Skip to content
.ca
sign in
4 minhigh

Cracks in the Bedrock: Agent God Mode

The AWS Bedrock AgentCore starter toolkit automatically provisions overly permissive IAM roles that grant wildcard access across the AWS account. This "Agent God Mode" misconfiguration allows a compromised AI agent to exfiltrate ECR images, access other agents' memories, and escalate privileges by invoking other code interpreters or agents.

Conf:highAnalyzed:2026-04-09reports

Authors: Unit 42

Privilege EscalationAWSIAMCloud SecurityBedrock AgentCore

Source:Palo Alto Networks

IOCs · 1
  • filename
    /app/logs/cmd/env-output.txtStatic configuration file within the AgentCore container image that leaks the target agent's MemoryID, enabling cross-agent memory access.

Key Takeaways

  • The AWS Bedrock AgentCore starter toolkit's auto-create feature generates overly permissive IAM roles with wildcard (*) access.
  • Compromised agents can exploit wildcard memory permissions to read or poison the memory state of any other AI agent in the AWS account.
  • Wildcard ECR permissions allow attackers to exfiltrate proprietary container images and extract sensitive configuration data, such as MemoryIDs.
  • Attackers can invoke any Code Interpreter or Agent Runtime in the account, leading to lateral movement and indirect privilege escalation.
  • AWS has updated documentation to explicitly warn that these default roles are for dev/test only and should not be used in production.

Affected Systems

  • AWS Bedrock AgentCore
  • Amazon Elastic Container Registry (ECR)
  • AWS Identity and Access Management (IAM)

Attack Chain

An attacker first compromises an initial AI agent within the AWS environment. Leveraging the overly permissive default IAM role attached to the agent, the attacker requests an ECR authorization token and authenticates to the container registry. They then pull the Docker image of a high-value target agent and extract its unique MemoryID from static configuration files (e.g., env-output.txt). Finally, using the extracted MemoryID and wildcard memory permissions, the attacker accesses or poisons the target agent's memory and can invoke other agents or code interpreters to escalate privileges.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules, but highlights the need to monitor AWS CloudTrail for anomalous Bedrock and ECR API calls originating from agent execution roles.

Detection Engineering Assessment

EDR Visibility: None — The attack occurs entirely within the AWS control plane (IAM, Bedrock, ECR) and does not involve traditional endpoint execution. Network Visibility: Low — API calls are encrypted via TLS to AWS endpoints; visibility relies on cloud provider logs rather than network packet inspection. Detection Difficulty: Moderate — Detecting this requires baselining normal agent behavior and identifying anomalous cross-agent API calls or unexpected ECR image pulls by agent execution roles.

Required Log Sources

  • AWS CloudTrail
  • AWS IAM Access Analyzer

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
An AI agent execution role is pulling ECR images that do not belong to its specific deployment.AWS CloudTrail (ecr:BatchGetImage)ExfiltrationLow
An agent role is invoking the GetMemory or RetrieveMemoryRecords API for a MemoryID not associated with its own session.AWS CloudTrail (bedrock-agentcore:GetMemory, bedrock-agentcore:RetrieveMemoryRecords)CollectionLow
An agent role is invoking other agents or code interpreters unexpectedly.AWS CloudTrail (bedrock-agentcore:InvokeAgentRuntime, bedrock-agentcore:InvokeCodeInterpreter)Privilege EscalationMedium

Control Gaps

  • Lack of least privilege in default IAM roles generated by the starter toolkit
  • Absence of resource-level scoping for Bedrock memory and ECR repositories

Key Behavioral Indicators

  • Agent roles executing ecr:GetAuthorizationToken
  • Agent roles accessing wildcard resources (*) in Bedrock API calls

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Review all IAM roles created by the Bedrock AgentCore starter toolkit in the AWS account.
  • Replace wildcard (*) resource permissions with specific ARNs for memory, ECR, and code interpreters.

Infrastructure Hardening

  • Implement custom, least-privilege IAM roles for all production AI agents.
  • Enforce resource-level boundaries to prevent cross-agent invocation and data access.

User Protection

  • N/A

Security Awareness

  • Educate development and cloud engineering teams on the risks of using auto-created, default IAM roles in production cloud environments.

MITRE ATT&CK Mapping

  • T1078.004 - Valid Accounts: Cloud Accounts
  • T1528 - Steal Application Access Token
  • T1552.001 - Credentials In Files
  • T1068 - Exploitation for Privilege Escalation
  • T1530 - Data from Cloud Storage Object

Additional IOCs

  • Command Lines:
    • Purpose: Retrieve ECR authorization token to access container registries | Tools: boto3, aws cli | Stage: Credential Access | ecr.get_authorization_token()
    • Purpose: Authenticate to the AWS ECR registry | Tools: docker | Stage: Credential Access | docker login https://
    • Purpose: Download the target agent's container image for static analysis and credential extraction | Tools: docker | Stage: Exfiltration | docker pull

Related