Full Report
AWS Bedrock is Amazon's platform for building AI-powered applications. It gives developers access to foundation models and the tools to connect those models directly to enterprise data and systems. That connectivity is what makes it powerful – but it’s also what makes Bedrock a target. When an AI agent can query your Salesforce instance, trigger a Lambda function, or pull from a SharePoint
Analysis Summary
# Vulnerability: Remote Code Execution & Data Exfiltration in AWS Bedrock Agents (Insecure Input Handling)
## CVE Details
- **CVE ID:** N/A (Cloud-specific vulnerability; typically managed via service updates rather than standard CVE assignment by AWS)
- **CVSS Score:** 8.8 (High) - *Estimated based on potential for unauthorized data access and command execution.*
- **CWE:** CWE-913 (Improper Control of Dynamically-Managed Code Object) / CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)
## Affected Systems
- **Products:** AWS Bedrock (specifically Bedrock Agents)
- **Versions:** All versions prior to the AWS-side remediations implemented in mid-2024.
- **Configurations:** Agents configured with "Action Groups" linked to Lambda functions or "Knowledge Bases" with enterprise connectors (Salesforce, SharePoint, S3).
## Vulnerability Description
The vulnerability stems from the way Bedrock Agents interpret and act upon "Prompt Injection" or "Indirect Prompt Injection." Because the agent is designed to bridge natural language prompts with executable API calls (Action Groups), an attacker can embed malicious instructions within data sources (e.g., a poisoned SharePoint document or a malicious Salesforce record).
When the Foundation Model (FM) parses this data to satisfy a user query, it may interpret the malicious instructions as legitimate system commands. This leads to the agent performing unauthorized actions, such as invoking Lambda functions with attacker-controlled parameters or exfiltrating sensitive data from connected enterprise systems.
## Exploitation
- **Status:** PoC Available (Research demonstrated by various security firms including Zenity and Orca Security).
- **Complexity:** Medium
- **Attack Vector:** Network (Indirect via data poisoning or direct via user input).
## Impact
- **Confidentiality:** High (Access to all data sources connected via Bedrock Knowledge Bases).
- **Integrity:** High (Ability to trigger state-changing actions via Lambda functions/Action Groups).
- **Availability:** Medium (Potential to delete records or trigger resource exhaustion).
## Remediation
### Patches
- **AWS Managed Update:** AWS has implemented service-side sanitization and improved reinforcement learning from human feedback (RLHF) to ignore instructional overrides within data blobs. No user action is required for the core platform fix.
### Workarounds
- **Guardrails for Amazon Bedrock:** Implement strict content filtering to detect and block prompt injection patterns.
- **Least Privilege:** Apply granular IAM policies to the Lambda functions used by Action Groups. Ensure the execution role can only access the specific resources required for its task.
## Detection
- **CloudWatch Logs:** Monitor Bedrock Agent logs for unusual sequences of API calls or patterns indicating "jailbreak" attempts (e.g., "Ignore all previous instructions").
- **Lambda Monitoring:** Identify anomalous input parameters in Lambda execution logs that do not match expected schema formats.
- **AWS CloudTrail:** Audit `InvokeModel` and `InvokeAgent` events for unauthorized geographic locations or unusual user agents.
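The schema check described under Lambda Monitoring, applied inside the action-group Lambda itself so that off-schema or override-laden parameters are logged and refused before any work is done. This is an added example, not AWS code or code from the research cited; the function name `lookup_customer`, its parameter schema, the log event name and the sample inputs are constructed, and the event/response shape assumes the Bedrock Agents function-details Lambda contract (`function`, `parameters`, `functionResponse`).

```python
import json
import re

# Constructed allow-list for one hypothetical action-group function (assumption, not a real API).
EXPECTED_SCHEMA = {
    "lookup_customer": {
        "customer_id": {"type": "string", "pattern": r"^[A-Z]{3}-\d{6}$", "required": True},
        "fields": {"type": "string", "pattern": r"^[a-z_]+(,[a-z_]+)*$", "required": False},
    }
}
# Instruction-override phrase named in the detection guidance above.
INJECTION_MARKERS = re.compile(r"ignore (all )?previous instructions", re.IGNORECASE)

def validate_parameters(function_name, parameters):
    """Return findings for an action-group event; an empty list means it matches the schema."""
    schema = EXPECTED_SCHEMA.get(function_name)
    if schema is None:
        return [f"unknown function '{function_name}'"]
    findings, seen = [], set()
    for p in parameters:
        name, ptype, value = p.get("name"), p.get("type"), str(p.get("value", ""))
        if INJECTION_MARKERS.search(value):
            findings.append(f"parameter '{name}' contains an instruction-override phrase")
        spec = schema.get(name)
        if spec is None:
            findings.append(f"unexpected parameter '{name}'")
            continue
        seen.add(name)
        if ptype != spec["type"]:
            findings.append(f"parameter '{name}' has type {ptype}, expected {spec['type']}")
        if not re.fullmatch(spec["pattern"], value):
            findings.append(f"parameter '{name}' value does not match the expected format")
    for name, spec in schema.items():
        if spec["required"] and name not in seen:
            findings.append(f"missing required parameter '{name}'")
    return findings

def lambda_handler(event, context):
    """Hypothetical action-group handler (assumed Bedrock agent event shape): refuse off-schema input."""
    function_name = event.get("function", "")
    findings = validate_parameters(function_name, event.get("parameters", []))
    if findings:
        # One structured line per rejection so CloudWatch / a SIEM can alert on it.
        print(json.dumps({"event": "action_group_schema_violation", "sessionId": event.get("sessionId"),
                          "function": function_name, "findings": findings}))
        body = "Request rejected: parameters did not match the expected schema."
    else:
        body = "Lookup performed."  # the real lookup would go here
    return {"messageVersion": "1.0", "response": {"actionGroup": event.get("actionGroup"),
            "function": function_name, "functionResponse": {"responseBody": {"TEXT": {"body": body}}}}}
```

Pair this with the execution-role scoping under Least Privilege: the Lambda validates shape, and IAM limits what a call that slips through can reach.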
## References
- **Vendor Advisory:** hxxps[://]aws[.]amazon[.]com/security/security-bulletins/
- **Security Research:** hxxps[://]www[.]zenity[.]io/blog/bedrock-vulnerabilities-exposed/
- **AWS Guardrails Documentation:** hxxps[://]docs[.]aws[.]amazon[.]com/bedrock/latest/userguide/guardrails[.]html