Full Report
Unit 42 reveals "Agent God Mode" in Amazon Bedrock AgentCore. Broad IAM permissions lead to privilege escalation and data exfiltration risks. The post Cracks in the Bedrock: Agent God Mode appeared first on Unit 42.
Analysis Summary
# Vulnerability: Amazon Bedrock AgentCore Privilege Escalation ("Agent God Mode")
## CVE Details
- **CVE ID:** N/A (Cloud-specific vulnerability; AWS does not typically issue CVEs for managed service backend flaws patched by the provider).
- **CVSS Score:** High (Unit 42 assessment implies significant risk due to full service-role takeover).
- **CWE:** CWE-269: Improper Privilege Management.
## Affected Systems
- **Products:** Amazon Bedrock (specifically the **AgentCore** component).
- **Versions:** Management Console and API underlying Bedrock Agents prior to the patch date.
- **Configurations:** Systems utilizing Amazon Bedrock Agents where the service role granted to the agent possessed broad IAM permissions (e.g., `AdministratorAccess` or excessive S3/Lambda permissions).
## Vulnerability Description
The vulnerability, dubbed **"Agent God Mode,"** stems from a flaw in how Bedrock AgentCore handled executive commands and instructions. While developers define specific "Action Groups" for an agent, researchers discovered that the underlying AgentCore component could be manipulated through prompt injection or malicious instructions to bypass these boundaries.
Because the agent operates using an assigned **IAM Service Role**, any flaw that allows an attacker to control the agent's logic effectively grants the attacker the full permissions of that IAM role. If the role was over-privileged, the attacker could execute unintended API calls across the AWS environment, such as exfiltrating data from S3 buckets or modifying Lambda functions.
## Exploitation
- **Status:** PoC developed by Unit 42; patched by AWS. No evidence of exploitation in the wild reported prior to the fix.
- **Complexity:** Low (Requires only natural language manipulation/prompt injection).
- **Attack Vector:** Network (Remote interaction with the AI Agent).
## Impact
- **Confidentiality:** High (Potential access to all data accessible by the Agent's IAM role).
- **Integrity:** High (Potential to modify resources or delete data via IAM permissions).
- **Availability:** Medium to High (Potential to disrupt services by deleting or altering infrastructure).
## Remediation
### Patches
- **AWS Managed Fix:** Amazon Web Services (AWS) has implemented a backend patch for Bedrock AgentCore to restrict unauthorized command execution and improve instruction boundary enforcement. No user action is required for the core fix.
### Workarounds
- **Least Privilege:** Ensure IAM roles assigned to Bedrock Agents follow the principle of least privilege. Do not use managed policies like `AdministratorAccess`.
- **Resource Tags:** Use Identity-Based Policy conditions to restrict the agent to specific resources (e.g., specific S3 buckets rather than `*`).
- **Guardrails:** Implement Amazon Bedrock Guardrails to filter malicious prompts and PII exfiltration attempts.
## Detection
- **CloudTrail Monitoring:** Monitor AWS CloudTrail for unusual API calls originating from the Bedrock Agent service principal (`bedrock.amazonaws.com`).
- **Identify Anomalies:** Look for "Action Group" execution patterns that do not align with the agent's intended business logic (e.g., an agent designed for HR queries suddenly listing all S3 buckets).
- **CloudWatch Logs:** Review Bedrock Agent invocation logs for suspicious prompt patterns or system-level overrides.
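
The anomaly check described in this list can be expressed as a baseline comparison over CloudTrail records. The sketch below is an added example, not code from Unit 42 or AWS. It assumes a hypothetical HR agent whose service role, permitted calls and bucket names are placeholders, runs on constructed records, and selects the agent's activity by the role ARN in `userIdentity.sessionContext.sessionIssuer.arn`.

```python
# Assumptions for this sketch: a hypothetical HR agent, its service role, and
# the only calls it is meant to make (value = allowed S3 buckets, None = n/a).
AGENT_ROLE_ARN = "arn:aws:iam::111122223333:role/hr-agent-role"
OTHER_ROLE_ARN = "arn:aws:iam::111122223333:role/ci-deploy-role"
BASELINE = {
    ("lambda.amazonaws.com", "Invoke"): None,
    ("s3.amazonaws.com", "GetObject"): {"hr-policies-example"},
}

def make_event(role_arn, source, name, params=None, error=None):
    """Constructed CloudTrail record holding only the fields the check reads."""
    issuer = {"type": "Role", "arn": role_arn}
    event = {"userIdentity": {"type": "AssumedRole",
                              "sessionContext": {"sessionIssuer": issuer}},
             "eventSource": source, "eventName": name,
             "requestParameters": params}  # CloudTrail uses null when empty
    if error:
        event["errorCode"] = error
    return event

SAMPLE_EVENTS = [  # constructed, not real logs
    make_event(AGENT_ROLE_ARN, "lambda.amazonaws.com", "Invoke", {"functionName": "hr-lookup"}),
    make_event(AGENT_ROLE_ARN, "s3.amazonaws.com", "GetObject", {"bucketName": "hr-policies-example"}),
    make_event(AGENT_ROLE_ARN, "s3.amazonaws.com", "ListBuckets"),
    make_event(AGENT_ROLE_ARN, "s3.amazonaws.com", "GetObject", {"bucketName": "finance-exports-example"}),
    make_event(AGENT_ROLE_ARN, "lambda.amazonaws.com", "Invoke", {"functionName": "payroll-admin"}, "AccessDenied"),
    make_event(OTHER_ROLE_ARN, "s3.amazonaws.com", "ListBuckets"),
]

def find_deviations(events, role_arn=AGENT_ROLE_ARN, baseline=BASELINE):
    """Return (index, 'source:name', reason) for agent-role calls off baseline."""
    findings = []
    for i, ev in enumerate(events):
        session = ev.get("userIdentity", {}).get("sessionContext") or {}
        if (session.get("sessionIssuer") or {}).get("arn") != role_arn:
            continue  # call was not made with the agent's service role
        key = (ev.get("eventSource"), ev.get("eventName"))
        bucket = (ev.get("requestParameters") or {}).get("bucketName")
        if key not in baseline:
            reason = "api-not-in-baseline"
        elif baseline[key] is not None and bucket not in baseline[key]:
            reason = "resource-not-in-baseline"
        elif ev.get("errorCode") == "AccessDenied":
            reason = "denied-call"
        else:
            continue
        findings.append((i, f"{key[0]}:{key[1]}", reason))
    return findings
```

A `denied-call` finding on an otherwise permitted API is worth reviewing alongside the other two reasons, since a least-privilege role turns out-of-scope attempts into `AccessDenied` errors rather than successful calls.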
## References
- **Unit 42 Original Research:** hxxps[://]unit42[.]paloaltonetworks[.]com/amazon-bedrock-agentcore-vulnerability/
- **AWS Security Bulletins:** hxxps[://]aws[.]amazon[.]com/security/security-bulletins/
- **Defanged Unit 42 Link:** hxxps[://]unit42[.]paloaltonetworks[.]com/cracks-in-the-bedrock-agent-god-mode/