AWS Bedrock Unauthorized Resource-Based Policy Modification Attempt

Elastic Detection Rules

Summary
Detects failed, access-denied attempts to modify or delete resource-based policies on AWS Bedrock resources via PutResourcePolicy and DeleteResourcePolicy API calls. The rule analyzes AWS CloudTrail logs for bedrock.amazonaws.com events where the action is PutResourcePolicy or DeleteResourcePolicy, the outcome is failure, and the error code is AccessDenied or AccessDeniedException.

This surfaces boundary-testing behavior by under-privileged or potentially compromised identities attempting to grant external or cross-account access, or to weaken existing access controls, even when no change ultimately occurs. It complements a companion rule that detects successful policy changes.

Administrators can use the signal to investigate actor context (ARN, identity type, access key, user agent, source IP), review the denied reason, and correlate repeated denials across Bedrock/IAM APIs to identify enumeration or escalation attempts. False positives may arise from transient permission gaps in new roles or pipelines, or non-production testing. Remediation guidance includes enforcing least-privilege on bedrock:PutResourcePolicy and bedrock:DeleteResourcePolicy, rotating credentials if suspicious, and auditing related Bedrock/IAM activity within the surrounding window.
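The matching conditions above, applied to raw CloudTrail records, as an added illustration that is not Elastic's own rule query. It restates the summary's conditions (event source, event name, error code) in plain Python, extracts the actor context the summary says to review, and adds the "repeated denials by one actor within a short window" correlation step. The records, account number, ARNs, access key id and addresses are all constructed sample values, and the window and threshold are assumptions chosen for the example.

```python
"""Re-implementation of the rule's matching logic over CloudTrail records.

Constructed example, not Elastic's rule text. Field names follow the
CloudTrail record format (eventSource, eventName, errorCode, userIdentity,
userAgent, sourceIPAddress, eventTime).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Conditions listed in the rule summary.
BEDROCK_SOURCE = "bedrock.amazonaws.com"
WATCHED_ACTIONS = {"PutResourcePolicy", "DeleteResourcePolicy"}
DENIED_CODES = {"AccessDenied", "AccessDeniedException"}

# Constructed CloudTrail records (sample account 111122223333, not real telemetry).
CI_ROLE = "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"
CONSTRUCTED_RECORDS = [
    {   # denied policy write -> matches
        "eventTime": "2026-06-04T12:00:05Z", "eventSource": BEDROCK_SOURCE,
        "eventName": "PutResourcePolicy", "errorCode": "AccessDenied",
        "errorMessage": "not authorized to perform: bedrock:PutResourcePolicy",
        "userIdentity": {"type": "AssumedRole", "arn": CI_ROLE,
                         "accessKeyId": "ASIAEXAMPLE000000001"},
        "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "198.51.100.23",
    },
    {   # denied policy delete by the same actor -> matches
        "eventTime": "2026-06-04T12:01:10Z", "eventSource": BEDROCK_SOURCE,
        "eventName": "DeleteResourcePolicy", "errorCode": "AccessDeniedException",
        "errorMessage": "not authorized to perform: bedrock:DeleteResourcePolicy",
        "userIdentity": {"type": "AssumedRole", "arn": CI_ROLE,
                         "accessKeyId": "ASIAEXAMPLE000000001"},
        "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "198.51.100.23",
    },
    {   # denied, but a read action, not a policy change -> no match
        "eventTime": "2026-06-04T12:02:00Z", "eventSource": BEDROCK_SOURCE,
        "eventName": "GetFoundationModel", "errorCode": "AccessDenied",
        "userIdentity": {"type": "AssumedRole", "arn": CI_ROLE,
                         "accessKeyId": "ASIAEXAMPLE000000001"},
        "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "198.51.100.23",
    },
    {   # successful policy write (no errorCode) -> companion rule, not this one
        "eventTime": "2026-06-04T12:05:00Z", "eventSource": BEDROCK_SOURCE,
        "eventName": "PutResourcePolicy",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/bedrock-admin",
                         "accessKeyId": "AKIAEXAMPLE000000002"},
        "userAgent": "console.amazonaws.com", "sourceIPAddress": "203.0.113.8",
    },
    {   # denied IAM call, wrong event source -> no match
        "eventTime": "2026-06-04T12:06:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "PutRolePolicy", "errorCode": "AccessDenied",
        "userIdentity": {"type": "AssumedRole", "arn": CI_ROLE,
                         "accessKeyId": "ASIAEXAMPLE000000001"},
        "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "198.51.100.23",
    },
]


def matches_rule(record: dict) -> bool:
    """True when the record is a denied Bedrock Put/DeleteResourcePolicy call."""
    return (
        record.get("eventSource") == BEDROCK_SOURCE
        and record.get("eventName") in WATCHED_ACTIONS
        and record.get("errorCode") in DENIED_CODES
    )


def actor_context(record: dict) -> dict:
    """Pull out the fields the summary says to review for a hit."""
    identity = record.get("userIdentity", {})
    return {
        "event_time": record.get("eventTime"),
        "event_name": record.get("eventName"),
        "error_code": record.get("errorCode"),
        "error_message": record.get("errorMessage", ""),
        "arn": identity.get("arn"),
        "identity_type": identity.get("type"),
        "access_key_id": identity.get("accessKeyId"),
        "user_agent": record.get("userAgent"),
        "source_ip": record.get("sourceIPAddress"),
    }


def find_denied_policy_changes(records) -> list:
    """Run the rule over a batch of records; one context dict per hit."""
    return [actor_context(r) for r in records if matches_rule(r)]


def repeated_denials(records, threshold: int = 2,
                     window: timedelta = timedelta(minutes=15)) -> dict:
    """Actors with >= threshold hits inside `window` (assumed values).

    Returns {arn: hit_count} for actors worth escalating as possible
    boundary testing, as opposed to a single transient permission gap.
    """
    by_actor = defaultdict(list)
    for hit in find_denied_policy_changes(records):
        by_actor[hit["arn"]].append(
            datetime.strptime(hit["event_time"], "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for arn, times in by_actor.items():
        times.sort()
        if len(times) >= threshold and times[-1] - times[0] <= window:
            flagged[arn] = len(times)
    return flagged


if __name__ == "__main__":
    for hit in find_denied_policy_changes(CONSTRUCTED_RECORDS):
        print(hit["event_time"], hit["event_name"], hit["error_code"], hit["arn"])
    print("repeated:", repeated_denials(CONSTRUCTED_RECORDS))
```

Only the first two constructed records fire: the denied read call, the successful policy write and the denied IAM call each fail one of the three conditions, which is exactly the boundary between this rule, its companion rule for successful changes, and the broader Bedrock/IAM correlation the summary leaves to the analyst. Because the two hits come from one role inside a few minutes, the correlation step flags that ARN rather than treating each denial in isolation.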
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1098
Created: 2026-06-04