AWS Bedrock Unauthorized Resource-Based Policy Modification Attempt

Last updated 2026-06-04
Created 2026-06-04

About

Detects failed, access-denied attempts to modify or delete resource-based access policies on AWS Bedrock resources via the PutResourcePolicy and DeleteResourcePolicy API calls. Resource-based policies govern which principals (including external accounts) may access Bedrock resources such as agents, knowledge bases, and custom models. A principal that is repeatedly denied when attempting to attach or remove these policies may be a compromised or under-privileged identity probing for the ability to grant external or cross-account access, or to weaken existing access controls. Unlike the companion rule that detects successful changes, this rule surfaces the attempt itself, which is a high-signal indicator of credential boundary-testing even though no change occurred.
Tags
Domain: Cloud
Domain: LLM
Data Source: AWS
Data Source: AWS CloudTrail
Data Source: Amazon Web Services
Data Source: Amazon Bedrock
Use Case: Identity and Access Audit
Tactic: Persistence
Language: kuery
Severity
low
Risk Score
21
MITRE ATT&CK™

Persistence (TA0003)

False Positive Examples
Access-denied errors can result from benign permission gaps: a newly created role or user whose IAM policy has not yet been provisioned, infrastructure-as-code pipelines running ahead of permission grants, or developers experimenting in non-production accounts. Verify whether the user identity, user agent, and source IP are expected to manage Bedrock resource policies in your environment. Recurring denials from known automation or onboarding workflows can be exempted from the rule.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-aws.cloudtrail-*
Related Integrations

aws

Query
data_stream.dataset: "aws.cloudtrail" and
event.provider: "bedrock.amazonaws.com" and
event.action: ("PutResourcePolicy" or "DeleteResourcePolicy") and
event.outcome: "failure" and
aws.cloudtrail.error_code: ("AccessDenied" or "AccessDeniedException")
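The following is an added example, not code from the rule package or from Elastic: it re-implements the KQL predicate above in Python, runs it over a handful of constructed CloudTrail records, and applies the kind of automation exemption the False Positive Examples section describes, while still counting denials per principal so repeated probing stays visible. The raw-field-to-ECS mapping in to_ecs (eventSource to event.provider, eventName to event.action, errorCode to aws.cloudtrail.error_code, and event.outcome derived from the presence of errorCode) is assumed to mirror what the aws.cloudtrail integration does. The account ID, ARNs, IPs, user agents and the two exemption allow-lists are all made up for the example.

```python
from collections import Counter

# The two clauses of the KQL that enumerate values.
WATCHED_ACTIONS = {"PutResourcePolicy", "DeleteResourcePolicy"}
DENIED_CODES = {"AccessDenied", "AccessDeniedException"}


def to_ecs(record):
    """Project the raw CloudTrail fields this rule needs onto the ECS names the
    KQL queries. Assumption: this mirrors the aws.cloudtrail integration,
    including deriving event.outcome from whether errorCode is present."""
    identity = record.get("userIdentity", {})
    return {
        "data_stream.dataset": "aws.cloudtrail",
        "event.provider": record.get("eventSource"),
        "event.action": record.get("eventName"),
        "event.outcome": "failure" if record.get("errorCode") else "success",
        "aws.cloudtrail.error_code": record.get("errorCode"),
        "aws.cloudtrail.user_identity.arn": identity.get("arn"),
        "source.ip": record.get("sourceIPAddress"),
        "user_agent.original": record.get("userAgent", ""),
    }


def matches_rule(doc):
    """The KQL predicate, clause for clause."""
    return (
        doc["data_stream.dataset"] == "aws.cloudtrail"
        and doc["event.provider"] == "bedrock.amazonaws.com"
        and doc["event.action"] in WATCHED_ACTIONS
        and doc["event.outcome"] == "failure"
        and doc["aws.cloudtrail.error_code"] in DENIED_CODES
    )


def is_exempt(doc, exempt_arn_prefixes=(), exempt_agent_prefixes=()):
    """Suppress hits from known onboarding/automation identities. Both
    allow-lists are hypothetical; prefix-match the role portion of an STS
    session ARN rather than the per-run session name."""
    arn = doc["aws.cloudtrail.user_identity.arn"] or ""
    agent = doc["user_agent.original"]
    return arn.startswith(tuple(exempt_arn_prefixes)) or agent.startswith(
        tuple(exempt_agent_prefixes)
    )


def triage(records, exempt_arn_prefixes=(), exempt_agent_prefixes=()):
    """Return (alerts, denials_per_principal). The counter includes exempted
    matches, so a principal that keeps getting denied is still visible even
    when its individual hits are suppressed."""
    alerts, denials = [], Counter()
    for record in records:
        doc = to_ecs(record)
        if not matches_rule(doc):
            continue
        denials[doc["aws.cloudtrail.user_identity.arn"]] += 1
        if not is_exempt(doc, exempt_arn_prefixes, exempt_agent_prefixes):
            alerts.append(doc)
    return alerts, denials


# Constructed CloudTrail records (not real logs); only the fields used above.
ACCT = "111122223333"
SAMPLE_RECORDS = [
    {   # 1: denied PutResourcePolicy from an unexpected identity -> alert
        "eventSource": "bedrock.amazonaws.com", "eventName": "PutResourcePolicy",
        "errorCode": "AccessDenied",
        "userIdentity": {"arn": f"arn:aws:iam::{ACCT}:user/dev-contractor"},
        "sourceIPAddress": "203.0.113.42", "userAgent": "aws-cli/2.15.0",
    },
    {   # 2: same identity, DeleteResourcePolicy, the other denied code -> alert
        "eventSource": "bedrock.amazonaws.com", "eventName": "DeleteResourcePolicy",
        "errorCode": "AccessDeniedException",
        "userIdentity": {"arn": f"arn:aws:iam::{ACCT}:user/dev-contractor"},
        "sourceIPAddress": "203.0.113.42", "userAgent": "aws-cli/2.15.0",
    },
    {   # 3: IaC pipeline running ahead of its permission grant -> match, exempted
        "eventSource": "bedrock.amazonaws.com", "eventName": "PutResourcePolicy",
        "errorCode": "AccessDenied",
        "userIdentity": {"arn": f"arn:aws:sts::{ACCT}:assumed-role/ci-deploy/run-8812"},
        "sourceIPAddress": "10.0.4.7", "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.7.0",
    },
    {   # 4: successful change, no errorCode -> the companion rule's territory
        "eventSource": "bedrock.amazonaws.com", "eventName": "PutResourcePolicy",
        "userIdentity": {"arn": f"arn:aws:iam::{ACCT}:role/bedrock-admin"},
        "sourceIPAddress": "10.0.4.9", "userAgent": "console.amazonaws.com",
    },
    {   # 5: a failure that is not an authorization denial -> no match
        "eventSource": "bedrock.amazonaws.com", "eventName": "PutResourcePolicy",
        "errorCode": "ValidationException",
        "userIdentity": {"arn": f"arn:aws:iam::{ACCT}:user/dev-contractor"},
        "sourceIPAddress": "203.0.113.42", "userAgent": "aws-cli/2.15.0",
    },
]

EXEMPT_ARN_PREFIXES = (f"arn:aws:sts::{ACCT}:assumed-role/ci-deploy/",)
EXEMPT_AGENT_PREFIXES = ("APN/1.0 HashiCorp/",)

if __name__ == "__main__":
    alerts, denials = triage(SAMPLE_RECORDS, EXEMPT_ARN_PREFIXES, EXEMPT_AGENT_PREFIXES)
    for a in alerts:
        print(a["event.action"], a["aws.cloudtrail.error_code"],
              a["aws.cloudtrail.user_identity.arn"], a["source.ip"], a["user_agent.original"])
    print(dict(denials))
```

Records 1 and 2 survive as alerts, record 3 matches the query but is suppressed by the exemption, and records 4 and 5 never match: the first has no errorCode (event.outcome is success) and the second fails with a code the rule does not treat as a denial. The per-principal counter is the part worth keeping in a real triage flow, since an exempted role that is denied on every run is itself a configuration problem worth fixing.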

Install detection rules in Elastic Security

Detect AWS Bedrock Unauthorized Resource-Based Policy Modification Attempt in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.