
Summary
Detects deletion, weakening, or version management of AWS Bedrock guardrails by monitoring CloudTrail for control-plane API calls to bedrock.amazonaws.com: DeleteGuardrail, UpdateGuardrail, DeleteEnforcedGuardrailConfiguration, and PutEnforcedGuardrailConfiguration. Bedrock guardrails enforce content, topic, word, and sensitive-information policies on model invocations, so tampering with a guardrail or with its organization-enforced configuration can enable policy bypass, analogous to disabling a security tool.

The rule flags only successful API executions. Each hit exposes the actor identity (AWS user_identity fields), source IP, user agent, and the underlying request/response parameters, which reveal which guardrail or configuration was altered and how its policies changed. Investigators can validate the change against change-management records, correlate it with related Bedrock InvokeModel or Converse activity, and check for prior reconnaissance-style calls (e.g., ListGuardrails, GetGuardrail) by the same identity to establish whether the activity is abnormal. Relevant investigation fields include timestamp, user identity, source IP, and API parameters.

The rule maps to MITRE ATT&CK T1562.001 (Disable or Modify Tools) under Defense Evasion.

False positives may occur when legitimate guardrail tuning, iteration, or decommissioning takes place as part of normal development; such identities can be exempted per policy. Remediation guidance includes restoring guardrails and their enforced configuration to the approved state, revoking compromised credentials, and restricting guardrail-related permissions to a narrow admin set via IAM SCPs or Config controls.
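The detection logic described above, as an added example run over constructed CloudTrail records (not the rule's own implementation): it keeps only successful bedrock.amazonaws.com calls with the four listed event names, drops identities exempted under change-management policy, and extracts the investigation fields. The exempt role ARN, account ID, guardrail identifier, and sample records are constructed placeholders.

```python
import json

BEDROCK_SOURCE = "bedrock.amazonaws.com"
TAMPER_EVENTS = {"DeleteGuardrail", "UpdateGuardrail",
                 "DeleteEnforcedGuardrailConfiguration",
                 "PutEnforcedGuardrailConfiguration"}
# Constructed placeholder: principals exempted under change-management policy.
EXEMPT_ARN_PREFIXES = ("arn:aws:sts::123456789012:assumed-role/guardrail-admin/",)


def match_guardrail_tamper(event):
    """Return an alert dict for a successful guardrail tamper event, else None."""
    if event.get("eventSource") != BEDROCK_SOURCE:
        return None
    if event.get("eventName") not in TAMPER_EVENTS:
        return None
    if event.get("errorCode"):  # failed calls (e.g. AccessDenied) do not fire
        return None
    ident = event.get("userIdentity", {})
    arn = ident.get("arn", "")
    if arn.startswith(EXEMPT_ARN_PREFIXES):  # known-good tuning identities
        return None
    params = event.get("requestParameters") or {}
    return {
        "time": event.get("eventTime"),
        "action": event["eventName"],
        "actor": arn,
        "identity_type": ident.get("type"),
        "source_ip": event.get("sourceIPAddress"),
        "user_agent": event.get("userAgent"),
        "guardrail": params.get("guardrailIdentifier"),
        "changed_fields": sorted(params),  # which policy blocks were touched
    }


def scan(log_lines):
    """Run the rule over newline-delimited CloudTrail JSON records."""
    hits = (match_guardrail_tamper(json.loads(l)) for l in log_lines if l.strip())
    return [h for h in hits if h]


# Constructed sample CloudTrail records (not real data; IPs from TEST-NET-3).
SAMPLE_LOGS = [
    '{"eventTime":"2026-06-04T10:00:00Z","eventSource":"bedrock.amazonaws.com","eventName":"DeleteGuardrail","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/dev1"},"sourceIPAddress":"203.0.113.5","userAgent":"aws-cli/2.15","requestParameters":{"guardrailIdentifier":"gr-example"}}',
    '{"eventTime":"2026-06-04T10:01:00Z","eventSource":"bedrock.amazonaws.com","eventName":"UpdateGuardrail","errorCode":"AccessDenied","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/dev2"},"sourceIPAddress":"203.0.113.6","userAgent":"Boto3/1.34","requestParameters":{"guardrailIdentifier":"gr-example","contentPolicyConfig":{}}}',
    '{"eventTime":"2026-06-04T10:02:00Z","eventSource":"bedrock.amazonaws.com","eventName":"GetGuardrail","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/dev1"},"sourceIPAddress":"203.0.113.5","userAgent":"aws-cli/2.15","requestParameters":{"guardrailIdentifier":"gr-example"}}',
    '{"eventTime":"2026-06-04T10:03:00Z","eventSource":"bedrock.amazonaws.com","eventName":"PutEnforcedGuardrailConfiguration","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/guardrail-admin/change-1234"},"sourceIPAddress":"203.0.113.7","userAgent":"console.amazonaws.com","requestParameters":{}}',
]
```

Only the first record fires: the UpdateGuardrail attempt failed with AccessDenied, GetGuardrail is read-only, and the PutEnforcedGuardrailConfiguration call comes from the exempted admin role.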
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
ATT&CK Techniques
- T1562
- T1562.001
Created: 2026-06-04