Elastic Security Detection Rules

AWS Bedrock Resource-Based Policy Modified or Deleted

Last updated 3 days ago on 2026-06-04
Created 3 days ago on 2026-06-04

About

Detects modification or deletion of resource-based access policies on AWS Bedrock resources via the PutResourcePolicy and DeleteResourcePolicy API calls. Resource-based policies govern which principals (including external accounts) may access Bedrock resources such as agents, knowledge bases, and custom models. An adversary may attach a resource policy granting an external or unexpected principal access to a Bedrock resource to establish persistence or enable cross-account access, or may delete an existing policy to weaken access controls. These changes should be validated for principal ownership and least-privilege intent.
Tags
Domain: CloudDomain: LLMData Source: AWSData Source: AWS CloudTrailData Source: Amazon Web ServicesData Source: Amazon BedrockUse Case: Identity and Access AuditTactic: PersistenceLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Persistence (TA0003)(external, opens in a new tab or window)

Account Manipulation (T1098)(external, opens in a new tab or window)

False Positive Examples
Resource policy changes may be performed by administrators, infrastructure-as-code pipelines, or automation during legitimate onboarding, sharing, or access-management activities. Verify whether the user identity, user agent, and source IP are expected to manage Bedrock resource policies in your environment. Known automation can be exempted from the rule.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-aws.cloudtrail-*
Related Integrations

aws(external, opens in a new tab or window)

Query
text code block:
data_stream.dataset: "aws.cloudtrail" and
    event.provider: "bedrock.amazonaws.com" and
    event.action: ("PutResourcePolicy" or "DeleteResourcePolicy") and
    event.outcome: "success"

Install detection rules in Elastic Security

Detect AWS Bedrock Resource-Based Policy Modified or Deleted in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).