
AWS Bedrock High Number List Foundation Model Failures

Splunk Security Content

Summary
This detection rule identifies a high number of AccessDenied failures when listing AWS Bedrock foundation models, based on AWS CloudTrail logs. It looks for repeated failures when users or services call the ListFoundationModels API, which can signal reconnaissance by an adversary holding compromised credentials with limited permissions. Repeated AccessDenied error codes can indicate brute-force attempts to enumerate accessible AI resources, or reveal misconfigured access controls. If confirmed as malicious, this behavior suggests early-stage reconnaissance, possibly ahead of attempts to access or manipulate Bedrock models or underlying knowledge bases.
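The logic described above, as an added Python example (not the Splunk rule or its search) run over constructed CloudTrail records. The threshold of 5 failures and the 10-minute window are assumptions, since the page states neither; the principals, account ID and IP addresses are made up.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                   # assumed: denied calls that count as "a high number"
WINDOW = timedelta(minutes=10)  # assumed: sliding window the count must fall inside
ACCT = "arn:aws:iam::111122223333"  # constructed example account

def _event(ts, arn, ip, error="AccessDenied"):
    """Build one constructed CloudTrail record as a JSON line."""
    rec = {"eventTime": ts, "eventSource": "bedrock.amazonaws.com",
           "eventName": "ListFoundationModels",
           "userIdentity": {"arn": arn}, "sourceIPAddress": ip}
    if error:
        rec["errorCode"] = error
    return json.dumps(rec)

SAMPLE_LOG = (
    # six denials in six minutes: should alert
    [_event(f"2024-12-05T10:0{i}:00Z", f"{ACCT}:user/example-ci", "198.51.100.7") for i in range(6)]
    # one denial followed by a success: ordinary permission mistake
    + [_event("2024-12-05T10:01:00Z", f"{ACCT}:user/example-dev", "203.0.113.9"),
       _event("2024-12-05T10:02:00Z", f"{ACCT}:user/example-dev", "203.0.113.9", error=None)]
    # six denials spread over six hours: never five inside one window
    + [_event(f"2024-12-05T1{i}:00:00Z", f"{ACCT}:role/example-batch", "192.0.2.4") for i in range(6)]
)

def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per principal with >= threshold denials inside any window."""
    failures = defaultdict(list)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the run
        if (ev.get("eventSource"), ev.get("eventName"), ev.get("errorCode")) != (
                "bedrock.amazonaws.com", "ListFoundationModels", "AccessDenied"):
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        arn = ev.get("userIdentity", {}).get("arn", "unknown")
        failures[arn].append((ts, ev.get("sourceIPAddress", "unknown")))
    alerts = []
    for arn, hits in failures.items():
        hits.sort(key=lambda h: h[0])
        best, start = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # drop denials that fell out of the window
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"principal": arn, "count": best,
                           "source_ips": sorted({ip for _, ip in hits})})
    return alerts
```

Grouping by principal ARN keeps a single noisy identity from hiding behind account-wide totals; the source IPs are carried along for triage.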
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
ATT&CK Techniques
  • T1595
  • T1580
Created: 2024-12-05