AWS Bedrock Provisioned Model Throughput Tampering
Detects creation, modification, or deletion of AWS Bedrock Provisioned Model Throughput via the CreateProvisionedModelThroughput, UpdateProvisionedModelThroughput, and DeleteProvisionedModelThroughput APIs. Provisioned Throughput reserves dedicated, billed model capacity for Amazon Bedrock. An adversary who scales this capacity up can drive large, unauthorized cost (cloud resource/bill hijacking), while deleting reserved throughput can cause denial of service to production workloads that depend on that committed capacity. These control-plane changes should be validated against approved capacity-planning and change-management processes.
Elastic rule
[metadata]
creation_date = "2026/06/04"
integration = ["aws"]
maturity = "production"
updated_date = "2026/06/04"

[rule]
author = ["Elastic"]
description = """
Detects creation, modification, or deletion of AWS Bedrock Provisioned Model Throughput via the
CreateProvisionedModelThroughput, UpdateProvisionedModelThroughput, and DeleteProvisionedModelThroughput APIs.
Provisioned Throughput reserves dedicated, billed model capacity for Amazon Bedrock. An adversary who scales this
capacity up can drive large, unauthorized cost (cloud resource/bill hijacking), while deleting reserved throughput can
cause denial of service to production workloads that depend on that committed capacity. These control-plane changes
should be validated against approved capacity-planning and change-management processes.
"""
false_positives = [
    """
    Provisioned Throughput changes may be performed by platform, ML, or FinOps teams as part of capacity planning,
    scaling for production demand, or cost optimization. Infrastructure-as-code pipelines and automation roles may also
    create, update, or delete provisioned throughput during deployments. Verify that the user identity, user agent, and
    source IP correspond to known administrators or automation and that a corresponding change request exists. If known
    behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-6m"
index = ["logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS Bedrock Provisioned Model Throughput Tampering"
note = """## Triage and analysis

### Investigating AWS Bedrock Provisioned Model Throughput Tampering

Amazon Bedrock Provisioned Throughput reserves dedicated, billed model capacity for foundation models.
Because this capacity is committed and metered, adversaries can abuse it in two ways: scaling capacity up to
incur large, unauthorized cloud spend (resource/bill hijacking), or deleting reserved throughput to deny
service to production workloads that rely on committed capacity. This rule identifies
`CreateProvisionedModelThroughput`, `UpdateProvisionedModelThroughput`, and `DeleteProvisionedModelThroughput`
calls so responders can confirm whether the change was authorized.

#### Possible investigation steps

- **Identify the actor and context**
  - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`,
    `aws.cloudtrail.user_identity.access_key_id`, `user_agent.original`, and `source.ip`.
  - Determine whether the identity is an approved administrator, ML/platform engineer, or automation role.
  - Confirm a corresponding change request or capacity-planning ticket exists.
- **Validate the request details**
  - Inspect `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` for the model ID,
    commitment duration, and requested model units. Unusually large model-unit counts or long commitment
    terms on a Create/Update may indicate cost-driven abuse.
  - For `DeleteProvisionedModelThroughput`, identify which provisioned model was removed and whether any
    production workload depended on it.
- **Correlate activity**
  - Review other Bedrock control-plane actions (e.g., model invocation logging changes, guardrail changes)
    and IAM/STS activity from the same identity around the same time.
  - Check `cloud.account.id` and `cloud.region` for whether the activity occurred in an expected account/region.

### False positive analysis

- **Capacity planning**: Platform, ML, or FinOps teams may legitimately create, update, or delete provisioned
  throughput. Validate against change tickets and standard capacity-management procedures.
- **Automation**: IaC or deployment pipelines may manage provisioned throughput on bootstrap or teardown.
  Confirm the source IP and ARN match expected automation infrastructure.

### Response and remediation

- If unauthorized, immediately disable the offending access key or role and revert the change (delete
  unauthorized provisioned throughput, or recreate deleted reserved capacity required by production).
- Review billing and Cost Explorer for unexpected Bedrock provisioned-throughput charges.
- Audit the actor's recent activity and rotate credentials if compromise is suspected.
- Restrict `bedrock:CreateProvisionedModelThroughput`, `bedrock:UpdateProvisionedModelThroughput`, and
  `bedrock:DeleteProvisionedModelThroughput` to a small set of administrative roles and enforce approval
  workflows and budget alarms.

### Additional information

- **[Amazon Bedrock Provisioned Throughput](https://docs.aws.amazon.com/bedrock/latest/userguide/prov-throughput.html)**
"""
references = [
    "https://docs.aws.amazon.com/bedrock/latest/userguide/prov-throughput.html",
    "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_CreateProvisionedModelThroughput.html",
    "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_DeleteProvisionedModelThroughput.html",
    "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_UpdateProvisionedModelThroughput.html"
]
risk_score = 47
rule_id = "42b5e06d-b297-4286-a004-ae0da92c5b81"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: LLM",
    "Data Source: AWS",
    "Data Source: AWS CloudTrail",
    "Data Source: Amazon Web Services",
    "Data Source: Amazon Bedrock",
    "Use Case: Threat Detection",
    "Resources: Investigation Guide",
    "Tactic: Impact",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset: "aws.cloudtrail" and
    event.provider: "bedrock.amazonaws.com" and
    event.action: (
        "CreateProvisionedModelThroughput" or
        "UpdateProvisionedModelThroughput" or
        "DeleteProvisionedModelThroughput"
    ) and
    event.outcome: "success"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1496"
name = "Resource Hijacking"
reference = "https://attack.mitre.org/techniques/T1496/"

[[rule.threat.technique.subtechnique]]
id = "T1496.004"
name = "Cloud Service Hijacking"
reference = "https://attack.mitre.org/techniques/T1496/004/"

[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.provider",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]
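The following Python is an added example, not part of the Elastic rule or its repository: it re-implements the rule's KQL filter over ECS-shaped CloudTrail documents and then applies the note's triage checks (unapproved actor, large model-unit count, long commitment term, deleted provisioned model). The sample documents, the approved ARN set, and the model-unit ceiling are constructed assumptions; `modelUnits`, `commitmentDuration`, and `provisionedModelId` are the parameter names from the Bedrock API reference linked in the rule.

```python
import json

WATCHED_ACTIONS = {"CreateProvisionedModelThroughput", "UpdateProvisionedModelThroughput",
                   "DeleteProvisionedModelThroughput"}
# Assumed per-account planning ceiling and approved change actors (both constructed).
MAX_EXPECTED_MODEL_UNITS = 10
APPROVED_ARNS = {"arn:aws:iam::111122223333:role/bedrock-capacity-deployer"}

def matches_rule(doc):
    """Mirror the rule's KQL: dataset, Bedrock provider, watched action, success outcome."""
    return (doc.get("data_stream.dataset") == "aws.cloudtrail"
            and doc.get("event.provider") == "bedrock.amazonaws.com"
            and doc.get("event.action") in WATCHED_ACTIONS
            and doc.get("event.outcome") == "success")

def triage(doc):
    """Apply the note's triage checks to one matched document and return findings."""
    findings = []
    if doc.get("aws.cloudtrail.user_identity.arn") not in APPROVED_ARNS:
        findings.append("actor is not an approved admin/automation ARN")
    # Elastic stores request_parameters as a string; parse the constructed JSON form.
    params = json.loads(doc.get("aws.cloudtrail.request_parameters") or "{}")
    action = doc["event.action"]
    if action == "CreateProvisionedModelThroughput":
        units = int(params.get("modelUnits", 0))
        if units > MAX_EXPECTED_MODEL_UNITS:
            findings.append(f"modelUnits={units} exceeds planning ceiling")
        if params.get("commitmentDuration") == "SixMonths":
            findings.append("long (six-month) commitment term requested")
    elif action == "DeleteProvisionedModelThroughput":
        findings.append(f"removed {params.get('provisionedModelId')}; check dependent workloads")
    return findings

SAMPLE_DOCS = [  # constructed ECS-shaped documents, not real CloudTrail data
    {"data_stream.dataset": "aws.cloudtrail", "event.provider": "bedrock.amazonaws.com",
     "event.action": "CreateProvisionedModelThroughput", "event.outcome": "success",
     "aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/temp-contractor",
     "aws.cloudtrail.request_parameters": json.dumps(
         {"modelId": "example-model-id", "modelUnits": 200, "commitmentDuration": "SixMonths"})},
    {"data_stream.dataset": "aws.cloudtrail", "event.provider": "bedrock.amazonaws.com",
     "event.action": "DeleteProvisionedModelThroughput", "event.outcome": "success",
     "aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:role/bedrock-capacity-deployer",
     "aws.cloudtrail.request_parameters": json.dumps({"provisionedModelId": "pm-example"})},
    {"data_stream.dataset": "aws.cloudtrail", "event.provider": "bedrock.amazonaws.com",
     "event.action": "CreateProvisionedModelThroughput", "event.outcome": "failure"},  # denied call
]

def run(docs=SAMPLE_DOCS):
    """Return {doc index: findings} for every document the rule would alert on."""
    return {i: triage(d) for i, d in enumerate(docs) if matches_rule(d)}
```

The failed Create (third document) is dropped by the `event.outcome: "success"` clause, so a denied attempt needs a separate rule if you want to see it.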
Related rules
- AWS Bedrock Foundation Model Access Enabled or Entitlement Granted
- AWS Bedrock Unauthorized Foundation Model Access Attempt
- AWS Bedrock Agent or Action Group Manipulation
- AWS Bedrock Untrusted Model Imported or Marketplace Endpoint Registered
- AWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN