AWS Bedrock Guardrail Deleted or Weakened

Last updated 3 days ago on 2026-06-04
Created 3 days ago on 2026-06-04

About

Detects deletion, weakening, or version management of AWS Bedrock guardrails via the DeleteGuardrail, UpdateGuardrail, DeleteEnforcedGuardrailConfiguration, or PutEnforcedGuardrailConfiguration APIs. Bedrock guardrails enforce content, topic, word, and sensitive-information policies on model invocations. Deleting a guardrail, loosening its policies, removing or overwriting the organization-enforced guardrail configuration, or creating a new version to enforce a weakened configuration allows an adversary to bypass these protections — the cloud control-plane equivalent of disabling a security tool. This activity should be validated against approved change management and the responsible identity.
Tags
Domain: Cloud
Domain: LLM
Data Source: AWS
Data Source: AWS CloudTrail
Data Source: Amazon Web Services
Data Source: Amazon Bedrock
Use Case: Threat Detection
Tactic: Defense Evasion
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Defense Evasion (TA0005)

False Positive Examples
Platform or ML engineering teams may legitimately tune, iterate on, or decommission guardrails as part of normal development. If this is expected in your environment, the responsible identities can be exempted from the rule.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-aws.cloudtrail-*
Related Integrations

aws

Query
data_stream.dataset: "aws.cloudtrail"
  and event.provider: "bedrock.amazonaws.com"
  and event.action: (
    "DeleteGuardrail" or
    "UpdateGuardrail" or
    "DeleteEnforcedGuardrailConfiguration" or
    "PutEnforcedGuardrailConfiguration"
  )
  and event.outcome: "success"
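
The query's four conditions combined with the identity exemption described under False Positive Examples, run over constructed events. This is an added example, not part of Elastic's rule; the identity field aws.cloudtrail.user_identity.arn, the helper names and the sample ARNs are assumptions.

```python
# Added example: the four query conditions come from the rule; the identity
# field, helper names and sample events are assumptions for illustration.
WATCHED_ACTIONS = {"DeleteGuardrail", "UpdateGuardrail",
                   "DeleteEnforcedGuardrailConfiguration",
                   "PutEnforcedGuardrailConfiguration"}
IDENTITY_FIELD = "aws.cloudtrail.user_identity.arn"  # assumed identity field

def get_field(doc, dotted):
    """Resolve a dotted field name from a flattened or nested document."""
    if dotted in doc:
        return doc[dotted]
    node = doc
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def rule_matches(doc):
    """Apply the same four conditions as the KQL query."""
    return (get_field(doc, "data_stream.dataset") == "aws.cloudtrail"
            and get_field(doc, "event.provider") == "bedrock.amazonaws.com"
            and get_field(doc, "event.action") in WATCHED_ACTIONS
            and get_field(doc, "event.outcome") == "success")

def triage(docs, exempt_arns=frozenset()):
    """Return (action, identity) for matches not made by an exempted identity."""
    alerts = []
    for doc in docs:
        arn = get_field(doc, IDENTITY_FIELD)
        if rule_matches(doc) and arn not in exempt_arns:
            alerts.append((get_field(doc, "event.action"), arn))
    return alerts

def _event(action, outcome, arn):
    return {"data_stream": {"dataset": "aws.cloudtrail"},
            "event": {"provider": "bedrock.amazonaws.com",
                      "action": action, "outcome": outcome},
            "aws": {"cloudtrail": {"user_identity": {"arn": arn}}}}

ROLE = "arn:aws:iam::111122223333:role/ml-platform-deploy"  # constructed
USER = "arn:aws:iam::111122223333:user/example-user"        # constructed
SAMPLE_EVENTS = [                                            # constructed
    _event("UpdateGuardrail", "success", ROLE),  # match, exempted identity
    _event("DeleteGuardrail", "success", USER),  # match, alerts
    _event("DeleteGuardrail", "failure", USER),  # failed call, no match
    _event("CreateGuardrail", "success", ROLE),  # action not in the rule
    _event("PutEnforcedGuardrailConfiguration", "success", None),  # no identity, alerts
]
```

Calling triage(SAMPLE_EVENTS, {ROLE}) leaves two alerts: the DeleteGuardrail by the non-exempt user and the enforced-configuration change with no identity, which an ARN exemption can never suppress.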

Install detection rules in Elastic Security

Detect AWS Bedrock Guardrail Deleted or Weakened in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.