« AWS Bedrock Guardrail Deleted or Weakened AWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key »
Elastic Docs Elastic Security [8.19] Downloadable rule update v8.19.26

AWS Bedrock Model Invocation Logging Disabled or Modified

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

AWS Bedrock Model Invocation Logging Disabled or Modified

edit

Detects when an AWS Bedrock model invocation logging configuration is deleted or overwritten via the DeleteModelInvocationLoggingConfiguration or PutModelInvocationLoggingConfiguration API calls. Model invocation logging is the source that feeds the logs-aws_bedrock.invocation-* dataset relied upon by all data-plane Bedrock detections. An adversary who has gained access to a Bedrock environment can blind defenders by deleting this configuration, or by using the Put API to redirect logs to an attacker-controlled or non-monitored S3 bucket or CloudWatch log group. Because this single control-plane action can neutralize the entire data-plane detection stack, it is a high-value evasion technique that should be validated against expected administrative change activity.

Rule type: query

Rule indices:

  • logs-aws.cloudtrail-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Domain: LLM
  • Data Source: AWS
  • Data Source: AWS CloudTrail
  • Data Source: Amazon Web Services
  • Data Source: Amazon Bedrock
  • Use Case: Log Auditing
  • Use Case: Threat Detection
  • Resources: Investigation Guide
  • Tactic: Defense Evasion

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating AWS Bedrock Model Invocation Logging Disabled or Modified

AWS Bedrock model invocation logging captures the prompts and responses processed by foundation models and delivers them to an S3 bucket or CloudWatch log group. This data feeds the logs-aws_bedrock.invocation-* dataset that all data-plane Bedrock detections depend on. Deleting the configuration stops this telemetry entirely, while overwriting it with Put can silently redirect logs to a destination the defender does not monitor. Either action effectively blinds the data-plane detection stack, making this a high-priority defense-evasion event.

Possible investigation steps

  • Identify the actor and context
  • Review aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.type, aws.cloudtrail.user_identity.access_key_id, user_agent.original, and source.ip.
  • Determine whether the identity is an approved Bedrock administrator and whether a change request exists.
  • Determine the exact action
  • For DeleteModelInvocationLoggingConfiguration, logging is being turned off entirely — confirm this is intentional.
  • For PutModelInvocationLoggingConfiguration, inspect aws.cloudtrail.flattened.request_parameters for the new s3Config bucket name / key prefix and cloudWatchConfig log group, and verify they are owned and monitored by your org.
  • Correlate surrounding activity
  • Pivot on the same identity, source.ip, and cloud.account.id for prior enumeration (GetModelInvocationLoggingConfiguration) or follow-on Bedrock data-plane activity (model invocations) that would now be unlogged.
  • Check for parallel logging-tampering against CloudTrail, Config, or GuardDuty.

False positive analysis

  • Planned changes: Logging migrations or compliance updates may legitimately reconfigure or remove the configuration. Validate against change tickets and infrastructure-as-code pipelines.

Response and remediation

  • If unauthorized, restore model invocation logging to the approved destination and verify log delivery resumes into logs-aws_bedrock.invocation-*.
  • Review and secure any attacker-specified S3 bucket or CloudWatch log group, and treat data sent there as exposed.
  • Audit the actor’s recent Bedrock and IAM activity and rotate credentials if compromise is suspected.
  • Restrict bedrock:DeleteModelInvocationLoggingConfiguration and bedrock:PutModelInvocationLoggingConfiguration to a small set of administrative roles and alert on changes.

Rule query

edit
data_stream.dataset: "aws.cloudtrail" and
    event.provider: "bedrock.amazonaws.com" and
    event.action: ("DeleteModelInvocationLoggingConfiguration" or "PutModelInvocationLoggingConfiguration") and
    event.outcome: "success"

Framework: MITRE ATT&CKTM

« AWS Bedrock Guardrail Deleted or Weakened AWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key »