
AWS Bedrock Third-Party or External Knowledge Base Associated to Agent
Elastic Detection Rules
Summary
Detects when an Amazon Bedrock agent is associated with, or updated to use, a knowledge base via the AssociateAgentKnowledgeBase or UpdateAgentKnowledgeBase API actions. Bedrock agents retrieve content from knowledge bases as trusted context for Retrieval-Augmented Generation (RAG). If an agent is wired to an externally controlled or attacker-supplied knowledge base, the agent’s trust boundary can be redirected toward untrusted content, enabling a software supply-chain compromise and an indirect prompt-injection vector.

The rule analyzes CloudTrail logs to identify successful AssociateAgentKnowledgeBase and UpdateAgentKnowledgeBase calls, capturing actor identity, source IP, user agent, agentId, and knowledgeBaseId. It flags associations that reference external or organization-unknown knowledge bases, triggering an alert for investigation and potential remediation. False positives can arise from legitimate development, onboarding, or CI/CD changes to knowledge bases; verification should confirm the actor identity, authorized workflow, and ownership of the knowledge base and its data sources.

The detection maps to MITRE ATT&CK as Server Software Component (T1505) under Persistence (TA0003). It includes triage guidance, investigation steps (actor/context review, association validation, blast radius, and correlation with related Bedrock activity), and remediation steps (dissociate unauthorized knowledge bases, review data sources, quarantine suspect content, rotate credentials, and tighten permissions on relevant Bedrock actions). References to AWS Bedrock documentation are provided for context.
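The filtering and triage fields described in the summary, sketched as an added Python example; it is not the Elastic rule's own query. The `eventSource` value, the `requestParameters` layout, the `APPROVED_KBS` allowlist and every sample event are assumptions constructed for illustration.

```python
# Added example: triage of CloudTrail records for Bedrock agent knowledge-base changes.
WATCHED = {"AssociateAgentKnowledgeBase", "UpdateAgentKnowledgeBase"}
# Hypothetical inventory of knowledge bases the organization owns.
APPROVED_KBS = {"KBAPPROVED1"}

def triage(events, approved=APPROVED_KBS):
    """Return one finding per successful association/update call."""
    findings = []
    for ev in events:
        # Assumed event source for Bedrock control-plane calls.
        if ev.get("eventSource") != "bedrock.amazonaws.com":
            continue
        if ev.get("eventName") not in WATCHED:
            continue
        if ev.get("errorCode"):  # a failed call changed nothing on the agent
            continue
        params = ev.get("requestParameters") or {}
        kb = params.get("knowledgeBaseId")
        findings.append({
            "action": ev["eventName"],
            "actor": (ev.get("userIdentity") or {}).get("arn"),
            "source_ip": ev.get("sourceIPAddress"),
            "user_agent": ev.get("userAgent"),
            "agent_id": params.get("agentId"),
            "knowledge_base_id": kb,
            # A missing or unlisted ID is treated as unknown and escalated.
            "unknown_kb": kb not in approved,
        })
    return findings

def sample_event(name, kb, role, error=None):
    """Build a constructed CloudTrail-style record (not real log data)."""
    ev = {
        "eventSource": "bedrock.amazonaws.com",
        "eventName": name,
        "userIdentity": {"arn": f"arn:aws:sts::111122223333:assumed-role/{role}/session"},
        "sourceIPAddress": "198.51.100.7",
        "userAgent": "aws-cli/2.x",
        "requestParameters": {"agentId": "AGENTEXAMPLE", "knowledgeBaseId": kb},
    }
    if error:
        ev["errorCode"] = error
    return ev

SAMPLE_EVENTS = [
    sample_event("AssociateAgentKnowledgeBase", "KBAPPROVED1", "ci-deploy"),
    sample_event("UpdateAgentKnowledgeBase", "KBUNKNOWN99", "dev-user"),
    sample_event("AssociateAgentKnowledgeBase", "KBUNKNOWN99", "dev-user", "AccessDenied"),
    sample_event("InvokeModel", None, "app-runtime"),
]
```

Findings with `unknown_kb` set are the ones to carry into the ownership and actor checks listed under false positives; the approved association from the CI role is still recorded but not escalated.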
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
ATT&CK Techniques
- T1505
Created: 2026-06-04