Cross-Tenant Data Leakage in AWS Bedrock Custom Model Import
Overview
A high-severity vulnerability was identified in the AWS Bedrock service that allowed for cross-tenant data access. The flaw was located in the custom model import feature, where users can import their own fine-tuned models for serving. The backend process responsible for validating and provisioning the imported model had a race condition flaw. An attacker in one AWS account could craft a model import request with a specially formatted S3 URI pointing to a model in their own bucket. By submitting this request at the same time as a legitimate import was being processed by a victim in another account, the attacker could trick the provisioning service. Due to improper state management during the parallel processing, the service would sometimes map the attacker's model endpoint to the victim's provisioned infrastructure, but crucially, with the data access roles of the victim's account. The attacker could then query their own model endpoint and, in some cases, receive responses generated from the victim's underlying model or even trigger errors that leaked metadata about the victim's private model data stored in their S3 buckets. This allowed for inference-based exfiltration of proprietary model intelligence and data.
Affected Systems
Testing Guide
This vulnerability was patched by AWS on the service backend. It is no longer possible to test for or exploit this issue. Customers can verify the patch by confirming they did not receive a security notification from AWS regarding potential exposure for their account.
Mitigation Steps
1. This was a server-side vulnerability and was patched by AWS for all customers. No user action is required for mitigation. 2. Review CloudTrail logs for any suspicious `Bedrock:ImportModel` or `Bedrock:ProvisionModelThroughput` API calls originating from unknown principals around the vulnerability window. 3. Implement strict, resource-based S3 bucket policies for model data, allowing access only from specific, expected VPC endpoints or Bedrock service roles to limit the impact of similar future vulnerabilities. 4. Enable AWS GuardDuty, which has been updated with new detection rules for anomalous Bedrock API activity.
Patch Details
AWS patched the backend infrastructure on 2025-11-20. The patch involved strengthening isolation and introducing atomic locking during the model provisioning workflow.