AWS Bedrock Model Invocation Logging Disabled or Modified

Last updated 3 days ago on 2026-06-04

Created 3 days ago on 2026-06-04

About

Detects when an AWS Bedrock model invocation logging configuration is deleted or overwritten via the DeleteModelInvocationLoggingConfiguration or PutModelInvocationLoggingConfiguration API calls. Model invocation logging is the source that feeds the logs-aws_bedrock.invocation-* dataset relied upon by all data-plane Bedrock detections. An adversary who has gained access to a Bedrock environment can blind defenders by deleting this configuration, or by using the Put API to redirect logs to an attacker-controlled or non-monitored S3 bucket or CloudWatch log group. Because this single control-plane action can neutralize the entire data-plane detection stack, it is a high-value evasion technique that should be validated against expected administrative change activity.

Tags

Domain: CloudDomain: LLMData Source: AWSData Source: AWS CloudTrailData Source: Amazon Web ServicesData Source: Amazon BedrockUse Case: Log AuditingUse Case: Threat DetectionTactic: Defense EvasionLanguage: kuery

Severity

high

Risk Score

MITRE ATT&CK™

Defense Evasion (TA0005)(external, opens in a new tab or window)

↳ Impair Defenses (T1562)(external, opens in a new tab or window)

False Positive Examples

Cloud or security administrators may legitimately delete or reconfigure Bedrock model invocation logging during onboarding, log destination migrations, or compliance changes. Verify whether the user identity, user agent, and source IP are expected to make this change. For PutModelInvocationLoggingConfiguration, confirm that the destination S3 bucket or CloudWatch log group remains owned and monitored by your organization. Known, planned changes can be exempted from this rule.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: Query (Kibana Query Language)
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-aws.cloudtrail-*
Related Integrations: aws(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗data_stream.dataset: "aws.cloudtrail" and
    event.provider: "bedrock.amazonaws.com" and
    event.action: ("DeleteModelInvocationLoggingConfiguration" or "PutModelInvocationLoggingConfiguration") and 
    event.outcome: "success"

Install detection rules in Elastic Security

Detect AWS Bedrock Model Invocation Logging Disabled or Modified in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).