AWS Bedrock Agent or Action Group Manipulation

Detects modification of deployed Amazon Bedrock agents and their action groups, collaborators, or aliases via the Bedrock Agent control plane. Adversaries with access to an AWS account can tamper with an existing, trusted agent by altering its instructions (UpdateAgent), adding or changing action groups that wire the agent to Lambda functions or APIs (CreateAgentActionGroup, UpdateAgentActionGroup), attaching or modifying collaborators (AssociateAgentCollaborator, UpdateAgentCollaborator), or repointing an alias to a tampered version (CreateAgentAlias, UpdateAgentAlias). A PrepareAgent call is required to make a tampered configuration live. By implanting malicious behavior into an agent that legitimate users continue to invoke, an attacker can maintain durable access through a trusted component. Creation of brand-new agents (CreateAgent) is intentionally excluded as lower-signal activity.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/06/04"
integration = ["aws"]
maturity = "production"
updated_date = "2026/06/04"

[rule]
author = ["Elastic"]
description = """
Detects modification of deployed Amazon Bedrock agents and their action groups, collaborators, or aliases via the
Bedrock Agent control plane. Adversaries with access to an AWS account can tamper with an existing, trusted agent by
altering its instructions (UpdateAgent), adding or changing action groups that wire the agent to Lambda functions or
APIs (CreateAgentActionGroup, UpdateAgentActionGroup), attaching or modifying collaborators (AssociateAgentCollaborator,
UpdateAgentCollaborator), or repointing an alias to a tampered version (CreateAgentAlias, UpdateAgentAlias). A
PrepareAgent call is required to make a tampered configuration live. By implanting malicious behavior into an agent that
legitimate users continue to invoke, an attacker can maintain durable access through a trusted component. Creation of
brand-new agents (CreateAgent) is intentionally excluded as lower-signal activity.
"""
false_positives = [
    """
    Bedrock agent and action group changes are common during legitimate development, prompt tuning, and CI/CD
    deployments. Verify whether the user identity, user agent, and/or source IP should be modifying agents in your
    environment, and confirm a corresponding change request exists. Automation roles (IaC pipelines, deployment tooling)
    may routinely call these APIs and can be exempted from the rule if they generate false positives.
    """,
]
from = "now-6m"
index = ["logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS Bedrock Agent or Action Group Manipulation"
note = """## Triage and analysis

### Investigating AWS Bedrock Agent or Action Group Manipulation

Amazon Bedrock agents orchestrate foundation models with developer-defined instructions and action groups that connect
the agent to Lambda functions or APIs. Because end users and applications repeatedly invoke deployed agents, an attacker
who modifies an existing agent's instructions, action groups, collaborators, or alias can implant durable malicious
behavior into a trusted component without deploying any new infrastructure. The `PrepareAgent` call makes a tampered
configuration live, and updating an alias repoints traffic to the tampered version.

This rule identifies changes to existing Bedrock agents while intentionally excluding `CreateAgent`, which represents
net-new resource creation rather than tampering with established, trusted agents.

#### Possible investigation steps

- **Identify the actor and context**
  - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and
    `aws.cloudtrail.user_identity.access_key_id` to determine who made the change.
  - Inspect `source.ip`, `user_agent.original`, and `aws.cloudtrail.user_identity.invoked_by` to establish whether the
    change came from an interactive session, automation, or an unfamiliar location.
  - Confirm whether a corresponding change request or deployment exists for the affected agent.
- **Examine the change**
  - Review `aws.cloudtrail.request_parameters` and `aws.cloudtrail.flattened.request_parameters` for the targeted agent
    ID, action group definition, Lambda ARN, collaborator, or alias routing configuration.
  - For `UpdateAgent`, inspect the modified instruction text for prompt-injection or data-exfiltration intent.
  - For action group changes, validate the referenced Lambda function or API schema ownership and intent.
  - For alias changes, confirm which agent version the alias now points to.
- **Correlate activity**
  - Look for a `PrepareAgent` call following configuration changes, which indicates the tampered config was made live.
  - Search for surrounding IAM, Lambda, or STS activity from the same identity that could indicate broader compromise.

### False positive analysis

- **Planned development and tuning**: Legitimate developers regularly update agent instructions and action groups.
  Validate against change tickets and known engineering activity.
- **Automation**: IaC pipelines and deployment tooling may call these APIs on every release. Exempt known automation
  roles if they cause recurring false positives.

### Response and remediation

- If the change is unauthorized, revert the agent, action group, collaborator, and alias to a known-good version and
  re-run `PrepareAgent` to restore trusted behavior.
- Disable or rotate the credentials identified in `aws.cloudtrail.user_identity.access_key_id` if compromise is
  suspected.
- Review the affected agent's action group Lambda functions and APIs for malicious code or data flows.
- Restrict `bedrock:UpdateAgent`, `bedrock:*AgentActionGroup`, `bedrock:*AgentCollaborator`, `bedrock:*AgentAlias`, and
  `bedrock:PrepareAgent` permissions to a small set of administrative roles.
"""
references = [
    "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_UpdateAgent.html",
    "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_CreateAgentActionGroup.html",
    "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_PrepareAgent.html",
]
risk_score = 47
rule_id = "a953f6d5-01cd-4f4c-94dc-207e34965cac"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: LLM",
    "Data Source: AWS",
    "Data Source: AWS CloudTrail",
    "Data Source: Amazon Web Services",
    "Data Source: Amazon Bedrock",
    "Use Case: Threat Detection",
    "Resources: Investigation Guide",
    "Tactic: Persistence",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
data_stream.dataset: "aws.cloudtrail" and
    event.provider: "bedrock.amazonaws.com" and
    event.action: (
        "UpdateAgent" or
        "CreateAgentActionGroup" or
        "UpdateAgentActionGroup" or
        "AssociateAgentCollaborator" or
        "UpdateAgentCollaborator" or
        "CreateAgentAlias" or
        "UpdateAgentAlias" or
        "PrepareAgent"
    ) and
    event.outcome: "success"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1505"
name = "Server Software Component"
reference = "https://attack.mitre.org/techniques/T1505/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "aws.cloudtrail.user_identity.invoked_by",
    "event.action",
    "event.provider",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]

[rule.new_terms]
field = "new_terms_fields"
value = ["aws.cloudtrail.user_identity.arn"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"

Triage and analysis

Investigating AWS Bedrock Agent or Action Group Manipulation

Amazon Bedrock agents orchestrate foundation models with developer-defined instructions and action groups that connect the agent to Lambda functions or APIs. Because end users and applications repeatedly invoke deployed agents, an attacker who modifies an existing agent's instructions, action groups, collaborators, or alias can implant durable malicious behavior into a trusted component without deploying any new infrastructure. The PrepareAgent call makes a tampered configuration live, and updating an alias repoints traffic to the tampered version.

This rule identifies changes to existing Bedrock agents while intentionally excluding CreateAgent, which represents net-new resource creation rather than tampering with established, trusted agents.

Possible investigation steps

  • Identify the actor and context
    • Review aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.type, and aws.cloudtrail.user_identity.access_key_id to determine who made the change.
    • Inspect source.ip, user_agent.original, and aws.cloudtrail.user_identity.invoked_by to establish whether the change came from an interactive session, automation, or an unfamiliar location.
    • Confirm whether a corresponding change request or deployment exists for the affected agent.
  • Examine the change
    • Review aws.cloudtrail.request_parameters and aws.cloudtrail.flattened.request_parameters for the targeted agent ID, action group definition, Lambda ARN, collaborator, or alias routing configuration.
    • For UpdateAgent, inspect the modified instruction text for prompt-injection or data-exfiltration intent.
    • For action group changes, validate the referenced Lambda function or API schema ownership and intent.
    • For alias changes, confirm which agent version the alias now points to.
  • Correlate activity
    • Look for a PrepareAgent call following configuration changes, which indicates the tampered config was made live.
    • Search for surrounding IAM, Lambda, or STS activity from the same identity that could indicate broader compromise.
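
The rule's query, its 7-day new-terms suppression on the identity ARN, and the PrepareAgent correlation step above, replayed over raw CloudTrail records as an added example (not Elastic's code). The sample events, ARNs, agent ID, the `agentId` request-parameter key, the use of `errorCode` as the failure marker and the one-hour `LIVE_WINDOW` are constructed assumptions; the new-terms logic is a simplified emulation of the rule type.

```python
from datetime import datetime, timedelta

ACTIONS = {"UpdateAgent", "CreateAgentActionGroup", "UpdateAgentActionGroup",
           "AssociateAgentCollaborator", "UpdateAgentCollaborator",
           "CreateAgentAlias", "UpdateAgentAlias", "PrepareAgent"}
HISTORY = timedelta(days=7)       # rule.new_terms history window (now-7d)
LIVE_WINDOW = timedelta(hours=1)  # assumption: max gap between a change and PrepareAgent

def matches(ev):
    """Rule query on a raw record; a present errorCode is treated as failure."""
    return (ev["eventSource"] == "bedrock.amazonaws.com"
            and ev["eventName"] in ACTIONS and "errorCode" not in ev)

def triage(events):
    """Return (alerts, made_live) for an iterable of CloudTrail records."""
    last_seen, pending, alerts, made_live = {}, {}, [], []
    for ev in sorted(filter(matches, events), key=lambda e: e["eventTime"]):
        ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        arn = ev["userIdentity"]["arn"]
        key = (arn, ev.get("requestParameters", {}).get("agentId"))
        # new_terms: alert only when this ARN had no matching event in HISTORY
        if arn not in last_seen or ts - last_seen[arn] > HISTORY:
            alerts.append((ev["eventTime"], arn, ev["eventName"]))
        last_seen[arn] = ts
        if ev["eventName"] == "PrepareAgent":
            changes = [n for n, t in pending.pop(key, []) if ts - t <= LIVE_WINDOW]
            if changes:
                made_live.append((arn, key[1], changes))
        else:
            pending.setdefault(key, []).append((ev["eventName"], ts))
    return alerts, made_live

def sample_event(t, name, arn, agent="AGENT0001", **extra):
    return {"eventTime": t, "eventSource": "bedrock.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": {"agentId": agent}, **extra}
# Constructed sample data: account ID, ARNs and agent ID are placeholders.
CI = "arn:aws:sts::111122223333:assumed-role/ci-deploy/pipeline"
DEV = "arn:aws:iam::111122223333:user/example-dev"
SAMPLE = [
    sample_event("2026-06-01T09:00:00Z", "UpdateAgent", CI),
    sample_event("2026-06-01T09:01:00Z", "PrepareAgent", CI),
    sample_event("2026-06-03T09:00:00Z", "UpdateAgent", CI),  # ARN seen 2 days ago
    sample_event("2026-06-04T02:10:00Z", "UpdateAgentActionGroup", DEV),
    sample_event("2026-06-04T02:12:00Z", "PrepareAgent", DEV),
    sample_event("2026-06-04T02:15:00Z", "UpdateAgentAlias", DEV, errorCode="AccessDenied"),
    sample_event("2026-06-04T02:20:00Z", "CreateAgent", DEV),  # excluded by the rule
]
if __name__ == "__main__":
    print(triage(SAMPLE))
```

The `made_live` list is the higher-priority output: each entry is an identity whose change to an agent was followed by PrepareAgent, so the altered configuration is the one users are now invoking.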

False positive analysis

  • Planned development and tuning: Legitimate developers regularly update agent instructions and action groups. Validate against change tickets and known engineering activity.
  • Automation: IaC pipelines and deployment tooling may call these APIs on every release. Exempt known automation roles if they cause recurring false positives.

Response and remediation

  • If the change is unauthorized, revert the agent, action group, collaborator, and alias to a known-good version and re-run PrepareAgent to restore trusted behavior.
  • Disable or rotate the credentials identified in aws.cloudtrail.user_identity.access_key_id if compromise is suspected.
  • Review the affected agent's action group Lambda functions and APIs for malicious code or data flows.
  • Restrict bedrock:UpdateAgent, bedrock:*AgentActionGroup, bedrock:*AgentCollaborator, bedrock:*AgentAlias, and bedrock:PrepareAgent permissions to a small set of administrative roles.
