AWS Bedrock Model Invocation Logging Disabled or Modified

Detects when an AWS Bedrock model invocation logging configuration is deleted or overwritten via the DeleteModelInvocationLoggingConfiguration or PutModelInvocationLoggingConfiguration API calls. Model invocation logging is the source that feeds the logs-aws_bedrock.invocation-* dataset relied upon by all data-plane Bedrock detections. An adversary who has gained access to a Bedrock environment can blind defenders by deleting this configuration, or by using the Put API to redirect logs to an attacker-controlled or non-monitored S3 bucket or CloudWatch log group. Because this single control-plane action can neutralize the entire data-plane detection stack, it is a high-value evasion technique that should be validated against expected administrative change activity.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/06/04"
integration = ["aws"]
maturity = "production"
updated_date = "2026/06/04"

[rule]
author = ["Elastic"]
description = """
Detects when an AWS Bedrock model invocation logging configuration is deleted or overwritten via the
DeleteModelInvocationLoggingConfiguration or PutModelInvocationLoggingConfiguration API calls. Model invocation logging
is the source that feeds the logs-aws_bedrock.invocation-* dataset relied upon by all data-plane Bedrock detections. An
adversary who has gained access to a Bedrock environment can blind defenders by deleting this configuration, or by using
the Put API to redirect logs to an attacker-controlled or non-monitored S3 bucket or CloudWatch log group. Because this
single control-plane action can neutralize the entire data-plane detection stack, it is a high-value evasion technique
that should be validated against expected administrative change activity.
"""
false_positives = [
    """
    Cloud or security administrators may legitimately delete or reconfigure Bedrock model invocation logging during
    onboarding, log destination migrations, or compliance changes. Verify whether the user identity, user agent, and
    source IP are expected to make this change. For PutModelInvocationLoggingConfiguration, confirm that the destination
    S3 bucket or CloudWatch log group remains owned and monitored by your organization. Known, planned changes can be
    exempted from this rule.
    """,
]
from = "now-6m"
index = ["logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS Bedrock Model Invocation Logging Disabled or Modified"
note = """## Triage and analysis

### Investigating AWS Bedrock Model Invocation Logging Disabled or Modified

AWS Bedrock model invocation logging captures the prompts and responses processed by foundation models and delivers them
to an S3 bucket or CloudWatch log group. This data feeds the `logs-aws_bedrock.invocation-*` dataset that all data-plane
Bedrock detections depend on. Deleting the configuration stops this telemetry entirely, while overwriting it with `Put`
can silently redirect logs to a destination the defender does not monitor. Either action effectively blinds the
data-plane detection stack, making this a high-priority defense-evasion event.

#### Possible investigation steps

- **Identify the actor and context**
  - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, `aws.cloudtrail.user_identity.access_key_id`, `user_agent.original`, and `source.ip`.
  - Determine whether the identity is an approved Bedrock administrator and whether a change request exists.
- **Determine the exact action**
  - For `DeleteModelInvocationLoggingConfiguration`, logging is being turned off entirely — confirm this is intentional.
  - For `PutModelInvocationLoggingConfiguration`, inspect `aws.cloudtrail.flattened.request_parameters` for the new
    `s3Config` bucket name / key prefix and `cloudWatchConfig` log group, and verify they are owned and monitored by your org.
- **Correlate surrounding activity**
  - Pivot on the same identity, `source.ip`, and `cloud.account.id` for prior enumeration
    (`GetModelInvocationLoggingConfiguration`) or follow-on Bedrock data-plane activity (model invocations) that would now
    be unlogged.
  - Check for parallel logging-tampering against CloudTrail, Config, or GuardDuty.

### False positive analysis

- **Planned changes**: Logging migrations or compliance updates may legitimately reconfigure or remove the
  configuration. Validate against change tickets and infrastructure-as-code pipelines.

### Response and remediation

- If unauthorized, restore model invocation logging to the approved destination and verify log delivery resumes into
  `logs-aws_bedrock.invocation-*`.
- Review and secure any attacker-specified S3 bucket or CloudWatch log group, and treat data sent there as exposed.
- Audit the actor's recent Bedrock and IAM activity and rotate credentials if compromise is suspected.
- Restrict `bedrock:DeleteModelInvocationLoggingConfiguration` and `bedrock:PutModelInvocationLoggingConfiguration` to a
  small set of administrative roles and alert on changes.
"""
references = [
    "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_DeleteModelInvocationLoggingConfiguration.html",
    "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_PutModelInvocationLoggingConfiguration.html",
    "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html"
]
risk_score = 73
rule_id = "fa830742-fd41-4b12-a287-2c57bdf079ef"
severity = "high"
tags = [
    "Domain: Cloud",
    "Domain: LLM",
    "Data Source: AWS",
    "Data Source: AWS CloudTrail",
    "Data Source: Amazon Web Services",
    "Data Source: Amazon Bedrock",
    "Use Case: Log Auditing",
    "Use Case: Threat Detection",
    "Resources: Investigation Guide",
    "Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset: "aws.cloudtrail" and
    event.provider: "bedrock.amazonaws.com" and
    event.action: ("DeleteModelInvocationLoggingConfiguration" or "PutModelInvocationLoggingConfiguration") and
    event.outcome: "success"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"

[[rule.threat.technique.subtechnique]]
id = "T1562.008"
name = "Disable or Modify Cloud Logs"
reference = "https://attack.mitre.org/techniques/T1562/008/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "source.as.number",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.provider",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.flattened.request_parameters",
    "aws.cloudtrail.response_elements",
]
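The following is an added example, not part of the Elastic rule above. It mirrors the rule's KQL query in Python and then carries out the "Determine the exact action" triage step for `PutModelInvocationLoggingConfiguration`: the new `s3Config` bucket and `cloudWatchConfig` log group are pulled from the request parameters and compared against an allow-list of destinations the organisation owns. The sample events, the allow-list, the account ID and the bucket and role names are all constructed for illustration; the `loggingConfig` nesting follows the Put API's request syntax, and the example accepts the request parameters either as a parsed object or as the raw JSON string CloudTrail records, since which shape arrives depends on the integration's mapping.

```python
"""Detection and first-pass triage for Bedrock invocation-logging tampering (added example)."""
import json

# Actions the rule alerts on (taken from the rule's query).
TAMPER_ACTIONS = {
    "DeleteModelInvocationLoggingConfiguration",
    "PutModelInvocationLoggingConfiguration",
}

# Constructed allow-list: destinations the organisation owns and monitors.
APPROVED_S3_BUCKETS = {"org-bedrock-invocation-logs"}
APPROVED_LOG_GROUPS = {"/aws/bedrock/modelinvocations"}


def matches_rule(event: dict) -> bool:
    """Python equivalent of the rule's KQL query (all four clauses AND-ed)."""
    return (
        event.get("data_stream.dataset") == "aws.cloudtrail"
        and event.get("event.provider") == "bedrock.amazonaws.com"
        and event.get("event.action") in TAMPER_ACTIONS
        and event.get("event.outcome") == "success"
    )


def new_destinations(event: dict) -> tuple:
    """Return (bucket_name, log_group_name) from a Put event's request parameters.

    Assumption: request parameters arrive either as a parsed object or as the raw
    JSON string; both are handled. Nesting follows the Put API request syntax:
    loggingConfig -> s3Config.bucketName and loggingConfig -> cloudWatchConfig.logGroupName.
    """
    raw = event.get("aws.cloudtrail.flattened.request_parameters") or "{}"
    params = json.loads(raw) if isinstance(raw, str) else raw
    cfg = params.get("loggingConfig") or {}
    bucket = (cfg.get("s3Config") or {}).get("bucketName")
    group = (cfg.get("cloudWatchConfig") or {}).get("logGroupName")
    return bucket, group


def triage(event: dict) -> dict:
    """Classify one matching event and collect the facts an analyst checks first."""
    action = event["event.action"]
    finding = {
        "action": action,
        "actor": event.get("aws.cloudtrail.user_identity.arn"),
        "source_ip": event.get("source.ip"),
        "account": event.get("cloud.account.id"),
        "unapproved_destinations": [],
    }
    if action == "DeleteModelInvocationLoggingConfiguration":
        finding["verdict"] = "logging disabled"   # telemetry stops entirely
        return finding
    bucket, group = new_destinations(event)
    if bucket and bucket not in APPROVED_S3_BUCKETS:
        finding["unapproved_destinations"].append(f"s3://{bucket}")
    if group and group not in APPROVED_LOG_GROUPS:
        finding["unapproved_destinations"].append(f"cloudwatch:{group}")
    finding["verdict"] = (
        "logging redirected" if finding["unapproved_destinations"] else "destination approved"
    )
    return finding


def run_rule(events: list) -> list:
    """Apply the rule to a batch of events and triage every hit, in order."""
    return [triage(e) for e in events if matches_rule(e)]


def _event(action, outcome, actor, **extra):
    """Build a constructed CloudTrail event in the flattened field names the rule uses."""
    base = {
        "data_stream.dataset": "aws.cloudtrail",
        "event.provider": "bedrock.amazonaws.com",
        "event.action": action,
        "event.outcome": outcome,
        "aws.cloudtrail.user_identity.arn": f"arn:aws:iam::111122223333:{actor}",
        "source.ip": "203.0.113.10",
        "cloud.account.id": "111122223333",
    }
    base.update(extra)
    return base


# Constructed sample batch: two non-hits followed by the three cases the guide describes.
SAMPLE_EVENTS = [
    _event("GetModelInvocationLoggingConfiguration", "success", "user/contractor"),      # enumeration only
    _event("DeleteModelInvocationLoggingConfiguration", "failure", "user/contractor"),   # access denied
    _event("DeleteModelInvocationLoggingConfiguration", "success", "user/contractor"),
    _event("PutModelInvocationLoggingConfiguration", "success", "user/contractor",
           **{"aws.cloudtrail.flattened.request_parameters": {"loggingConfig": {
               "s3Config": {"bucketName": "unknown-external-bucket", "keyPrefix": "bedrock/"},
               "textDataDeliveryEnabled": True}}}),
    _event("PutModelInvocationLoggingConfiguration", "success", "role/BedrockLoggingAdmin",
           **{"aws.cloudtrail.flattened.request_parameters": json.dumps({"loggingConfig": {
               "cloudWatchConfig": {"logGroupName": "/aws/bedrock/modelinvocations"}}})}),
]

if __name__ == "__main__":
    for finding in run_rule(SAMPLE_EVENTS):
        print(finding)
```

The read-only `Get` call and the failed `Delete` are deliberately left out of the hits, matching the rule's `event.outcome: "success"` clause; the `Get` is still the kind of event the guide suggests pivoting on once a hit exists.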

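The last remediation item, restricting the two logging-configuration actions to a few administrative roles, can be enforced with a service control policy that denies them to every principal except the approved roles. The block below is an added example, not part of the Elastic rule: it builds such a policy and includes a deliberately small evaluator covering only this Deny statement (a simplification of IAM's real evaluation logic, used here to show why `StringNotLike` with several values exempts any one approved role). The account ID and role names are constructed placeholders.

```python
"""Build and sanity-check an SCP that fences off Bedrock logging-configuration changes (added example)."""
import fnmatch
import json

# Constructed placeholders: the only roles allowed to change invocation logging.
APPROVED_ROLE_PATTERNS = [
    "arn:aws:iam::111122223333:role/BedrockLoggingAdmin",
    "arn:aws:iam::111122223333:role/TerraformApply",
]

GUARDED_ACTIONS = [
    "bedrock:DeleteModelInvocationLoggingConfiguration",
    "bedrock:PutModelInvocationLoggingConfiguration",
]


def build_scp(approved_roles: list) -> dict:
    """Deny the guarded actions unless aws:PrincipalArn matches one of the approved roles.

    aws:PrincipalArn carries the role ARN for role sessions, so the patterns list
    role ARNs rather than assumed-role session ARNs.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyBedrockLoggingTamper",
            "Effect": "Deny",
            "Action": GUARDED_ACTIONS,
            "Resource": "*",
            "Condition": {"StringNotLike": {"aws:PrincipalArn": list(approved_roles)}},
        }],
    }


def is_denied(policy: dict, principal_arn: str, action: str) -> bool:
    """Simplified evaluator for Deny statements of the shape produced above.

    Modelled semantics: an explicit Deny applies when the action matches and the
    condition holds; StringNotLike with several values is true only when the key
    matches NONE of them, so each approved role escapes the Deny. Allow statements,
    other condition operators and resource matching are out of scope. Real IAM
    matches actions case-insensitively; this helper keeps the canonical casing.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pat) for pat in actions):
            continue
        patterns = stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:PrincipalArn", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        matches_any = any(fnmatch.fnmatchcase(principal_arn, pat) for pat in patterns)
        if not patterns or not matches_any:
            return True
    return False


def policy_json(approved_roles: list) -> str:
    """Serialised policy document, ready to attach to the organisational unit."""
    return json.dumps(build_scp(approved_roles), indent=2)


if __name__ == "__main__":
    scp = build_scp(APPROVED_ROLE_PATTERNS)
    for arn in ("arn:aws:iam::111122223333:role/BedrockLoggingAdmin",
                "arn:aws:iam::111122223333:role/DataScientist"):
        for act in GUARDED_ACTIONS:
            print(f"{arn} {act}: {'DENY' if is_denied(scp, arn, act) else 'not denied by SCP'}")
    print(policy_json(APPROVED_ROLE_PATTERNS))
```

Pair the policy with the detection rule rather than relying on either alone: the SCP stops the change, and a hit on the rule from a non-approved principal then indicates a policy gap or a principal that should not exist.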