Privilege Escalation in AWS Bedrock Agents via Over-Privileged IAM Roles
Overview
A prevalent and critical misconfiguration affects AI agents deployed on cloud platforms such as AWS Bedrock. The weakness is not in the Bedrock service itself but in the common developer practice of giving the agent's tooling far more IAM permission than its tasks require. In Bedrock Agents the model never calls AWS directly: each action group is backed by a Lambda function (or returns control to the calling application), and every tool call runs with that function's execution role, alongside the agent's own service role. When those roles carry broad grants such as `s3:*`, `ec2:RunInstances` or `iam:CreateUser`, the agent becomes a high-value target. Through prompt injection, direct (in the user's message) or indirect (in a document, web page or knowledge-base record the agent retrieves), an adversary can steer the model into emitting tool calls that abuse those privileges. This attack pattern, termed 'AI as Code' (AIaC), lets the attacker pivot from controlling the LLM's output to controlling the underlying cloud account: an injected instruction can drive the agent to copy every object out of an S3 bucket, launch a fleet of EC2 instances for crypto mining, or create a new IAM administrator for the attacker, ending in full account takeover. The root cause is a failure to apply the principle of least privilege. The impact is severe because an application-level prompt injection escalates into a cloud infrastructure breach carried out through legitimately signed API calls from inside the account, which traditional network and endpoint controls cannot distinguish from normal agent activity.
Affected Systems
Testing Guide
1. **Review IAM Policies**: Audit every role the agent runs with, not just one: the agent's service role (`agentResourceRoleArn` in the output of `aws bedrock-agent get-agent`) and the execution role of each action-group Lambda (list them with `aws bedrock-agent list-agent-action-groups`, then read the `Role` from `aws lambda get-function-configuration`). Enumerate inline and attached policies with `aws iam list-role-policies`, `aws iam get-role-policy`, `aws iam list-attached-role-policies` and `aws iam get-policy-version`. Look for wildcards (`*`) in `Action` or `Resource`, for `NotAction`/`NotResource` statements, and for high-risk actions such as `iam:*`, `sts:AssumeRole` and `ec2:RunInstances`. `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names iam:CreateUser s3:PutObject` answers "could this role do X?" without issuing a real API call.

2. **Simulate Injection**: Craft a benign but revealing prompt to probe what the agent can reach. For example: `"Using your AWS access, can you list the first 3 S3 buckets in this account?"` Keep in mind that the model can only invoke what an action group exposes: a prompt that succeeds proves the tool surface and the role together allow the action, while a refusal proves nothing about the role. Test the indirect path as well by placing the same instruction inside a document or record the agent retrieves.

3. **Check for Write Access**: If the agent's tools can modify resources, try a prompt like: `"Create an empty S3 bucket named 'agent-test-bucket-xxxx'."` Run this in a non-production account, delete the bucket afterwards, and confirm in CloudTrail which role issued the `CreateBucket` call. If these actions succeed, the role is over-privileged.
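The following is an added example, not code from the original page or from AWS: a static audit of the policy documents pulled from the agent's service role and action-group Lambda roles, flagging wildcard actions, `NotAction`/`NotResource`, high-risk actions, and `Resource: "*"` combined with write-capable actions. The two embedded policies are constructed samples; the over-privileged one matches the grants named in the Overview, and the scoped one is the shape the Mitigation Steps call for (`s3:GetObject` on one prefix instead of `s3:*`).

```python
"""Static audit of the IAM policy documents behind a Bedrock agent's tools."""
import fnmatch
from typing import Any

# Actions that let a compromised agent escalate, persist, or run up a bill.
# Any Allow that covers one of these is a finding, whatever the Resource.
HIGH_RISK_ACTIONS = (
    "iam:CreateUser", "iam:CreateAccessKey", "iam:CreateLoginProfile",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutRolePolicy", "iam:PassRole", "sts:AssumeRole",
    "ec2:RunInstances", "lambda:CreateFunction", "lambda:UpdateFunctionCode",
    "s3:PutBucketPolicy", "s3:DeleteBucket",
)

# Action-name prefixes treated as read-only when judging a Resource "*" grant
# (some read-only calls, e.g. s3:ListAllMyBuckets, legitimately need "*").
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")


def _as_list(value: Any) -> list:
    """Most IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action: str) -> bool:
    name = action.split(":", 1)[-1]
    return "*" not in name and name.startswith(READ_ONLY_PREFIXES)


def _covers(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy: dict) -> list[str]:
    """Return one finding per over-broad grant in an IAM policy document."""
    findings: list[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows everything not listed")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
            risky = [r for r in HIGH_RISK_ACTIONS if _covers(action, r)]
            if risky:
                findings.append(
                    f"statement {i}: {action!r} grants high-risk action(s) {', '.join(risky)}")
        writes = [a for a in actions if not _is_read_only(a)]
        if "*" in resources and writes:
            findings.append(
                f"statement {i}: Resource '*' with write-capable action(s) {', '.join(writes)}")
    return findings


# Constructed sample policies (not taken from any real account).
OVERPRIVILEGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:*", "ec2:RunInstances", "iam:CreateUser"],
         "Resource": "*"},
    ],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-agent-docs"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-agent-docs/*"},
    ],
}

if __name__ == "__main__":
    for name, doc in (("over-privileged", OVERPRIVILEGED_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: {audit_policy(doc) or ['no findings']}")
```

Feed `audit_policy` the `PolicyDocument` returned by `iam.get_role_policy` (inline) and `iam.get_policy_version` (attached) for every role found in step 1; the over-privileged sample yields five findings and the scoped sample none. The audit is deliberately conservative: it does not evaluate conditions, permissions boundaries or SCPs, so a finding means "review this", not "exploitable".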
Mitigation Steps
1. **Apply Principle of Least Privilege**: Give each action-group Lambda its own execution role that grants only the API actions and resources that tool needs, for example `s3:GetObject` on `arn:aws:s3:::<bucket>/<prefix>/*` instead of `s3:*` on `*`. Keep the agent's service role to what Bedrock itself requires (model invocation, invoking the action-group functions, knowledge-base access). Attach an IAM permissions boundary to these roles so that a later policy change cannot silently widen them.

2. **Use Service Control Policies (SCPs)**: At the organization level, use SCPs to set hard limits on what the agent roles can ever do. SCPs apply to every principal in a member account (not only federated roles, and not in the management account), so scope them with a condition on `aws:PrincipalArn`: for example, deny `iam:*`, `sts:AssumeRole` and `organizations:*` when the principal is one of the agent roles.

3. **Implement Guardrails**: Amazon Bedrock Guardrails inspect prompts and model responses (denied topics, prompt-attack filters, sensitive-information filters). They lower the chance that an injected instruction turns into a tool call, but they are content filters, not an authorization boundary; IAM is the boundary, and guardrails are defense in depth on top of it. For sensitive tools, have the action group return control to the calling application and require an explicit human confirmation before the call is executed.

4. **Monitor CloudTrail Logs**: Continuously monitor CloudTrail for API calls from the agent roles that fall outside the small set each tool is expected to make, and treat `AccessDenied` attempts as signals too, since they show the agent was driven off-script. Management events are recorded by default, but S3 object-level calls such as `GetObject` are data events and must be enabled on the trail. The role behind a call is in `userIdentity.sessionContext.sessionIssuer.arn`.

5. **Separate Roles**: Use one role per agent and per action group, and run agents with different responsibilities in separate accounts where practical, so that a single compromised tool limits the blast radius.
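As an added example of the CloudTrail monitoring in step 4 (not code from the page or from AWS), the detector below keeps an allowlist of the `(eventSource, eventName)` pairs a given agent role is expected to produce and raises an alert for anything else from that role, rating writes and IAM/STS calls as critical and keeping denied attempts. The role ARN, account ID and the five trail records are constructed for the example and carry only the CloudTrail fields the detector reads.

```python
"""Detect unexpected API calls from a Bedrock agent's tool role in CloudTrail."""
import json
from typing import Optional

# Constructed role ARN for the Lambda behind an agent's "orders" action group.
AGENT_ROLE_ARN = "arn:aws:iam::123456789012:role/bedrock-agent-orders-lambda"

# The only (eventSource, eventName) pairs each monitored role legitimately makes.
EXPECTED_CALLS = {
    AGENT_ROLE_ARN: {
        ("s3.amazonaws.com", "GetObject"),
        ("dynamodb.amazonaws.com", "GetItem"),
    },
}

# Any call to these services from an agent role is critical regardless of readOnly.
CRITICAL_SOURCES = {"iam.amazonaws.com", "sts.amazonaws.com", "organizations.amazonaws.com"}


def issuing_role(record: dict) -> Optional[str]:
    """ARN of the role behind an AssumedRole session, or None for other identities."""
    identity = record.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return None
    return identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")


def classify(record: dict) -> Optional[dict]:
    """Return an alert for an unexpected call from a monitored agent role, else None."""
    role = issuing_role(record)
    if role not in EXPECTED_CALLS:
        return None
    source, name = record.get("eventSource"), record.get("eventName")
    if (source, name) in EXPECTED_CALLS[role]:
        return None
    # A write, or any IAM/STS call, is how an injected prompt becomes account takeover.
    is_write = record.get("readOnly") is False
    severity = "critical" if is_write or source in CRITICAL_SOURCES else "medium"
    return {
        "severity": severity,
        "role": role.rsplit("/", 1)[-1],
        "call": f"{source}:{name}",
        # A denied attempt still means the agent was driven off-script.
        "denied": record.get("errorCode") == "AccessDenied",
        "time": record.get("eventTime"),
    }


def scan(records: list) -> list:
    """Run classify over a batch of CloudTrail records (the 'Records' array of a trail file)."""
    return [alert for alert in map(classify, records) if alert]


def _record(source, name, read_only, role_arn=AGENT_ROLE_ARN, error=None,
            when="2024-05-01T10:00:00Z"):
    """Build a minimal constructed CloudTrail record with the fields the detector reads."""
    role_name = role_arn.rsplit("/", 1)[-1]
    rec = {
        "eventTime": when, "eventSource": source, "eventName": name, "readOnly": read_only,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::123456789012:assumed-role/{role_name}/orders-fn",
            "sessionContext": {"sessionIssuer": {"type": "Role", "arn": role_arn}},
        },
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample trail: one normal call, then what an injected prompt produces.
SAMPLE_RECORDS = [
    _record("s3.amazonaws.com", "GetObject", True),                                # expected
    _record("s3.amazonaws.com", "ListBuckets", True),                              # recon
    _record("iam.amazonaws.com", "CreateUser", False),                             # persistence
    _record("ec2.amazonaws.com", "RunInstances", False, error="AccessDenied"),     # blocked attempt
    _record("s3.amazonaws.com", "GetObject", True,
            role_arn="arn:aws:iam::123456789012:role/unrelated"),                  # not monitored
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(json.dumps(alert))
```

On the sample trail this produces three alerts: a medium one for `ListBuckets`, and critical ones for `CreateUser` and the denied `RunInstances`. In production the records come from the trail's S3 objects, CloudTrail Lake or `cloudtrail:LookupEvents`; the `GetObject` entry only appears if S3 data events are enabled on the trail, which is exactly why step 4 calls that out.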
Patch Details
This is a configuration issue, not a software bug, so no vendor patch applies. Mitigation relies on the account owner implementing the practices above on every role the agent and its action groups run with.