AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session

Last updated 3 months ago on 2025-09-25

Created 2 years ago on 2024-05-02

About

Identifies multiple violations of AWS Bedrock guardrails by the same user in the same account over a session. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.

Tags: Domain: LLMData Source: AWS BedrockData Source: AWS S3Use Case: Policy ViolationMitre Atlas: T0051Mitre Atlas: T0054Language: esql
Severity: medium
Risk Score: 47
False Positive Examples: Legitimate misunderstanding by users or overly strict policies
License: Elastic License v2(external, opens in a new tab or window)

Definition

Integration Pack: Prebuilt Security Detection Rules
Related Integrations: aws_bedrock(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗from logs-aws_bedrock.invocation-*

// Filter for compliance violations detected
| where gen_ai.compliance.violation_detected

// keep relevant ECS + model fields
| keep
  user.id,
  gen_ai.request.model.id,
  cloud.account.id

// count violations by user, model, and account
| stats
    Esql.ml_violations_count = count(*)
  by
    user.id,
    gen_ai.request.model.id,
    cloud.account.id

// Filter for repeated violations
| where Esql.ml_violations_count > 1

// sort descending by violation volume
| sort Esql.ml_violations_count desc

Install detection rules in Elastic Security

Detect AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).