AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session

Last updated 20 days ago on 2025-03-20

Created a year ago on 2024-05-02

About

Identifies multiple violations of AWS Bedrock guardrails by the same user in the same account over a session. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.

Tags: Domain: LLMData Source: AWS BedrockData Source: AWS S3Use Case: Policy ViolationMitre Atlas: T0051Mitre Atlas: T0054Language: esql
Severity: medium
Risk Score: 47
False Positive Examples: Legitimate misunderstanding by users or overly strict policies
License: Elastic License v2(opens in a new tab or window)

Definition

Integration Pack: Prebuilt Security Detection Rules
Related Integrations: (opens in a new tab or window)
Query

from logs-aws_bedrock.invocation-*
| where gen_ai.compliance.violation_detected
| keep user.id, gen_ai.request.model.id, cloud.account.id
| stats violations = count(*) by user.id, gen_ai.request.model.id, cloud.account.id
| where violations > 1
| sort violations desc

Install detection rules in Elastic Security

Detect AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).