Cross-Tenant Data Access in AWS Bedrock via Manipulated Knowledge Base Queries
Overview
A critical vulnerability was identified in the AWS Bedrock 'Knowledge Bases' feature, which enables customers to perform Retrieval-Augmented Generation (RAG) over their private documents in Amazon S3. Researchers discovered that the service-side API endpoint responsible for translating natural language queries into queries for the underlying vector database (Amazon OpenSearch Serverless) was vulnerable to parameter injection. By crafting a malicious and highly structured JSON payload in their query, an attacker could inject control characters and additional query logic. This injection confused the backend parser, causing it to ignore or bypass the tenant-specific filters that enforce data isolation.

An authenticated but low-privilege attacker in one AWS account could therefore construct a query to retrieve document chunks and metadata from the Knowledge Bases belonging to other AWS customers hosted on the same shared infrastructure. The exploit effectively broke the multi-tenant security model, a fundamental promise of cloud services.

The impact was deemed critical as it allowed for the direct exfiltration of potentially highly sensitive, private data that customers had entrusted to the managed AI service. The vulnerability was responsibly disclosed to AWS by a cloud security research firm.
Affected Systems
Testing Guide
1. As this was a service-side vulnerability that has been patched by AWS, it is no longer possible for customers to test for it directly.
2. To verify your security posture, you can review your IAM policies for Bedrock to ensure they follow the principle of least privilege.
3. Check your Bedrock Knowledge Base configurations to confirm if they are using VPC endpoints for private connectivity where appropriate.
Mitigation Steps
1. **No Customer Action Required (Post-Patch):** AWS patched this vulnerability on the service side, so no direct action is needed for customers. The fix was applied transparently.
2. **Use VPC Endpoints:** For enhanced security, configure Knowledge Bases to be accessible only from within your Virtual Private Cloud (VPC) using VPC endpoints. This limits exposure to the public internet.
3. **Least-Privilege IAM:** Ensure that IAM roles and users that have access to Bedrock have the minimum necessary permissions. Do not grant broad `bedrock:*` permissions.
4. **Monitor CloudTrail Logs:** Regularly review AWS CloudTrail logs for Bedrock API calls, looking for unusual or malformed queries that could indicate an attempted exploit.
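An added example, not part of the original advisory or any AWS tooling: an offline audit for the IAM review in the Testing Guide and the least-privilege step above. It flags `Allow` statements that grant Knowledge Base retrieval through `bedrock:*`-style wildcards, through `NotAction`, or over a wildcard resource. The `KB_ACTIONS` list, the reason labels and the sample policy (placeholder account and knowledge base IDs) are assumptions for illustration.

```python
import re

# Assumption: the Knowledge Base read actions this review cares about.
KB_ACTIONS = ("bedrock:Retrieve", "bedrock:RetrieveAndGenerate")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action patterns are case-insensitive; '*' and '?' are wildcards.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def audit_policy(policy):
    """Return (sid, reason) findings for Allow statements that over-grant KB access."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt:
            # Allow + NotAction grants every action that is not excluded.
            excluded = _as_list(stmt["NotAction"])
            grants_kb = any(not any(_matches(p, a) for p in excluded) for a in KB_ACTIONS)
            if grants_kb:
                findings.append((sid, "not-action"))
        else:
            hits = [p for p in _as_list(stmt.get("Action", []))
                    if any(_matches(p, a) for a in KB_ACTIONS)]
            grants_kb = bool(hits)
            if any("*" in p or "?" in p for p in hits):
                findings.append((sid, "wildcard-action"))
        resources = _as_list(stmt.get("Resource", []))
        if grants_kb and any(r == "*" or r.endswith("knowledge-base/*") for r in resources):
            findings.append((sid, "wildcard-resource"))
    return findings

# Constructed sample policy; account ID and knowledge base ID are placeholders.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BroadBedrock", "Effect": "Allow", "Action": "bedrock:*", "Resource": "*"},
    {"Sid": "ScopedRetrieve", "Effect": "Allow", "Action": ["bedrock:Retrieve"],
     "Resource": "arn:aws:bedrock:us-east-1:111122223333:knowledge-base/EXAMPLEKBID"},
    {"Sid": "RetrieveAnyKb", "Effect": "Allow", "Action": "bedrock:retrieve", "Resource": "*"},
    {"Sid": "DenyAll", "Effect": "Deny", "Action": "bedrock:*", "Resource": "*"},
]}

if __name__ == "__main__":
    for sid, reason in audit_policy(SAMPLE_POLICY):
        print(f"{sid}: {reason}")
```

The check evaluates one policy document in isolation; it does not combine policies, evaluate `Deny` statements, conditions or permission boundaries, so a finding is a prompt for review rather than proof of effective access.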
Patch Details
AWS deployed a server-side patch in early February 2026 that implemented stricter input validation and parameterization for all Knowledge Base queries, preventing the injection.