AWS Bedrock Automated Reasoning Safety Policy Tampering
Detects deletion or modification of AWS Bedrock Automated Reasoning policies via the DeleteAutomatedReasoningPolicy, UpdateAutomatedReasoningPolicy, or UpdateAutomatedReasoningPolicyAnnotations CloudTrail actions. Automated Reasoning policies are a Bedrock safety and validation control that constrains model outputs against formal rules. An adversary who deletes a policy or alters the policy definition or its annotations weakens an enforced output-validation defense, potentially allowing unsafe or non-compliant model responses to pass unchecked. Benign build, test-workflow, and test-case CRUD operations are intentionally excluded as they have no coherent abuse path.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/06/04"
3integration = ["aws"]
4maturity = "production"
5updated_date = "2026/06/04"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects deletion or modification of AWS Bedrock Automated Reasoning policies via the DeleteAutomatedReasoningPolicy,
11UpdateAutomatedReasoningPolicy, or UpdateAutomatedReasoningPolicyAnnotations CloudTrail actions. Automated Reasoning
12policies are a Bedrock safety and validation control that constrains model outputs against formal rules. An adversary
13who deletes a policy or alters the policy definition or its annotations weakens an enforced output-validation defense,
14potentially allowing unsafe or non-compliant model responses to pass unchecked. Benign build, test-workflow, and
15test-case CRUD operations are intentionally excluded as they have no coherent abuse path.
16"""
17false_positives = [
18 """
19 Policy administrators, ML platform engineers, or infrastructure-as-code pipelines may legitimately update or remove
20 Automated Reasoning policies during model governance changes, policy tuning, or environment teardown. Verify that
21 the user identity, source IP, and user agent correspond to an approved change and that a corresponding change
22 request exists. Known automation roles can be exempted if they generate recurring noise.
23 """,
24]
25from = "now-6m"
26index = ["logs-aws.cloudtrail-*"]
27language = "kuery"
28license = "Elastic License v2"
29name = "AWS Bedrock Automated Reasoning Safety Policy Tampering"
30note = """## Triage and analysis
31
32### Investigating AWS Bedrock Automated Reasoning Safety Policy Tampering
33
34AWS Bedrock Automated Reasoning policies enforce formal, rule-based validation of model outputs, acting as a
35safety control that constrains what a model is permitted to return. Deleting a policy or modifying its
36definition or annotations directly weakens this control. Adversaries who have gained access to the Bedrock
37control plane may tamper with these policies to evade output-validation defenses, enabling unsafe, manipulated,
38or non-compliant model behavior. This detection identifies `DeleteAutomatedReasoningPolicy`,
39`UpdateAutomatedReasoningPolicy`, and `UpdateAutomatedReasoningPolicyAnnotations` calls so responders can
40confirm whether the change was authorized.
41
42#### Possible investigation steps
43
44- **Identify the actor and context**
45 - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`,
46 `aws.cloudtrail.user_identity.access_key_id`, `source.ip`, and `user_agent.original`.
47 - Determine whether the identity normally administers Bedrock safety policies and whether the action aligns
48 with an approved change request.
49- **Review the specific action**
50 - For `DeleteAutomatedReasoningPolicy`, identify the deleted policy in
51 `aws.cloudtrail.flattened.request_parameters` and confirm whether a replacement control exists.
52 - For `UpdateAutomatedReasoningPolicy` / `UpdateAutomatedReasoningPolicyAnnotations`, inspect
53 `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` to understand what was changed
54 and whether the change loosens validation constraints.
55- **Correlate surrounding activity**
56 - Look for other Defense Evasion or Bedrock control-plane activity from the same identity in the surrounding
57 window (model invocation changes, guardrail modifications, logging changes).
58 - Check `cloud.account.id` and `cloud.region` to scope blast radius across the environment.
59
60### False positive analysis
61
62- **Planned policy maintenance**: Governance teams may legitimately tune or retire Automated Reasoning
63 policies. Validate against change tickets and standard templates.
64- **Automation**: IaC or CI/CD pipelines may update policies during deployments. Confirm the actor maps to
65 known automation infrastructure.
66
67### Response and remediation
68
69- If the change is unauthorized, restore the prior policy definition or recreate the deleted policy from a
70 known-good configuration.
71- Revoke or rotate the credentials in `aws.cloudtrail.user_identity.access_key_id` if compromise is suspected.
72- Review all Bedrock control-plane activity from the same identity in the preceding window for further
73 defense-impairing actions.
74- Restrict `bedrock:DeleteAutomatedReasoningPolicy` and `bedrock:UpdateAutomatedReasoningPolicy*` permissions
75 to a small set of administrative roles and enforce approval workflows.
76"""
77references = [
78 "https://docs.aws.amazon.com/bedrock/latest/userguide/automated-reasoning.html"
79]
80risk_score = 47
81rule_id = "2d7822a5-418c-4cde-a96e-e337d77b67e7"
82severity = "medium"
83tags = [
84 "Domain: Cloud",
85 "Domain: LLM",
86 "Data Source: AWS",
87 "Data Source: AWS CloudTrail",
88 "Data Source: Amazon Web Services",
89 "Data Source: Amazon Bedrock",
90 "Use Case: Threat Detection",
91 "Resources: Investigation Guide",
92 "Tactic: Defense Evasion"
93]
94timestamp_override = "event.ingested"
95type = "query"
96
97query = '''
98data_stream.dataset: "aws.cloudtrail" and
99 event.provider: "bedrock.amazonaws.com" and
100 event.action: (
101 "DeleteAutomatedReasoningPolicy" or
102 "UpdateAutomatedReasoningPolicy" or
103 "UpdateAutomatedReasoningPolicyAnnotations"
104 ) and event.outcome:success
105'''
106
107
108[[rule.threat]]
109framework = "MITRE ATT&CK"
110
111[[rule.threat.technique]]
112id = "T1562"
113name = "Impair Defenses"
114reference = "https://attack.mitre.org/techniques/T1562/"
115
116[[rule.threat.technique.subtechnique]]
117id = "T1562.001"
118name = "Disable or Modify Tools"
119reference = "https://attack.mitre.org/techniques/T1562/001/"
120
121[rule.threat.tactic]
122id = "TA0005"
123name = "Defense Evasion"
124reference = "https://attack.mitre.org/tactics/TA0005/"
125
126[rule.investigation_fields]
127field_names = [
128 "@timestamp",
129 "user.name",
130 "user_agent.original",
131 "source.ip",
132 "source.as.number",
133 "aws.cloudtrail.user_identity.arn",
134 "aws.cloudtrail.user_identity.type",
135 "aws.cloudtrail.user_identity.access_key_id",
136 "event.action",
137 "event.provider",
138 "event.outcome",
139 "cloud.account.id",
140 "cloud.region",
141 "aws.cloudtrail.request_parameters",
142 "aws.cloudtrail.response_elements",
143]
Triage and analysis
Investigating AWS Bedrock Automated Reasoning Safety Policy Tampering
AWS Bedrock Automated Reasoning policies enforce formal, rule-based validation of model outputs, acting as a
safety control that constrains what a model is permitted to return. Deleting a policy or modifying its
definition or annotations directly weakens this control. Adversaries who have gained access to the Bedrock
control plane may tamper with these policies to evade output-validation defenses, enabling unsafe, manipulated,
or non-compliant model behavior. This detection identifies DeleteAutomatedReasoningPolicy,
UpdateAutomatedReasoningPolicy, and UpdateAutomatedReasoningPolicyAnnotations calls so responders can
confirm whether the change was authorized.
Possible investigation steps
- Identify the actor and context
- Review
aws.cloudtrail.user_identity.arn,aws.cloudtrail.user_identity.type,aws.cloudtrail.user_identity.access_key_id,source.ip, anduser_agent.original. - Determine whether the identity normally administers Bedrock safety policies and whether the action aligns with an approved change request.
- Review
- Review the specific action
- For
DeleteAutomatedReasoningPolicy, identify the deleted policy inaws.cloudtrail.flattened.request_parametersand confirm whether a replacement control exists. - For
UpdateAutomatedReasoningPolicy/UpdateAutomatedReasoningPolicyAnnotations, inspectaws.cloudtrail.request_parametersandaws.cloudtrail.response_elementsto understand what was changed and whether the change loosens validation constraints.
- For
- Correlate surrounding activity
- Look for other Defense Evasion or Bedrock control-plane activity from the same identity in the surrounding window (model invocation changes, guardrail modifications, logging changes).
- Check
cloud.account.idandcloud.regionto scope blast radius across the environment.
False positive analysis
- Planned policy maintenance: Governance teams may legitimately tune or retire Automated Reasoning policies. Validate against change tickets and standard templates.
- Automation: IaC or CI/CD pipelines may update policies during deployments. Confirm the actor maps to known automation infrastructure.
Response and remediation
- If the change is unauthorized, restore the prior policy definition or recreate the deleted policy from a known-good configuration.
- Revoke or rotate the credentials in
aws.cloudtrail.user_identity.access_key_idif compromise is suspected. - Review all Bedrock control-plane activity from the same identity in the preceding window for further defense-impairing actions.
- Restrict
bedrock:DeleteAutomatedReasoningPolicyandbedrock:UpdateAutomatedReasoningPolicy*permissions to a small set of administrative roles and enforce approval workflows.
References
Related rules
- AWS Bedrock Guardrail Deleted or Weakened
- AWS Bedrock Model Invocation Logging Disabled or Modified
- AWS Bedrock Provisioned Model Throughput Tampering
- AWS Bedrock Foundation Model Access Enabled or Entitlement Granted
- AWS Bedrock Unauthorized Foundation Model Access Attempt