« AWS Bedrock Agent Created by IAM User or Root AWS Bedrock Unauthorized Foundation Model Access Attempt »
Elastic Docs Elastic Security [8.19] Downloadable rule update v8.19.26

AWS Bedrock Agent or Action Group Manipulation

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

AWS Bedrock Agent or Action Group Manipulation

edit

Detects modification of deployed Amazon Bedrock agents and their action groups, collaborators, or aliases via the Bedrock Agent control plane. Adversaries with access to an AWS account can tamper with an existing, trusted agent by altering its instructions (UpdateAgent), adding or changing action groups that wire the agent to Lambda functions or APIs (CreateAgentActionGroup, UpdateAgentActionGroup), attaching or modifying collaborators (AssociateAgentCollaborator, UpdateAgentCollaborator), or repointing an alias to a tampered version (CreateAgentAlias, UpdateAgentAlias). A PrepareAgent call is required to make a tampered configuration live. By implanting malicious behavior into an agent that legitimate users continue to invoke, an attacker can maintain durable access through a trusted component. Creation of brand-new agents (CreateAgent) is intentionally excluded as lower-signal activity.

Rule type: new_terms

Rule indices:

  • logs-aws.cloudtrail-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Domain: LLM
  • Data Source: AWS
  • Data Source: AWS CloudTrail
  • Data Source: Amazon Web Services
  • Data Source: Amazon Bedrock
  • Use Case: Threat Detection
  • Resources: Investigation Guide
  • Tactic: Persistence

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating AWS Bedrock Agent or Action Group Manipulation

Amazon Bedrock agents orchestrate foundation models with developer-defined instructions and action groups that connect the agent to Lambda functions or APIs. Because end users and applications repeatedly invoke deployed agents, an attacker who modifies an existing agent’s instructions, action groups, collaborators, or alias can implant durable malicious behavior into a trusted component without deploying any new infrastructure. The PrepareAgent call makes a tampered configuration live, and updating an alias repoints traffic to the tampered version.

This rule identifies changes to existing Bedrock agents while intentionally excluding CreateAgent, which represents net-new resource creation rather than tampering with established, trusted agents.

Possible investigation steps

  • Identify the actor and context
  • Review aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.type, and aws.cloudtrail.user_identity.access_key_id to determine who made the change.
  • Inspect source.ip, user_agent.original, and aws.cloudtrail.user_identity.invoked_by to establish whether the change came from an interactive session, automation, or an unfamiliar location.
  • Confirm whether a corresponding change request or deployment exists for the affected agent.
  • Examine the change
  • Review aws.cloudtrail.request_parameters and aws.cloudtrail.flattened.request_parameters for the targeted agent ID, action group definition, Lambda ARN, collaborator, or alias routing configuration.
  • For UpdateAgent, inspect the modified instruction text for prompt-injection or data-exfiltration intent.
  • For action group changes, validate the referenced Lambda function or API schema ownership and intent.
  • For alias changes, confirm which agent version the alias now points to.
  • Correlate activity
  • Look for a PrepareAgent call following configuration changes, which indicates the tampered config was made live.
  • Search for surrounding IAM, Lambda, or STS activity from the same identity that could indicate broader compromise.

False positive analysis

  • Planned development and tuning: Legitimate developers regularly update agent instructions and action groups. Validate against change tickets and known engineering activity.
  • Automation: IaC pipelines and deployment tooling may call these APIs on every release. Exempt known automation roles if they cause recurring false positives.

Response and remediation

  • If the change is unauthorized, revert the agent, action group, collaborator, and alias to a known-good version and re-run PrepareAgent to restore trusted behavior.
  • Disable or rotate the credentials identified in aws.cloudtrail.user_identity.access_key_id if compromise is suspected.
  • Review the affected agent’s action group Lambda functions and APIs for malicious code or data flows.
  • Restrict bedrock:UpdateAgent, bedrock:*AgentActionGroup, bedrock:*AgentCollaborator, bedrock:*AgentAlias, and bedrock:PrepareAgent permissions to a small set of administrative roles.

Rule query

edit
data_stream.dataset: "aws.cloudtrail" and
    event.provider: "bedrock.amazonaws.com" and
    event.action: (
        "UpdateAgent" or
        "CreateAgentActionGroup" or
        "UpdateAgentActionGroup" or
        "AssociateAgentCollaborator" or
        "UpdateAgentCollaborator" or
        "CreateAgentAlias" or
        "UpdateAgentAlias" or
        "PrepareAgent"
    ) and
    event.outcome: "success"

Framework: MITRE ATT&CKTM

« AWS Bedrock Agent Created by IAM User or Root AWS Bedrock Unauthorized Foundation Model Access Attempt »