AWS Bedrock Model Invocation Logging Disabled or Modified

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

AWS Bedrock Model Invocation Logging Disabled or Modified

Detects when an AWS Bedrock model invocation logging configuration is deleted or overwritten via the DeleteModelInvocationLoggingConfiguration or PutModelInvocationLoggingConfiguration API calls. Model invocation logging is the source that feeds the logs-aws_bedrock.invocation-* dataset relied upon by all data-plane Bedrock detections. An adversary who has gained access to a Bedrock environment can blind defenders by deleting this configuration, or by using the Put API to redirect logs to an attacker-controlled or non-monitored S3 bucket or CloudWatch log group. Because this single control-plane action can neutralize the entire data-plane detection stack, it is a high-value evasion technique that should be validated against expected administrative change activity.

Rule type: query

Rule indices:

logs-aws.cloudtrail-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Domain: Cloud
Domain: LLM
Data Source: AWS
Data Source: AWS CloudTrail
Data Source: Amazon Web Services
Data Source: Amazon Bedrock
Use Case: Log Auditing
Use Case: Threat Detection
Resources: Investigation Guide
Tactic: Defense Evasion

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating AWS Bedrock Model Invocation Logging Disabled or Modified

AWS Bedrock model invocation logging captures the prompts and responses processed by foundation models and delivers them to an S3 bucket or CloudWatch log group. This data feeds the logs-aws_bedrock.invocation-* dataset that all data-plane Bedrock detections depend on. Deleting the configuration stops this telemetry entirely, while overwriting it with Put can silently redirect logs to a destination the defender does not monitor. Either action effectively blinds the data-plane detection stack, making this a high-priority defense-evasion event.

Possible investigation steps

Identify the actor and context
Review aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.type, aws.cloudtrail.user_identity.access_key_id, user_agent.original, and source.ip.
Determine whether the identity is an approved Bedrock administrator and whether a change request exists.
Determine the exact action
For DeleteModelInvocationLoggingConfiguration, logging is being turned off entirely — confirm this is intentional.
For PutModelInvocationLoggingConfiguration, inspect aws.cloudtrail.flattened.request_parameters for the new s3Config bucket name / key prefix and cloudWatchConfig log group, and verify they are owned and monitored by your org.
Correlate surrounding activity
Pivot on the same identity, source.ip, and cloud.account.id for prior enumeration (GetModelInvocationLoggingConfiguration) or follow-on Bedrock data-plane activity (model invocations) that would now be unlogged.
Check for parallel logging-tampering against CloudTrail, Config, or GuardDuty.

False positive analysis

Planned changes: Logging migrations or compliance updates may legitimately reconfigure or remove the configuration. Validate against change tickets and infrastructure-as-code pipelines.

Response and remediation

If unauthorized, restore model invocation logging to the approved destination and verify log delivery resumes into logs-aws_bedrock.invocation-*.
Review and secure any attacker-specified S3 bucket or CloudWatch log group, and treat data sent there as exposed.
Audit the actor’s recent Bedrock and IAM activity and rotate credentials if compromise is suspected.
Restrict bedrock:DeleteModelInvocationLoggingConfiguration and bedrock:PutModelInvocationLoggingConfiguration to a small set of administrative roles and alert on changes.

Rule query

edit

data_stream.dataset: "aws.cloudtrail" and
    event.provider: "bedrock.amazonaws.com" and
    event.action: ("DeleteModelInvocationLoggingConfiguration" or "PutModelInvocationLoggingConfiguration") and
    event.outcome: "success"

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Impair Defenses
- ID: T1562
- Reference URL: https://attack.mitre.org/techniques/T1562/
Sub-technique:
- Name: Disable or Modify Cloud Logs
- ID: T1562.008
- Reference URL: https://attack.mitre.org/techniques/T1562/008/

« AWS Bedrock Knowledge Base or RAG Data Source Tampering AWS Bedrock Provisioned Model Throughput Tampering »