AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request

Identifies multiple violations of AWS Bedrock guardrails within a single request, resulting in a block action, increasing the likelihood of malicious intent. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2024/05/02"
  3maturity = "production"
  4updated_date = "2025/07/16"
  5
  6[rule]
  7author = ["Elastic"]
  8description = """
  9Identifies multiple violations of AWS Bedrock guardrails within a single request, resulting in a block action,
 10increasing the likelihood of malicious intent. Multiple violations implies that a user may be intentionally attempting
 11to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.
 12"""
 13false_positives = ["Legitimate misunderstanding by users or overly strict policies"]
 14from = "now-60m"
 15interval = "10m"
 16language = "esql"
 17license = "Elastic License v2"
 18name = "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request"
 19note = """## Triage and analysis
 20
 21### Investigating AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request
 22
 23Amazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.
 24
 25It enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.
 26
 27Through Guardrail, organizations can define "denied topics" to prevent the model from generating content on specific, undesired subjects,
 28and they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.
 29
 30#### Possible investigation steps
 31
 32- Identify the user account and the user request that caused multiple policy violations and whether it should perform this kind of action.
 33- Investigate the user activity that might indicate a potential brute force attack.
 34- Investigate other alerts associated with the user account during the past 48 hours.
 35- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?
 36- Examine the account's prompts and responses in the last 24 hours.
 37- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.
 38
 39### False positive analysis
 40
 41- Verify the user account that caused multiple policy violations, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.
 42
 43### Response and remediation
 44
 45- Initiate the incident response process based on the outcome of the triage.
 46- Disable or limit the account during the investigation and response.
 47- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
 48    - Identify the account role in the cloud environment.
 49    - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
 50    - Identify any regulatory or legal ramifications related to this activity.
 51- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
 52- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
 53- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 54"""
 55references = [
 56    "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html",
 57    "https://atlas.mitre.org/techniques/AML.T0051",
 58    "https://atlas.mitre.org/techniques/AML.T0054",
 59    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
 60]
 61risk_score = 21
 62rule_id = "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c"
 63setup = """## Setup
 64
 65This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:
 66
 67https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
 68"""
 69severity = "low"
 70tags = [
 71    "Domain: LLM",
 72    "Data Source: AWS Bedrock",
 73    "Data Source: AWS S3",
 74    "Resources: Investigation Guide",
 75    "Use Case: Policy Violation",
 76    "Mitre Atlas: T0051",
 77    "Mitre Atlas: T0054",
 78]
 79timestamp_override = "event.ingested"
 80type = "esql"
 81
 82query = '''
 83from logs-aws_bedrock.invocation-*
 84
 85// Filter for policy-blocked requests
 86| where gen_ai.policy.action == "BLOCKED"
 87
 88// count number of policy matches per request (multi-valued)
 89| eval Esql.ml_policy_violations_mv_count = mv_count(gen_ai.policy.name)
 90
 91// Filter for requests with more than one policy match
 92| where Esql.ml_policy_violations_mv_count > 1
 93
 94// keep relevant fields
 95| keep
 96  gen_ai.policy.action,
 97  Esql.ml_policy_violations_mv_count,
 98  user.id,
 99  gen_ai.request.model.id,
100  cloud.account.id
101
102// Aggregate requests with multiple violations
103| stats
104    Esql.ml_policy_violations_total_unique_requests_count = count(*)
105  by
106    Esql.ml_policy_violations_mv_count,
107    user.id,
108    gen_ai.request.model.id,
109    cloud.account.id
110
111// sort by number of unique requests
112| sort Esql.ml_policy_violations_total_unique_requests_count desc
113'''

Triage and analysis

Investigating AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request

Amazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.

It enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.

Through Guardrail, organizations can define "denied topics" to prevent the model from generating content on specific, undesired subjects, and they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.

Possible investigation steps

  • Identify the user account and the user request that caused multiple policy violations and whether it should perform this kind of action.
  • Investigate the user activity that might indicate a potential brute force attack.
  • Investigate other alerts associated with the user account during the past 48 hours.
  • Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?
  • Examine the account's prompts and responses in the last 24 hours.
  • If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.

False positive analysis

  • Verify the user account that caused multiple policy violations, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.

Response and remediation

  • Initiate the incident response process based on the outcome of the triage.
  • Disable or limit the account during the investigation and response.
  • Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
    • Identify the account role in the cloud environment.
    • Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
    • Identify any regulatory or legal ramifications related to this activity.
  • Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
  • Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
  • Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).

References

Related rules

to-top