AWS Bedrock Knowledge Base or RAG Data Source Tampering

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

AWS Bedrock Knowledge Base or RAG Data Source Tampering

Detects control-plane mutations to AWS Bedrock knowledge bases and their backing RAG data sources via CloudTrail. An adversary with access to Bedrock Agent APIs can poison the corpus that RAG-enabled models treat as authoritative by ingesting attacker-controlled documents (IngestKnowledgeBaseDocuments, StartIngestionJob), deleting legitimate documents (DeleteKnowledgeBaseDocuments), or repointing/altering the data source itself (CreateDataSource, UpdateDataSource, DeleteDataSource, UpdateKnowledgeBase). Because downstream applications and users trust model answers grounded in this stored data, tampering with the corpus is a stored data manipulation that can drive misinformation, fraud, or manipulated decisions at inference time. This is a New Terms rule that looks for the first time a given identity ARN performs one of these knowledge base or data source mutations within the history window.

Rule type: new_terms

Rule indices:

logs-aws.cloudtrail-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://docs.aws.amazon.com/bedrock/latest/APIReference/API_Operations_Agents_for_Amazon_Bedrock.html

Tags:

Domain: Cloud
Domain: LLM
Data Source: AWS
Data Source: AWS CloudTrail
Data Source: Amazon Web Services
Data Source: Amazon Bedrock
Use Case: Threat Detection
Resources: Investigation Guide
Tactic: Impact

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating AWS Bedrock Knowledge Base or RAG Data Source Tampering

AWS Bedrock knowledge bases provide Retrieval-Augmented Generation (RAG) by grounding model responses in a stored corpus that is synchronized from a configured data source. Because RAG-enabled applications present these grounded answers as authoritative, an adversary who can ingest, delete, or repoint the underlying corpus can poison the answers returned to downstream users and systems. This rule detects control-plane changes to knowledge bases and data sources that could enable such corpus poisoning.

Possible investigation steps

Identify the actor and context
Review aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.type, and aws.cloudtrail.user_identity.access_key_id.
Examine source.ip, user_agent.original, and aws.cloudtrail.user_identity.invoked_by to determine whether the change came from an approved operator, automation, or an unexpected origin.
Confirm a related change request exists (content update, data source migration, scheduled ingestion).
Validate the specific action
Inspect event.action and aws.cloudtrail.flattened.request_parameters to identify the knowledge base, data source, and any S3 bucket / ingestion configuration referenced.
For CreateDataSource / UpdateDataSource, verify the data source location (e.g., S3 bucket) is org-owned and not attacker-controlled.
For IngestKnowledgeBaseDocuments / StartIngestionJob, review what content was ingested and from where.
For DeleteKnowledgeBaseDocuments / DeleteDataSource, determine whether legitimate content was removed.
Correlate activity
Look for prior enumeration of Bedrock resources or anomalous IAM/STS activity from the same identity.
Review cloud.account.id and cloud.region to confirm the change occurred where expected.

False positive analysis

Planned content maintenance: Routine ingestion, document updates, and re-syncs by data teams or MLOps automation are expected. Validate against change tickets and known automation roles.
Infrastructure-as-code: Pipelines may create or update data sources during deployments. Confirm the source IP and ARN match expected automation.

Response and remediation

If unauthorized, suspend or disable the implicated knowledge base and data source to prevent further poisoned retrieval, and revert the corpus to a known-good state.
Disable or rotate the credentials identified in aws.cloudtrail.user_identity.access_key_id if compromise is suspected.
Audit recent ingestion jobs and document changes, and validate the integrity of the data source location.
Restrict Bedrock Agent knowledge base and data source mutation permissions to a small set of trusted roles.

Setup

edit

Setup

This rule requires the AWS CloudTrail integration. The data source and knowledge base configuration actions are management events (captured by default), but the direct document operations (IngestKnowledgeBaseDocuments, DeleteKnowledgeBaseDocuments) are Bedrock CloudTrail data events that are off by default. Without Bedrock data-event logging enabled on the trail, this rule provides only partial coverage — it will see config changes but not direct document ingestion/deletion, the primary poisoning vector. Enable Bedrock data-event logging for full coverage.

Rule query

edit

data_stream.dataset: "aws.cloudtrail" and
    event.provider: "bedrock.amazonaws.com" and
    event.action: (
        "IngestKnowledgeBaseDocuments" or
        "DeleteKnowledgeBaseDocuments" or
        "UpdateKnowledgeBase" or
        "CreateDataSource" or
        "UpdateDataSource" or
        "DeleteDataSource" or
        "StartIngestionJob" or
        "DeleteKnowledgeBase"
    ) and
    event.outcome: "success"

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Impact
- ID: TA0040
- Reference URL: https://attack.mitre.org/tactics/TA0040/
Technique:
- Name: Data Manipulation
- ID: T1565
- Reference URL: https://attack.mitre.org/techniques/T1565/
Sub-technique:
- Name: Stored Data Manipulation
- ID: T1565.001
- Reference URL: https://attack.mitre.org/techniques/T1565/001/

« AWS Bedrock High-Frequency Single-Model Inference API Probing AWS Bedrock Provisioned Model Throughput Tampering »