Unit 42 research on multi-agent AI systems on Amazon Bedrock reveals new attack surfaces and prompt injection risks. Learn how to secure your AI applications.

Unit42 is a cybersecurity research team known for its  analysis of cyber threats, malware, and cyber attack trends. Through research reports, threat intelligence briefings, and data analysis, Unit42 offers insights into emerging cyber threats and adversary tactics. Readers can learn about threat detection methodologies, vulnerability trends, and cyber attack attribution to enhance their cybersecurity posture and protect their organizations from advanced cyber threats.

Unit 42

Unit 42 researchers red-teamed Amazon Bedrock's multi-agent collaboration feature, demonstrating a four-stage attack chain: detecting operating mode (Supervisor vs. Supervisor with Routing), discovering collaborator agents, delivering attacker-controlled payloads, and exploiting target agents. Successful attacks included extracting agent instructions, leaking tool schemas, and invoking tools with malicious inputs. No vulnerabilities were found in Bedrock itself — the attacks exploit the fundamental LLM challenge of distinguishing developer instructions from adversarial input. Enabling Bedrock's built-in prompt attack Guardrails and pre-processing prompts effectively blocks all demonstrated attacks. Recommended defenses include narrow agent capability scoping, tool input sanitization, vulnerability scanning, and least-privilege permissions.

When an Attacker Meets a Group of Agents: Navigating Amazon Bedrock's Multi-Agent Applications

Introduction to Bedrock Agents Multi-Agent Collaboration