AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session

Last updated 3 months ago on 2025-09-25
Created a year ago on 2024-11-25

About

Identifies multiple AWS Bedrock executions in a one-minute time window without guardrails by the same user in the same account over a session. Multiple consecutive executions imply that a user may be intentionally attempting to bypass security controls by not routing requests through the desired guardrail configuration, in order to access sensitive information or possibly exploit a vulnerability in the system.
Tags
Domain: LLM
Data Source: AWS Bedrock
Data Source: AWS S3
Use Case: Policy Violation
Mitre Atlas: T0051
Mitre Atlas: T0054
Language: esql
Severity
medium
Risk Score
47
False Positive Examples
Users testing new model deployments or updated compliance policies without Amazon Bedrock guardrails.
License
Elastic License v2

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

aws_bedrock

Query
from logs-aws_bedrock.invocation-*
// Create 1-minute time buckets
| eval Esql.time_window_date_trunc = date_trunc(1 minute, @timestamp)
// Filter for invocations without guardrails
| where gen_ai.guardrail_id is null and user.id is not null
// Keep only relevant fields
| keep @timestamp, Esql.time_window_date_trunc, gen_ai.guardrail_id, user.id
// Count number of unsafe invocations per user
| stats Esql.ml_invocations_no_guardrails_count = count() by user.id
// Filter for suspicious volume
| where Esql.ml_invocations_no_guardrails_count > 5
// Sort descending
| sort Esql.ml_invocations_no_guardrails_count desc
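The same detection logic applied to a handful of constructed invocation events, as an added Python example for testing the threshold offline (not Elastic's code, and not a substitute for the ES|QL rule). It uses the field names from the query above; note that the rule's query computes the one-minute bucket but groups only by user.id, whereas this example groups by bucket and user as the rule description states.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events (not real Bedrock logs). Field names follow the
# ES|QL query: @timestamp, gen_ai.guardrail_id, user.id.
SAMPLE_EVENTS = [
    {"@timestamp": "2025-09-25T10:00:%02dZ" % s, "user.id": "analyst-a", "gen_ai.guardrail_id": None}
    for s in range(0, 60, 9)  # 7 invocations in one minute, no guardrail -> should alert
] + [
    {"@timestamp": "2025-09-25T10:00:%02dZ" % s, "user.id": "analyst-b", "gen_ai.guardrail_id": "gr-constructed"}
    for s in range(0, 60, 9)  # 7 invocations, all routed through a guardrail -> ignored
] + [
    {"@timestamp": "2025-09-25T10:01:%02dZ" % s, "user.id": "analyst-c", "gen_ai.guardrail_id": None}
    for s in range(0, 30, 10)  # 3 invocations without guardrail, below threshold
] + [
    {"@timestamp": "2025-09-25T10:02:00Z", "user.id": None, "gen_ai.guardrail_id": None},  # no user.id -> dropped
]

THRESHOLD = 5  # rule condition: count() > 5


def minute_bucket(ts: str) -> datetime:
    """Equivalent of date_trunc(1 minute, @timestamp) for an ISO-8601 UTC string."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.replace(second=0, microsecond=0)


def invocations_without_guardrails(events, threshold=THRESHOLD):
    """Return (bucket, user_id, count) tuples exceeding the threshold, highest count first."""
    counts = Counter()
    for ev in events:
        # where gen_ai.guardrail_id is null and user.id is not null
        if ev.get("gen_ai.guardrail_id") is not None or ev.get("user.id") is None:
            continue
        counts[(minute_bucket(ev["@timestamp"]), ev["user.id"])] += 1
    hits = [(bucket, user, n) for (bucket, user), n in counts.items() if n > threshold]
    hits.sort(key=lambda h: h[2], reverse=True)  # sort ... desc
    return hits


if __name__ == "__main__":
    for bucket, user, n in invocations_without_guardrails(SAMPLE_EVENTS):
        print(f"{bucket.isoformat()} {user}: {n} invocations without guardrails")
```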

Install detection rules in Elastic Security

Detect this activity in the Elastic Security detection engine by installing the AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.