Unit 42 reveals "Agent God Mode" in Amazon Bedrock AgentCore. Broad IAM permissions lead to privilege escalation and data exfiltration risks.

Unit42 is a cybersecurity research team known for its  analysis of cyber threats, malware, and cyber attack trends. Through research reports, threat intelligence briefings, and data analysis, Unit42 offers insights into emerging cyber threats and adversary tactics. Readers can learn about threat detection methodologies, vulnerability trends, and cyber attack attribution to enhance their cybersecurity posture and protect their organizations from advanced cyber threats.

Unit 42

Unit 42 researchers discovered a critical security vulnerability in the Amazon Bedrock AgentCore starter toolkit, dubbed 'Agent God Mode.' The toolkit's auto-create logic generates IAM roles with wildcard permissions across the entire AWS account rather than scoping them to individual resources, violating the principle of least privilege. A compromised agent can exploit these permissions to: pull any ECR container image (exposing source code and proprietary algorithms), read or poison other agents' memory stores, invoke any other agent runtime, and escalate privileges by targeting high-privilege Code Interpreters. The attack chain is fully demonstrated: exfiltrate an ECR image, extract the target's MemoryID from embedded config files, then hijack that agent's conversation history. AWS has since updated documentation to warn that default roles are for development/testing only and should never be used in production. The recommended mitigation is creating custom least-privilege IAM roles for all production agents.

Cracks in the Bedrock: Agent God Mode