AWS Bedrock Resource-Based Policy Modified or Deleted

Detects modification or deletion of resource-based access policies on AWS Bedrock resources via the PutResourcePolicy and DeleteResourcePolicy API calls. Resource-based policies govern which principals (including external accounts) may access Bedrock resources such as agents, knowledge bases, and custom models. An adversary may attach a resource policy granting an external or unexpected principal access to a Bedrock resource to establish persistence or enable cross-account access, or may delete an existing policy to weaken access controls. These changes should be validated for principal ownership and least-privilege intent.

Elastic rule

[metadata]
creation_date = "2026/06/04"
integration = ["aws"]
maturity = "production"
updated_date = "2026/06/04"

[rule]
author = ["Elastic"]
description = """
Detects modification or deletion of resource-based access policies on AWS Bedrock resources via the PutResourcePolicy
and DeleteResourcePolicy API calls. Resource-based policies govern which principals (including external accounts) may
access Bedrock resources such as agents, knowledge bases, and custom models. An adversary may attach a resource policy
granting an external or unexpected principal access to a Bedrock resource to establish persistence or enable
cross-account access, or may delete an existing policy to weaken access controls. These changes should be validated for
principal ownership and least-privilege intent.
"""
false_positives = [
    """
    Resource policy changes may be performed by administrators, infrastructure-as-code pipelines, or automation during
    legitimate onboarding, sharing, or access-management activities. Verify whether the user identity, user agent, and
    source IP are expected to manage Bedrock resource policies in your environment. Known automation can be exempted
    from the rule.
    """,
]
from = "now-6m"
index = ["logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS Bedrock Resource-Based Policy Modified or Deleted"
note = """## Triage and analysis

### Investigating AWS Bedrock Resource-Based Policy Modified or Deleted

AWS Bedrock resource-based policies control which principals can access Bedrock resources such as agents,
knowledge bases, and custom models. Adversaries can attach a policy that grants an external principal
access for persistence or cross-account access, or delete a policy to break existing access controls. This
rule detects successful `PutResourcePolicy` and `DeleteResourcePolicy` calls against the Bedrock control
plane.

#### Possible investigation steps

- **Identify the actor and context**
  - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`,
    `aws.cloudtrail.user_identity.access_key_id`, `user_agent.original`, and `source.ip`.
  - Confirm the identity is expected to manage Bedrock resource policies and that a related change request
    exists.
- **Validate the policy change**
  - For `PutResourcePolicy`, inspect `aws.cloudtrail.request_parameters` and
    `aws.cloudtrail.flattened.request_parameters` for the target resource ARN and the policy document.
    Look for `Principal` values referencing external AWS account IDs, `"*"`, or unfamiliar roles.
  - For `DeleteResourcePolicy`, determine which resource lost its policy and whether that resource should
    have remained restricted.
- **Correlate activity**
  - Look for related Bedrock actions (model invocation, agent updates, knowledge base access) from the same
    identity or the newly granted principal.
  - Check for prior enumeration of Bedrock resources or other recent IAM/resource-policy changes.

### False positive analysis

- **Planned access management**: Legitimate sharing or onboarding may add or remove resource policies.
  Validate against change tickets and standard templates.
- **Automation**: IaC or platform pipelines may set or remove resource policies during deployment. Confirm
  the actor matches known automation infrastructure.

### Response and remediation

- If the change is unauthorized, revert the resource policy to its approved state and remove any external
  or overly permissive principals.
- Disable or rotate the credentials in `aws.cloudtrail.user_identity.access_key_id` if compromise is
  suspected.
- Review all Bedrock and IAM activity from the same identity in the surrounding time window for further
  access grants or persistence.
- Restrict `bedrock:PutResourcePolicy` and `bedrock:DeleteResourcePolicy` to administrative roles and
  enforce least-privilege resource policies.
"""
references = [
    "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_PutResourcePolicy.html",
    "https://docs.aws.amazon.com/bedrock/latest/APIReference/API_DeleteResourcePolicy.html"
]
risk_score = 47
rule_id = "de0e9ed8-b68f-4249-957a-2c2bbdbd1c1b"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: LLM",
    "Data Source: AWS",
    "Data Source: AWS CloudTrail",
    "Data Source: Amazon Web Services",
    "Data Source: Amazon Bedrock",
    "Use Case: Identity and Access Audit",
    "Resources: Investigation Guide",
    "Tactic: Persistence",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
data_stream.dataset: "aws.cloudtrail" and
    event.provider: "bedrock.amazonaws.com" and
    event.action: ("PutResourcePolicy" or "DeleteResourcePolicy") and
    event.outcome: "success"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.provider",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]

[rule.new_terms]
field = "new_terms_fields"
value = ["aws.cloudtrail.user_identity.arn"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"

Triage and analysis

Investigating AWS Bedrock Resource-Based Policy Modified or Deleted

AWS Bedrock resource-based policies control which principals can access Bedrock resources such as agents, knowledge bases, and custom models. Adversaries can attach a policy that grants an external principal access for persistence or cross-account access, or delete a policy to break existing access controls. This rule detects successful PutResourcePolicy and DeleteResourcePolicy calls against the Bedrock control plane.

Possible investigation steps

  • Identify the actor and context
    • Review aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.type, aws.cloudtrail.user_identity.access_key_id, user_agent.original, and source.ip.
    • Confirm the identity is expected to manage Bedrock resource policies and that a related change request exists.
  • Validate the policy change
    • For PutResourcePolicy, inspect aws.cloudtrail.request_parameters and aws.cloudtrail.flattened.request_parameters for the target resource ARN and the policy document. Look for Principal values referencing external AWS account IDs, "*", or unfamiliar roles.
    • For DeleteResourcePolicy, determine which resource lost its policy and whether that resource should have remained restricted.
  • Correlate activity
    • Look for related Bedrock actions (model invocation, agent updates, knowledge base access) from the same identity or the newly granted principal.
    • Check for prior enumeration of Bedrock resources or other recent IAM/resource-policy changes.
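The following Python is an added example, not part of the Elastic rule: it applies the rule's query logic to constructed raw CloudTrail records (Bedrock provider, the two API names, success as the absence of errorCode) and then performs the "Validate the policy change" step by parsing the policy document from requestParameters and flagging wildcard or non-trusted Principal values. The TRUSTED_ACCOUNTS allowlist, the sample records, and the assumption that CloudTrail logs the policy as a JSON string under requestParameters.policy are mine, not the rule's.

```python
import json

TRUSTED_ACCOUNTS = {"111111111111"}  # constructed allowlist of accounts that own the resources (assumption)

def matches_rule(event):
    # Mirror of the rule's KQL on a raw CloudTrail record; "success" means CloudTrail recorded no errorCode.
    return (event.get("eventSource") == "bedrock.amazonaws.com"
            and event.get("eventName") in ("PutResourcePolicy", "DeleteResourcePolicy")
            and "errorCode" not in event)

def principals(policy):
    # Yield every principal from Allow statements; Principal is {"AWS": str|list} or the bare string "*".
    stmts = policy.get("Statement", [])
    for s in (stmts if isinstance(stmts, list) else [stmts]):
        if s.get("Effect") != "Allow":
            continue
        p = s.get("Principal", {})
        yield from (["*"] if p == "*" else [x for v in p.values() for x in (v if isinstance(v, list) else [v])])

def account_of(principal):
    # arn:aws:iam::ACCOUNT:role/Name -> ACCOUNT; bare account IDs and "*" pass through unchanged.
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def triage(event):
    # Findings for one matching event: a removed policy, or wildcard / non-trusted principals in a new one.
    params = event.get("requestParameters", {})
    if event["eventName"] == "DeleteResourcePolicy":
        return [f"policy removed from {params.get('resourceArn')}"]
    findings = []
    for p in principals(json.loads(params["policy"])):  # policy is logged as a JSON string (assumption)
        if account_of(p) == "*":
            findings.append(f"wildcard principal on {params.get('resourceArn')}")
        elif account_of(p) not in TRUSTED_ACCOUNTS:
            findings.append(f"external principal {p}")
    return findings

# Constructed sample records, not real CloudTrail data: a cross-account grant, a deletion, and a denied call.
POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "bedrock:InvokeAgent",
          "Resource": "*", "Principal": {"AWS": ["arn:aws:iam::222222222222:role/Partner", "111111111111"]}}]}
SAMPLE_EVENTS = [
    {"eventSource": "bedrock.amazonaws.com", "eventName": "PutResourcePolicy", "requestParameters":
        {"resourceArn": "arn:aws:bedrock:us-east-1:111111111111:agent/AGENT1", "policy": json.dumps(POLICY)}},
    {"eventSource": "bedrock.amazonaws.com", "eventName": "DeleteResourcePolicy", "requestParameters":
        {"resourceArn": "arn:aws:bedrock:us-east-1:111111111111:knowledge-base/KB1"}},
    {"eventSource": "bedrock.amazonaws.com", "eventName": "PutResourcePolicy", "errorCode": "AccessDeniedException",
        "requestParameters": {"resourceArn": "arn:aws:bedrock:us-east-1:111111111111:agent/AGENT1"}},
]

def run(events=SAMPLE_EVENTS):  # apply the rule filter, then triage each hit
    return [(e["eventName"], triage(e)) for e in events if matches_rule(e)]
```

The denied call is dropped by the filter just as event.outcome: "success" drops it in the rule; the first hit surfaces the partner-account role for ownership review while the trusted account ID produces no finding.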

False positive analysis

  • Planned access management: Legitimate sharing or onboarding may add or remove resource policies. Validate against change tickets and standard templates.
  • Automation: IaC or platform pipelines may set or remove resource policies during deployment. Confirm the actor matches known automation infrastructure.

Response and remediation

  • If the change is unauthorized, revert the resource policy to its approved state and remove any external or overly permissive principals.
  • Disable or rotate the credentials in aws.cloudtrail.user_identity.access_key_id if compromise is suspected.
  • Review all Bedrock and IAM activity from the same identity in the surrounding time window for further access grants or persistence.
  • Restrict bedrock:PutResourcePolicy and bedrock:DeleteResourcePolicy to administrative roles and enforce least-privilege resource policies.
