketplace, Datadog's long-standing partnership with AWS and deep integration capabilities have enabled Datadog to quickly develop comprehensive security monitoring for AWS. Using the broader security portfolio covering Code Security, Cloud Security, and Threat Management, organizations running on AWS can use Datadog to secure their full stack.
Misconfiguration detections purpose-built for Bedrock
Datadog's new detections for Amazon Bedrock resources identify configuration risks that could expose data or models to unauthorized access. Each detection is assigned a severity score using Datadog’s infrastructure-aware severity scoring system, helping teams prioritize and respond to critical issues faster.
The new detections help identify and prevent:
- Unauthorized model access paths
- Data leak vulnerabilities
- Insecure API configurations
- Resource permission misconfigurations
- Improper knowledge base access controls
These risks are evaluated in context, such as whether a misconfigured S3 bucket is used in a fine-tuning pipeline. This allows teams to focus their attention on what matters most.
Detect and remediate AI threats with Datadog Cloud Security
To detect Amazon Bedrock misconfigurations in your environment, you first need to configure the AWS integration in Datadog and enable Datadog Cloud Security. Once these are enabled, data will start populating after 10 minutes. Datadog will then automatically scan your environment, including Bedrock resources, for risky configurations. Datadog surfaces any risks that it detects automatically and enriches them with context including sensitive data exposure, identity risks, vulnerabilities, and other misconfigurations. Datadog also provides suggested remediation steps that you can apply directly within Datadog, after which you can confirm that the misconfiguration has been resolved. You can also set up custom alerts and monitors to get notified when Datadog identifies any AI risks, and surface critical findings in the Security Inbox.
In the example below, Datadog has detected that an Amazon Bedrock custom model is configured to use training data from a publicly writable S3 bucket. This setup opens the door to unintended data contamination, potentially altering model behavior. The detection enables you to securely configure the model to avoid this.
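The check described above can be reasoned about offline. The following is an added example, not Datadog's detection logic or code from the original post: it cross-references the training-data S3 URI of each Bedrock custom model with the bucket's ACL and bucket policy and flags models whose bucket accepts writes from anyone. The function names and sample data are assumptions constructed for illustration, and the policy check is simplified (it skips statements with a `Condition` and ignores S3 Block Public Access settings).

```python
import json
from urllib.parse import urlparse

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
WRITE_ACTIONS = {"*", "s3:*", "s3:put*", "s3:putobject"}  # simplified match list

def _as_list(value):
    return value if isinstance(value, list) else [value]

def acl_public_write(acl):
    """True if the ACL grants WRITE or FULL_CONTROL to the AllUsers group."""
    return any(g.get("Grantee", {}).get("URI") == ALL_USERS
               and g.get("Permission") in ("WRITE", "FULL_CONTROL")
               for g in acl.get("Grants", []))

def policy_public_write(policy_json):
    """True if an unconditioned Allow statement lets any principal write objects."""
    for stmt in _as_list(json.loads(policy_json or "{}").get("Statement", [])):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict)
                                      and "*" in _as_list(principal.get("AWS", [])))
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if (stmt.get("Effect") == "Allow" and anyone
                and "Condition" not in stmt and actions & WRITE_ACTIONS):
            return True
    return False

def risky_models(models, buckets):
    """Names of custom models whose training-data bucket is publicly writable."""
    flagged = []
    for m in models:
        bucket = urlparse(m["trainingDataConfig"]["s3Uri"]).netloc
        cfg = buckets.get(bucket, {})
        if acl_public_write(cfg.get("acl", {})) or policy_public_write(cfg.get("policy")):
            flagged.append(m["modelName"])
    return flagged

# Constructed sample data, shaped like GetCustomModel / GetBucketAcl / GetBucketPolicy output.
MODELS = [
    {"modelName": "support-bot-v1", "trainingDataConfig": {"s3Uri": "s3://example-open-train/data.jsonl"}},
    {"modelName": "summarizer-v2", "trainingDataConfig": {"s3Uri": "s3://example-private-train/data.jsonl"}},
    {"modelName": "classifier-v3", "trainingDataConfig": {"s3Uri": "s3://example-policy-train/set/"}},
]
BUCKETS = {
    "example-open-train": {"acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]}},
    "example-private-train": {"acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "constructed"}, "Permission": "FULL_CONTROL"}]}},
    "example-policy-train": {"policy": json.dumps({"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-policy-train/*"}]})},
}
print(risky_models(MODELS, BUCKETS))
```
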

You can also view any detected issues alongside surrounding infrastructure using the Security Map. This uses Cloudcraft to give you live diagrams of your cloud architecture, helping you quickly identify problems and triage them based on their severity score.

Supporting compliance and AI safety initiatives
Security and compliance standards for AI are evolving rapidly. In 2023, the UK's National Cyber Security Centre and CISA published joint guidance for building secure AI systems, recommending robust protections for models and infrastructure. The NIST AI RMF similarly provides a voluntary framework to guide risk management in AI deployments.
Datadog can help you track your compliance posture and monitor improvements as you identify and resolve issues. This helps you meet internal benchmarks and regulatory standards. You can also create custom frameworks or iterate on existing ones for tailored compliance controls.

As generative AI is embraced across industries, the regulatory environment will evolve. We’ll continue partnering with AWS to expand our detection library and support secure AI adoption and compliance.
Today, Datadog Cloud Security has over 1,300 out-of-the-box compliance rules and has announced out-of-the-box support for the NIST AI framework. This enables customers to accelerate evidence collection for audits, proactively monitor their posture and route remediations to the infrastructure owner in a shared platform.
Secure your AI infrastructure with Datadog
Misconfigurations in AI systems can be risky, but with the right tools, you’ll have the visibility and context needed to manage them. With Datadog Cloud Security, teams gain visibility into these risks, detect threats early, and remediate issues with confidence. Detections for Amazon Bedrock are available today alongside other features that help you secure your AI workloads, including Bits Security Analyst, which helps automate triage for AWS CloudTrail signals.
To learn more about how Datadog helps secure your AI infrastructure, visit our documentation. If you're not already using Datadog, you can get started with Datadog Cloud Security with a 14-day free trial.