
Summary
Detects creation, modification, or deletion of AWS Bedrock Provisioned Model Throughput by monitoring CloudTrail events from bedrock.amazonaws.com with the actions CreateProvisionedModelThroughput, UpdateProvisionedModelThroughput, and DeleteProvisionedModelThroughput. Provisioned Throughput reserves dedicated, billed capacity for Bedrock foundation models; abuse can lead to large, unauthorized cloud spend (cost hijacking) or to denial of service when required capacity is removed. The rule flags only successful control-plane changes to Bedrock throughput, so responders can verify that the change was authorized and that a corresponding change request or capacity-planning ticket exists. The accompanying investigation guidance covers actor identity, change-context validation, and correlation with other Bedrock activity and IAM/STS usage. It also notes false positives from legitimate capacity planning, automation pipelines, or IaC changes and suggests handling them through approvals, tickets, and restricted access. Remediation guidance includes revoking offending credentials, restoring or recreating throughput as needed for production, reviewing billing, rotating credentials if compromise is suspected, and enforcing tighter access controls and approval workflows for throughput-related API calls.
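The detection logic described above, as an added example that is not the rule's own query or code: it applies the same three conditions (Bedrock event source, one of the three throughput actions, successful call) to CloudTrail records and returns the fields an investigator needs first. The CloudTrail records are constructed samples, not real events; the `allowed_principals` allowlist for known automation roles is an assumed way of handling the false positives the summary mentions, not something the rule defines.

```python
"""Added example (not part of the original rule page): a minimal detector that
applies the rule's conditions to CloudTrail records.

Assumptions (not from the page): records arrive in CloudTrail's standard
{"Records": [...]} JSON shape, and known IaC/automation principals are
suppressed via an allowlist. All sample records below are constructed.
"""
import json

EVENT_SOURCE = "bedrock.amazonaws.com"
THROUGHPUT_ACTIONS = {
    "CreateProvisionedModelThroughput",
    "UpdateProvisionedModelThroughput",
    "DeleteProvisionedModelThroughput",
}


def actor_of(record):
    """Return the calling principal's ARN, falling back to the identity type."""
    ident = record.get("userIdentity") or {}
    return ident.get("arn") or ident.get("type", "unknown")


def is_throughput_change(record):
    """Rule condition: a Bedrock throughput control-plane call that succeeded.
    CloudTrail sets errorCode only on failed calls, so its absence means success."""
    return (
        record.get("eventSource") == EVENT_SOURCE
        and record.get("eventName") in THROUGHPUT_ACTIONS
        and "errorCode" not in record
    )


def detect(records, allowed_principals=frozenset()):
    """Return one alert per matching record (who, what, when, from where).
    Principals in allowed_principals (e.g. an approved IaC pipeline role) are
    skipped to reduce the false positives the rule summary describes."""
    alerts = []
    for r in records:
        if not is_throughput_change(r):
            continue
        actor = actor_of(r)
        if actor in allowed_principals:
            continue
        params = r.get("requestParameters") or {}
        alerts.append({
            "time": r.get("eventTime"),
            "action": r["eventName"],
            "actor": actor,
            "source_ip": r.get("sourceIPAddress"),
            "region": r.get("awsRegion"),
            "model": params.get("modelId"),
            "units": params.get("modelUnits"),
            "commitment": params.get("commitmentDuration"),
        })
    return alerts


# Constructed sample trail (documentation account ID and IP ranges; not real data).
IAC_ROLE = "arn:aws:sts::123456789012:assumed-role/iac-pipeline/deploy"
SAMPLE_TRAIL = json.dumps({"Records": [
    {   # approved pipeline creating capacity -> suppressed by allowlist
        "eventTime": "2026-06-04T09:00:00Z", "eventSource": EVENT_SOURCE,
        "eventName": "CreateProvisionedModelThroughput", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole", "arn": IAC_ROLE},
        "requestParameters": {"modelId": "example-model", "modelUnits": 1,
                              "commitmentDuration": "OneMonth"},
    },
    {   # interactive user buying capacity with no ticket -> alert
        "eventTime": "2026-06-04T10:15:00Z", "eventSource": EVENT_SOURCE,
        "eventName": "CreateProvisionedModelThroughput", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/example-user"},
        "requestParameters": {"modelId": "example-model", "modelUnits": 2,
                              "commitmentDuration": "SixMonths"},
    },
    {   # denied delete attempt -> rule flags successes only, so no alert
        "eventTime": "2026-06-04T10:16:00Z", "eventSource": EVENT_SOURCE,
        "eventName": "DeleteProvisionedModelThroughput", "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/example-user"},
    },
    {   # successful delete of production capacity -> alert (possible DoS)
        "eventTime": "2026-06-04T10:20:00Z", "eventSource": EVENT_SOURCE,
        "eventName": "DeleteProvisionedModelThroughput", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/example-user"},
        "requestParameters": {"provisionedModelId": "example-pmt-id"},
    },
]})


def run(trail_json=SAMPLE_TRAIL, allowed_principals=frozenset({IAC_ROLE})):
    """Parse a CloudTrail JSON document and return the alerts it produces."""
    return detect(json.loads(trail_json)["Records"], allowed_principals)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run as-is, the script prints two alerts: the interactive user's create (with the requested model units and commitment, which is what drives the cost-hijacking risk) and the later delete (the capacity-removal case). The denied delete is ignored because the rule only flags successful control-plane changes, and the pipeline role's create is suppressed by the allowlist; in practice that allowlist is where an approvals or ticketing check would plug in.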
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
ATT&CK Techniques
- T1496
- T1496.004
Created: 2026-06-04