AWS Bedrock Automated Reasoning Safety Policy Tampering

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

AWS Bedrock Automated Reasoning Safety Policy Tampering

Detects deletion or modification of AWS Bedrock Automated Reasoning policies via the DeleteAutomatedReasoningPolicy, UpdateAutomatedReasoningPolicy, or UpdateAutomatedReasoningPolicyAnnotations CloudTrail actions. Automated Reasoning policies are a Bedrock safety and validation control that constrains model outputs against formal rules. An adversary who deletes a policy or alters the policy definition or its annotations weakens an enforced output-validation defense, potentially allowing unsafe or non-compliant model responses to pass unchecked. Benign build, test-workflow, and test-case CRUD operations are intentionally excluded as they have no coherent abuse path.

Rule type: query

Rule indices:

logs-aws.cloudtrail-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://docs.aws.amazon.com/bedrock/latest/userguide/automated-reasoning.html

Tags:

Domain: Cloud
Domain: LLM
Data Source: AWS
Data Source: AWS CloudTrail
Data Source: Amazon Web Services
Data Source: Amazon Bedrock
Use Case: Threat Detection
Resources: Investigation Guide
Tactic: Defense Evasion

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating AWS Bedrock Automated Reasoning Safety Policy Tampering

AWS Bedrock Automated Reasoning policies enforce formal, rule-based validation of model outputs, acting as a safety control that constrains what a model is permitted to return. Deleting a policy or modifying its definition or annotations directly weakens this control. Adversaries who have gained access to the Bedrock control plane may tamper with these policies to evade output-validation defenses, enabling unsafe, manipulated, or non-compliant model behavior. This detection identifies DeleteAutomatedReasoningPolicy, UpdateAutomatedReasoningPolicy, and UpdateAutomatedReasoningPolicyAnnotations calls so responders can confirm whether the change was authorized.

Possible investigation steps

Identify the actor and context
Review aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.type, aws.cloudtrail.user_identity.access_key_id, source.ip, and user_agent.original.
Determine whether the identity normally administers Bedrock safety policies and whether the action aligns with an approved change request.
Review the specific action
For DeleteAutomatedReasoningPolicy, identify the deleted policy in aws.cloudtrail.flattened.request_parameters and confirm whether a replacement control exists.
For UpdateAutomatedReasoningPolicy / UpdateAutomatedReasoningPolicyAnnotations, inspect aws.cloudtrail.request_parameters and aws.cloudtrail.response_elements to understand what was changed and whether the change loosens validation constraints.
Correlate surrounding activity
Look for other Defense Evasion or Bedrock control-plane activity from the same identity in the surrounding window (model invocation changes, guardrail modifications, logging changes).
Check cloud.account.id and cloud.region to scope blast radius across the environment.

False positive analysis

Planned policy maintenance: Governance teams may legitimately tune or retire Automated Reasoning policies. Validate against change tickets and standard templates.
Automation: IaC or CI/CD pipelines may update policies during deployments. Confirm the actor maps to known automation infrastructure.

Response and remediation

If the change is unauthorized, restore the prior policy definition or recreate the deleted policy from a known-good configuration.
Revoke or rotate the credentials in aws.cloudtrail.user_identity.access_key_id if compromise is suspected.
Review all Bedrock control-plane activity from the same identity in the preceding window for further defense-impairing actions.
Restrict bedrock:DeleteAutomatedReasoningPolicy and bedrock:UpdateAutomatedReasoningPolicy* permissions to a small set of administrative roles and enforce approval workflows.

Rule query

edit

data_stream.dataset: "aws.cloudtrail" and
    event.provider: "bedrock.amazonaws.com" and
    event.action: (
        "DeleteAutomatedReasoningPolicy" or
        "UpdateAutomatedReasoningPolicy" or
        "UpdateAutomatedReasoningPolicyAnnotations"
    ) and event.outcome:success

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Impair Defenses
- ID: T1562
- Reference URL: https://attack.mitre.org/techniques/T1562/
Sub-technique:
- Name: Disable or Modify Tools
- ID: T1562.001
- Reference URL: https://attack.mitre.org/techniques/T1562/001/

« Appendix m: Downloadable rule update v8.19.26 AWS Bedrock Guardrail Deleted or Weakened »