
Summary
This rule detects modification or deletion of AWS Bedrock resource-based policies by monitoring successful PutResourcePolicy and DeleteResourcePolicy calls in CloudTrail (logs-aws.cloudtrail-*). Bedrock resource-based policies govern which principals, including external accounts, may access resources such as agents, knowledge bases, and custom models. An attacker could attach a policy granting external or unexpected access to establish persistence or cross-account access, or delete an existing policy to weaken access controls.

The detection focuses on Bedrock control-plane actions and analyzes the policy document and target ARN from the request parameters, looking for external Principals, wildcard entries, or unfamiliar roles. Investigation emphasizes the actor's identity, the policy content, and correlation with other Bedrock actions and with prior related IAM or resource-policy changes. The rule maps to MITRE ATT&CK Account Manipulation (T1098) under the Persistence tactic (TA0003).

Investigation context fields include user identity ARNs, user type, access keys, user agents, and source IP, along with CloudTrail request_parameters and response elements. Possible investigation steps include validating the actor, confirming a matching change request, inspecting the policy document for suspicious Principals, and correlating with related Bedrock activity.

False positives can arise from legitimate administrative changes, IaC pipelines, or automation during onboarding or policy sharing; such cases should be verified against change tickets and known automation. Remediation guidance recommends reverting unauthorized policy changes, removing external or overly permissive principals, rotating credentials if needed, and enforcing least privilege on the PutResourcePolicy and DeleteResourcePolicy actions. Overall, this rule enables rapid detection and triage of unauthorized modifications to Bedrock resource access control, preventing unintended access and potential persistence.
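As an added illustration of the triage the summary describes (not the rule's own query or any Elastic code), the following Python walks constructed CloudTrail-shaped records, keeps only successful Bedrock PutResourcePolicy/DeleteResourcePolicy calls, and flags wildcard or out-of-account principals in the submitted policy. The trusted account set, the sample ARNs, and the exact requestParameters layout (resourceArn plus policy as a JSON string) are assumptions.

```python
import json

# Constructed sample records (not real CloudTrail events), trimmed to the fields the check reads;
# the Bedrock requestParameters layout (resourceArn, policy as a JSON string) is an assumption.
TRUSTED_ACCOUNTS = {"111111111111"}
EXTERNAL_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::999999999999:role/partner", "arn:aws:iam::111111111111:role/app"]},
    "Action": "bedrock:InvokeAgent", "Resource": "*"}]}
SAMPLE_EVENTS = [
    {"eventSource": "bedrock.amazonaws.com", "eventName": "PutResourcePolicy",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"resourceArn": "arn:aws:bedrock:us-east-1:111111111111:agent/AGENTID1",
                           "policy": json.dumps(EXTERNAL_POLICY)}},
    {"eventSource": "bedrock.amazonaws.com", "eventName": "DeleteResourcePolicy",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"resourceArn": "arn:aws:bedrock:us-east-1:111111111111:knowledge-base/KBID1"}},
]

def principals(policy_doc):
    """Yield every principal string from the Allow statements of an IAM policy document."""
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})  # "*" or a map such as {"AWS": [...], "Service": ...}
        values = ["*"] if principal == "*" else [v for vals in principal.values()
                                               for v in (vals if isinstance(vals, list) else [vals])]
        yield from values

def account_of(principal):
    """Account id from an ARN or bare 12-digit account principal; None for '*' and service principals."""
    parts = principal.split(":")
    if len(parts) >= 6 and parts[4].isdigit():
        return parts[4]
    return principal if principal.isdigit() and len(principal) == 12 else None

def triage(event, trusted=TRUSTED_ACCOUNTS):
    """Findings for a successful Bedrock resource-policy change; [] if out of scope or benign."""
    name, params = event.get("eventName"), event.get("requestParameters") or {}
    if event.get("eventSource") != "bedrock.amazonaws.com" or "errorCode" in event:
        return []  # the rule only fires on successful Bedrock control-plane calls
    if name == "DeleteResourcePolicy":
        return [f"policy removed from {params.get('resourceArn')}"]
    if name != "PutResourcePolicy":
        return []
    findings = []
    for p in principals(json.loads(params.get("policy", "{}"))):
        if p == "*":
            findings.append("wildcard principal")
        elif (acct := account_of(p)) and acct not in trusted:
            findings.append(f"external principal {p}")
    return findings
```

Findings from triage() are the starting point for the manual steps above: confirm the actor and a change ticket before reverting the policy.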
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
ATT&CK Techniques
- T1098
Created: 2026-06-04