
AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request
Elastic Detection Rules
Summary
This rule monitors AWS Bedrock to detect requests in which multiple guardrail policies are violated within a single request that results in a blocked action. The detection matters because repeated violations in one request may indicate deliberate attempts to bypass security controls, obtain unauthorized access to sensitive information, or probe for weaknesses. It evaluates requests made to the AWS Bedrock service, focusing on actions flagged as "BLOCKED" because of policy violations by the requesting user. The rule counts how many distinct policies were violated in a single request and, if that count exceeds one, raises an alert, given the heightened likelihood of malicious intent. The investigation guidance emphasizes reviewing the user's activity before and after the flagged request to judge whether the action was legitimate, checking for signs of account compromise, and deciding whether incident response procedures are warranted based on the severity and context of what was detected. Implementing the rule requires that guardrails be configured on AWS Bedrock, so that monitoring aligns with the defined safety and compliance measures.
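As an added example (not the Elastic rule's own query), the same counting logic is applied below in Python to constructed invocation records whose shape approximates a Bedrock guardrail assessment; the record field names, the INTERVENED action value and the per-policy entry keys are assumptions, not taken from the rule.

```python
"""Added example: count distinct guardrail policies that blocked one Bedrock request.
Record layout approximates a Bedrock guardrail assessment; field names are assumed."""
from collections import defaultdict

# Assumed mapping of policy type -> key holding its individual findings.
POLICY_KEYS = {
    "topicPolicy": "topics",
    "contentPolicy": "filters",
    "wordPolicy": "customWords",
    "sensitiveInformationPolicy": "piiEntities",
}


def blocked_policies(assessment: dict) -> set[str]:
    """Return the policy types in one assessment that have at least one BLOCKED finding."""
    hit = set()
    for policy, entries_key in POLICY_KEYS.items():
        entries = assessment.get(policy, {}).get(entries_key, [])
        if any(entry.get("action") == "BLOCKED" for entry in entries):
            hit.add(policy)
    return hit


def find_multi_policy_blocks(records: list[dict], threshold: int = 1) -> list[dict]:
    """Mirror the rule: per (request, user), count distinct violated policies on blocked
    invocations and emit an alert when the count exceeds `threshold` (default: more than one)."""
    per_request: dict[tuple[str, str], set[str]] = defaultdict(set)
    for rec in records:
        if rec.get("guardrailAction") != "GUARDRAIL_INTERVENED":  # only blocked requests count
            continue
        for assessment in rec.get("assessments", []):
            per_request[(rec["requestId"], rec["user"])] |= blocked_policies(assessment)
    return [
        {"requestId": rid, "user": user, "policy_count": len(p), "policies": sorted(p)}
        for (rid, user), p in per_request.items()
        if len(p) > threshold
    ]


# Constructed sample records (not real log data): req-1 trips two policies, req-2 one.
SAMPLE_RECORDS = [
    {"requestId": "req-1", "user": "alice", "guardrailAction": "GUARDRAIL_INTERVENED",
     "assessments": [{"topicPolicy": {"topics": [{"name": "finance-advice", "action": "BLOCKED"}]},
                      "wordPolicy": {"customWords": [{"match": "secret", "action": "BLOCKED"}]}}]},
    {"requestId": "req-2", "user": "bob", "guardrailAction": "GUARDRAIL_INTERVENED",
     "assessments": [{"contentPolicy": {"filters": [{"type": "HATE", "action": "BLOCKED"}]}}]},
    {"requestId": "req-3", "user": "carol", "guardrailAction": "NONE", "assessments": []},
]

if __name__ == "__main__":
    for alert in find_multi_policy_blocks(SAMPLE_RECORDS):
        print(alert)
```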
Categories
- Cloud
- AWS
- Identity Management
Data Sources
- Cloud Service
- Container
ATT&CK Techniques
- T0051
- T0054
Created: 2024-05-02