AWS Bedrock Knowledge Base or RAG Data Source Tampering

Last updated 2 days ago on 2026-06-05

Created 2 days ago on 2026-06-05

About

Detects control-plane mutations to AWS Bedrock knowledge bases and their backing RAG data sources via CloudTrail. An adversary with access to Bedrock Agent APIs can poison the corpus that RAG-enabled models treat as authoritative by ingesting attacker-controlled documents (IngestKnowledgeBaseDocuments, StartIngestionJob), deleting legitimate documents (DeleteKnowledgeBaseDocuments), or repointing/altering the data source itself (CreateDataSource, UpdateDataSource, DeleteDataSource, UpdateKnowledgeBase). Because downstream applications and users trust model answers grounded in this stored data, tampering with the corpus is a stored data manipulation that can drive misinformation, fraud, or manipulated decisions at inference time. This is a New Terms rule that looks for the first time a given identity ARN performs one of these knowledge base or data source mutations within the history window.

Tags

Domain: CloudDomain: LLMData Source: AWSData Source: AWS CloudTrailData Source: Amazon Web ServicesData Source: Amazon BedrockUse Case: Threat DetectionTactic: ImpactLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Impact (TA0040)(external, opens in a new tab or window)

↳ Data Manipulation (T1565)(external, opens in a new tab or window)

False Positive Examples

Legitimate knowledge base maintenance, content onboarding, and scheduled re-ingestion performed by data engineering teams, MLOps automation, or infrastructure-as-code pipelines will generate these events. Validate the calling identity, user agent, and source IP against known automation and approved operators. If a known maintenance workflow is causing noise, it can be exempted from this rule.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-aws.cloudtrail-*
Related Integrations: aws(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗data_stream.dataset: "aws.cloudtrail" and
    event.provider: "bedrock.amazonaws.com" and
    event.action: (
        "IngestKnowledgeBaseDocuments" or
        "DeleteKnowledgeBaseDocuments" or
        "UpdateKnowledgeBase" or
        "CreateDataSource" or
        "UpdateDataSource" or
        "DeleteDataSource" or
        "StartIngestionJob" or
        "DeleteKnowledgeBase"
    ) and
    event.outcome: "success"

Install detection rules in Elastic Security

Detect AWS Bedrock Knowledge Base or RAG Data Source Tampering in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).