AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session

Last updated a month ago on 2025-07-16

Created a year ago on 2024-05-02

About

Identifies multiple violations of AWS Bedrock guardrails by the same user in the same account over a session. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.

Tags: Domain: LLMData Source: AWS BedrockData Source: AWS S3Use Case: Policy ViolationMitre Atlas: T0051Mitre Atlas: T0054Language: esql
Severity: medium
Risk Score: 47
False Positive Examples: Legitimate misunderstanding by users or overly strict policies
License: Elastic License v2(opens in a new tab or window)

Definition

Integration Pack: Prebuilt Security Detection Rules
Related Integrations: (opens in a new tab or window)
Query

from logs-aws_bedrock.invocation-*

// Filter for compliance violations detected
| where gen_ai.compliance.violation_detected

// keep relevant ECS + model fields
| keep
  user.id,
  gen_ai.request.model.id,
  cloud.account.id

// count violations by user, model, and account
| stats
    Esql.ml_violations_count = count(*)
  by
    user.id,
    gen_ai.request.model.id,
    cloud.account.id

// Filter for repeated violations
| where Esql.ml_violations_count > 1

// sort descending by violation volume
| sort Esql.ml_violations_count desc

Install detection rules in Elastic Security

Detect AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).