AWS Bedrock Guardrail Deleted or Weakened

  1[metadata]
  2creation_date = "2026/06/04"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2026/06/04"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects deletion, weakening, or version management of AWS Bedrock guardrails via the DeleteGuardrail, UpdateGuardrail,
 11DeleteEnforcedGuardrailConfiguration, or PutEnforcedGuardrailConfiguration APIs. Bedrock
 12guardrails enforce content, topic, word, and sensitive-information policies on model invocations. Deleting a guardrail,
 13loosening its policies, removing or overwriting the organization-enforced guardrail configuration, or creating a new
 14version to enforce a weakened configuration allows an adversary to bypass these protections — the cloud control-plane
 15equivalent of disabling a security tool. This activity should be validated against approved change management and the
 16responsible identity.
 17"""
 18false_positives = [
 19  """
 20  Platform or ML engineering teams may legitimately tune, iterate on, or decommission guardrails as part of normal
 21  development. If this is expected in your environment, the responsible identities can be exempted from the rule.
 22  """,
 23]
 24from = "now-6m"
 25index = ["logs-aws.cloudtrail-*"]
 26language = "kuery"
 27license = "Elastic License v2"
 28name = "AWS Bedrock Guardrail Deleted or Weakened"
 29note = """## Triage and analysis
 30
 31### Investigating AWS Bedrock Guardrail Deleted or Weakened
 32
 33AWS Bedrock guardrails enforce content, topic, word, and sensitive-information policies on model
 34invocations. Adversaries who gain access to the Bedrock control plane may delete a guardrail (`DeleteGuardrail`),
 35loosen its policies (`UpdateGuardrail`), remove or overwrite the organization-enforced guardrail
 36configuration (`DeleteEnforcedGuardrailConfiguration` / `PutEnforcedGuardrailConfiguration`) to then enforce it on
 37model deployments. This detection identifies those control-plane changes so responders can confirm
 38intent before accepting the change.
 39
 40#### Possible investigation steps
 41
 42- **Identify the actor and context**
 43  - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`,
 44    `aws.cloudtrail.user_identity.access_key_id`, `source.ip`, and `user_agent.original`.
 45  - Confirm a related change request exists and that the identity is authorized to manage guardrails.
 46- **Validate the change**
 47  - For `UpdateGuardrail` / `PutEnforcedGuardrailConfiguration`, inspect
 48    `aws.cloudtrail.flattened.request_parameters` and `aws.cloudtrail.response_elements` to determine
 49    which content, topic, word, or sensitive-information policies were removed or weakened.
 50  - For `DeleteGuardrail` / `DeleteEnforcedGuardrailConfiguration`, identify the targeted guardrail
 51    or org configuration and whether protected workloads still reference it.
 52- **Correlate activity**
 53  - Look for surrounding Bedrock `InvokeModel` / `Converse` activity and other defense-impairing
 54    actions (e.g., logging or detector changes) from the same identity.
 55  - Check for prior enumeration such as `ListGuardrails` or `GetGuardrail`.
 56
 57### Response and remediation
 58
 59- If unauthorized, restore the guardrail and/or org-enforced configuration to its approved state and
 60  re-associate it with affected Bedrock workloads.
 61- Disable the access key in `aws.cloudtrail.user_identity.access_key_id` and review the actor's
 62  recent activity; rotate credentials if compromise is suspected.
 63- Restrict `bedrock:DeleteGuardrail`, `bedrock:UpdateGuardrail`, and the enforced-configuration
 64  permissions to a small set of admin roles, and enforce guardrail state via AWS Config or SCPs.
 65"""
 66references = [
 67    "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_DeleteGuardrail.html",
 68    "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_UpdateGuardrail.html",
 69    "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails.html"
 70]
 71risk_score = 47
 72rule_id = "cdf7b922-909c-440c-8df0-0efe72aa7bea"
 73severity = "medium"
 74tags = [
 75    "Domain: Cloud",
 76    "Domain: LLM",
 77    "Data Source: AWS",
 78    "Data Source: AWS CloudTrail",
 79    "Data Source: Amazon Web Services",
 80    "Data Source: Amazon Bedrock",
 81    "Use Case: Threat Detection",
 82    "Resources: Investigation Guide",
 83    "Tactic: Defense Evasion",
 84]
 85timestamp_override = "event.ingested"
 86type = "query"
 87
 88query = '''
 89data_stream.dataset: "aws.cloudtrail"
 90    and event.provider: "bedrock.amazonaws.com"
 91    and event.action: (
 92        "DeleteGuardrail" or
 93        "UpdateGuardrail" or
 94        "DeleteEnforcedGuardrailConfiguration" or
 95        "PutEnforcedGuardrailConfiguration"
 96    ) and event.outcome: "success"
 97'''
 98
 99
100[[rule.threat]]
101framework = "MITRE ATT&CK"
102
103[[rule.threat.technique]]
104id = "T1562"
105name = "Impair Defenses"
106reference = "https://attack.mitre.org/techniques/T1562/"
107
108[[rule.threat.technique.subtechnique]]
109id = "T1562.001"
110name = "Disable or Modify Tools"
111reference = "https://attack.mitre.org/techniques/T1562/001/"
112
113[rule.threat.tactic]
114id = "TA0005"
115name = "Defense Evasion"
116reference = "https://attack.mitre.org/tactics/TA0005/"
117
118[rule.investigation_fields]
119field_names = [
120    "@timestamp",
121    "user.name",
122    "user_agent.original",
123    "source.ip",
124    "aws.cloudtrail.user_identity.arn",
125    "aws.cloudtrail.user_identity.type",
126    "aws.cloudtrail.user_identity.access_key_id",
127    "event.action",
128    "event.provider",
129    "event.outcome",
130    "cloud.account.id",
131    "cloud.region",
132    "aws.cloudtrail.request_parameters",
133    "aws.cloudtrail.response_elements",
134]