AWS Bedrock Knowledge Base or RAG Data Source Tampering
Detects control-plane mutations to AWS Bedrock knowledge bases and their backing RAG data sources via CloudTrail. An adversary with access to Bedrock Agent APIs can poison the corpus that RAG-enabled models treat as authoritative by ingesting attacker-controlled documents (IngestKnowledgeBaseDocuments, StartIngestionJob), deleting legitimate documents (DeleteKnowledgeBaseDocuments), or repointing/altering the data source itself (CreateDataSource, UpdateDataSource, DeleteDataSource, UpdateKnowledgeBase). Because downstream applications and users trust model answers grounded in this stored data, tampering with the corpus is a stored data manipulation that can drive misinformation, fraud, or manipulated decisions at inference time. This is a New Terms rule that looks for the first time a given identity ARN performs one of these knowledge base or data source mutations within the history window.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2026/06/05"
integration = ["aws"]
maturity = "production"
updated_date = "2026/06/05"

[rule]
author = ["Elastic"]
description = """
Detects control-plane mutations to AWS Bedrock knowledge bases and their backing RAG data sources via CloudTrail. An
adversary with access to Bedrock Agent APIs can poison the corpus that RAG-enabled models treat as authoritative by
ingesting attacker-controlled documents (IngestKnowledgeBaseDocuments, StartIngestionJob), deleting legitimate documents
(DeleteKnowledgeBaseDocuments), or repointing/altering the data source itself (CreateDataSource, UpdateDataSource,
DeleteDataSource, UpdateKnowledgeBase). Because downstream applications and users trust model answers grounded in this
stored data, tampering with the corpus is a stored data manipulation that can drive misinformation, fraud, or
manipulated decisions at inference time. This is a New Terms rule that looks for the first time a given identity ARN
performs one of these knowledge base or data source mutations within the history window.
"""
false_positives = [
    """
    Legitimate knowledge base maintenance, content onboarding, and scheduled re-ingestion performed by data engineering
    teams, MLOps automation, or infrastructure-as-code pipelines will generate these events. Validate the calling
    identity, user agent, and source IP against known automation and approved operators. If a known maintenance workflow
    is causing noise, it can be exempted from this rule.
    """,
]
from = "now-6m"
index = ["logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS Bedrock Knowledge Base or RAG Data Source Tampering"
note = """## Triage and analysis

### Investigating AWS Bedrock Knowledge Base or RAG Data Source Tampering

AWS Bedrock knowledge bases provide Retrieval-Augmented Generation (RAG) by grounding model responses in a stored
corpus that is synchronized from a configured data source. Because RAG-enabled applications present these grounded
answers as authoritative, an adversary who can ingest, delete, or repoint the underlying corpus can poison the answers
returned to downstream users and systems. This rule detects control-plane changes to knowledge bases and data sources
that could enable such corpus poisoning.

#### Possible investigation steps

- **Identify the actor and context**
  - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and
    `aws.cloudtrail.user_identity.access_key_id`.
  - Examine `source.ip`, `user_agent.original`, and `aws.cloudtrail.user_identity.invoked_by` to determine whether the
    change came from an approved operator, automation, or an unexpected origin.
  - Confirm a related change request exists (content update, data source migration, scheduled ingestion).
- **Validate the specific action**
  - Inspect `event.action` and `aws.cloudtrail.flattened.request_parameters` to identify the knowledge base, data
    source, and any S3 bucket / ingestion configuration referenced.
  - For `CreateDataSource` / `UpdateDataSource`, verify the data source location (e.g., S3 bucket) is org-owned and not
    attacker-controlled.
  - For `IngestKnowledgeBaseDocuments` / `StartIngestionJob`, review what content was ingested and from where.
  - For `DeleteKnowledgeBaseDocuments` / `DeleteDataSource`, determine whether legitimate content was removed.
- **Correlate activity**
  - Look for prior enumeration of Bedrock resources or anomalous IAM/STS activity from the same identity.
  - Review `cloud.account.id` and `cloud.region` to confirm the change occurred where expected.

### False positive analysis

- **Planned content maintenance**: Routine ingestion, document updates, and re-syncs by data teams or MLOps automation
  are expected. Validate against change tickets and known automation roles.
- **Infrastructure-as-code**: Pipelines may create or update data sources during deployments. Confirm the source IP and
  ARN match expected automation.

### Response and remediation

- If unauthorized, suspend or disable the implicated knowledge base and data source to prevent further poisoned
  retrieval, and revert the corpus to a known-good state.
- Disable or rotate the credentials identified in `aws.cloudtrail.user_identity.access_key_id` if compromise is
  suspected.
- Audit recent ingestion jobs and document changes, and validate the integrity of the data source location.
- Restrict Bedrock Agent knowledge base and data source mutation permissions to a small set of trusted roles.
"""
references = [
    "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_Operations_Agents_for_Amazon_Bedrock.html"
]
risk_score = 47
rule_id = "7811b5f7-9e07-4999-87aa-a950365cd327"
setup = """## Setup

This rule requires the AWS CloudTrail integration. The data source and knowledge base configuration actions are management
events (captured by default), but the direct document operations (`IngestKnowledgeBaseDocuments`, `DeleteKnowledgeBaseDocuments`)
are Bedrock CloudTrail **data events** that are off by default. Without Bedrock data-event logging enabled on the trail, this rule
provides only **partial coverage** — it will see config changes but not direct document ingestion/deletion, the primary poisoning
vector. Enable Bedrock data-event logging for full coverage.
"""

severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: LLM",
    "Data Source: AWS",
    "Data Source: AWS CloudTrail",
    "Data Source: Amazon Web Services",
    "Data Source: Amazon Bedrock",
    "Use Case: Threat Detection",
    "Resources: Investigation Guide",
    "Tactic: Impact",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
data_stream.dataset: "aws.cloudtrail" and
    event.provider: "bedrock.amazonaws.com" and
    event.action: (
        "IngestKnowledgeBaseDocuments" or
        "DeleteKnowledgeBaseDocuments" or
        "UpdateKnowledgeBase" or
        "CreateDataSource" or
        "UpdateDataSource" or
        "DeleteDataSource" or
        "StartIngestionJob" or
        "DeleteKnowledgeBase"
    ) and
    event.outcome: "success"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1565"
name = "Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/"

[[rule.threat.technique.subtechnique]]
id = "T1565.001"
name = "Stored Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/001/"

[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.provider",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]

[rule.new_terms]
field = "new_terms_fields"
value = ["cloud.account.id"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
```
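As an added example (not part of the Elastic rule), the Python below is a simplified model of how the query and the New Terms settings combine, run over constructed CloudTrail events with placeholder account ID and ARNs. The new-terms field is a parameter because the description speaks of the identity ARN while `[rule.new_terms]` lists `cloud.account.id`, and the two choices alert differently.

```python
from datetime import datetime, timedelta, timezone

# Actions and time windows copied from the rule above.
MUTATIONS = {"IngestKnowledgeBaseDocuments", "DeleteKnowledgeBaseDocuments",
             "UpdateKnowledgeBase", "CreateDataSource", "UpdateDataSource",
             "DeleteDataSource", "StartIngestionJob", "DeleteKnowledgeBase"}
HISTORY = timedelta(days=7)      # history_window_start = "now-7d"
LOOKBACK = timedelta(minutes=6)  # from = "now-6m"

def matches(ev):
    """The rule query applied to one flattened event (a dict)."""
    return (ev.get("data_stream.dataset") == "aws.cloudtrail"
            and ev.get("event.provider") == "bedrock.amazonaws.com"
            and ev.get("event.action") in MUTATIONS
            and ev.get("event.outcome") == "success")

def new_terms_alerts(events, now, fields):
    """Matching events in the lookback whose `fields` values are new to the history window."""
    hits = sorted((e for e in events if matches(e)), key=lambda e: e["@timestamp"])
    recent = now - LOOKBACK
    seen = {tuple(e.get(f) for f in fields) for e in hits
            if now - HISTORY <= e["@timestamp"] < recent}
    alerts = []
    for e in hits:
        term = tuple(e.get(f) for f in fields)
        if recent <= e["@timestamp"] <= now and term not in seen:
            seen.add(term)  # one alert per new value
            alerts.append(e)
    return alerts

# Constructed sample events; the account ID and principals are placeholders.
NOW, ACCT = datetime(2026, 6, 5, 12, 0, tzinfo=timezone.utc), "111122223333"

def sample_event(minutes_ago, action, principal, outcome="success"):
    return {"@timestamp": NOW - timedelta(minutes=minutes_ago),
            "data_stream.dataset": "aws.cloudtrail",
            "event.provider": "bedrock.amazonaws.com",
            "event.action": action, "event.outcome": outcome, "cloud.account.id": ACCT,
            "aws.cloudtrail.user_identity.arn": f"arn:aws:iam::{ACCT}:{principal}"}

SAMPLE = [
    sample_event(3 * 24 * 60, "StartIngestionJob", "role/kb-sync"),  # routine sync, 3 days ago
    sample_event(4, "StartIngestionJob", "role/kb-sync"),            # same role again
    sample_event(3, "UpdateDataSource", "user/example-user"),        # identity not seen before
    sample_event(2, "DeleteDataSource", "user/example-user", "failure"),  # dropped: not success
]

if __name__ == "__main__":
    for fields in (["aws.cloudtrail.user_identity.arn"], ["cloud.account.id"]):
        print(fields, [e["event.action"] for e in new_terms_alerts(SAMPLE, NOW, fields)])
```

With the sample data, keying on the ARN alerts on the `UpdateDataSource` call by the unseen identity, while keying on `cloud.account.id` stays silent because the account already had a mutation inside the seven-day window.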
Triage and analysis
Investigating AWS Bedrock Knowledge Base or RAG Data Source Tampering
AWS Bedrock knowledge bases provide Retrieval-Augmented Generation (RAG) by grounding model responses in a stored corpus that is synchronized from a configured data source. Because RAG-enabled applications present these grounded answers as authoritative, an adversary who can ingest, delete, or repoint the underlying corpus can poison the answers returned to downstream users and systems. This rule detects control-plane changes to knowledge bases and data sources that could enable such corpus poisoning.
Possible investigation steps
- Identify the actor and context
  - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `aws.cloudtrail.user_identity.access_key_id`.
  - Examine `source.ip`, `user_agent.original`, and `aws.cloudtrail.user_identity.invoked_by` to determine whether the change came from an approved operator, automation, or an unexpected origin.
  - Confirm a related change request exists (content update, data source migration, scheduled ingestion).
- Validate the specific action
  - Inspect `event.action` and `aws.cloudtrail.flattened.request_parameters` to identify the knowledge base, data source, and any S3 bucket / ingestion configuration referenced.
  - For `CreateDataSource` / `UpdateDataSource`, verify the data source location (e.g., S3 bucket) is org-owned and not attacker-controlled.
  - For `IngestKnowledgeBaseDocuments` / `StartIngestionJob`, review what content was ingested and from where.
  - For `DeleteKnowledgeBaseDocuments` / `DeleteDataSource`, determine whether legitimate content was removed.
- Correlate activity
  - Look for prior enumeration of Bedrock resources or anomalous IAM/STS activity from the same identity.
  - Review `cloud.account.id` and `cloud.region` to confirm the change occurred where expected.
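One way to script the data source location check from the steps above, as an added example that is not part of the Elastic rule. It assumes the event's request parameters have been parsed into a dict that mirrors the `CreateDataSource` request body (`dataSourceConfiguration.s3Configuration.bucketArn` and `bucketOwnerAccountId`); the allow-lists, bucket names, account IDs and knowledge base ID are constructed placeholders.

```python
import re

ORG_ACCOUNTS = {"111122223333"}   # constructed: account IDs the organization owns
ORG_BUCKETS = {"corp-kb-docs"}    # constructed: buckets approved as corpus sources
BUCKET_ARN = re.compile(r"^arn:aws[a-z-]*:s3:::([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])$")

def assess_data_source(request_parameters):
    """Return (verdict, reasons) for a CreateDataSource/UpdateDataSource request."""
    cfg = (request_parameters or {}).get("dataSourceConfiguration") or {}
    if cfg.get("type") != "S3":
        # Web crawlers and SaaS connectors have no bucket to check here.
        return "review", [f"non-S3 source type {cfg.get('type')!r}"]
    s3 = cfg.get("s3Configuration") or {}
    m = BUCKET_ARN.match(s3.get("bucketArn") or "")
    if not m:
        return "suspicious", ["bucketArn missing or malformed"]
    bucket, owner, reasons = m.group(1), s3.get("bucketOwnerAccountId"), []
    if bucket not in ORG_BUCKETS:
        reasons.append(f"bucket {bucket!r} is not an approved corpus bucket")
    # bucketOwnerAccountId is optional; when absent only the bucket name is checked.
    if owner is not None and owner not in ORG_ACCOUNTS:
        reasons.append(f"bucket owner {owner} is outside the organization")
    return ("suspicious" if reasons else "ok"), reasons

def s3_source(bucket, owner=None):
    """Build a constructed request body in the CreateDataSource shape."""
    s3 = {"bucketArn": f"arn:aws:s3:::{bucket}"}
    if owner:
        s3["bucketOwnerAccountId"] = owner
    return {"knowledgeBaseId": "KBEXAMPLE01", "name": "docs",
            "dataSourceConfiguration": {"type": "S3", "s3Configuration": s3}}

if __name__ == "__main__":
    for req in (s3_source("corp-kb-docs", "111122223333"),
                s3_source("corp-kb-docs-backup", "999999999999"),
                {"dataSourceConfiguration": {"type": "WEB"}}):
        print(assess_data_source(req))
```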
False positive analysis
- Planned content maintenance: Routine ingestion, document updates, and re-syncs by data teams or MLOps automation are expected. Validate against change tickets and known automation roles.
- Infrastructure-as-code: Pipelines may create or update data sources during deployments. Confirm the source IP and ARN match expected automation.
Response and remediation
- If unauthorized, suspend or disable the implicated knowledge base and data source to prevent further poisoned retrieval, and revert the corpus to a known-good state.
- Disable or rotate the credentials identified in `aws.cloudtrail.user_identity.access_key_id` if compromise is suspected.
- Audit recent ingestion jobs and document changes, and validate the integrity of the data source location.
- Restrict Bedrock Agent knowledge base and data source mutation permissions to a small set of trusted roles.
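References
- https://docs.aws.amazon.com/bedrock/latest/APIReference/API_Operations_Agents_for_Amazon_Bedrock.html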
Related rules
- AWS Bedrock Provisioned Model Throughput Tampering
- AWS Bedrock Agent Created by IAM User or Root
- AWS Bedrock Automated Reasoning Safety Policy Tampering
- AWS Bedrock Guardrail Deleted or Weakened
- AWS Bedrock Model Invocation Logging Disabled or Modified