AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Requestedit
Identifies multiple violations of AWS Bedrock guardrails within a single request, resulting in a block action, increasing the likelihood of malicious intent. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.
Rule type: esql
Rule indices: None
Severity: low
Risk score: 21
Runs every: 10m
Searches indices from: now-60m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: LLM
- Data Source: AWS Bedrock
- Data Source: AWS S3
- Resources: Investigation Guide
- Use Case: Policy Violation
- Mitre Atlas: T0051
- Mitre Atlas: T0054
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Setupedit
Setup
This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:
https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
Rule queryedit
from logs-aws_bedrock.invocation-* | where gen_ai.policy.action == "BLOCKED" | eval policy_violations = mv_count(gen_ai.policy.name) | where policy_violations > 1 | stats total_unique_request_violations = count(*) by policy_violations, user.id, gen_ai.request.model.id, cloud.account.id | sort total_unique_request_violations desc