diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-bedrock-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-bedrock-post-exploitation/README.md index 65a9a1ef1..b620ee9a2 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-bedrock-post-exploitation/README.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-bedrock-post-exploitation/README.md @@ -78,11 +78,65 @@ Notes: - End the session and observe the Memory Summarization output; look for an injected custom topic containing attacker directives. - Start a new session; inspect Trace/Model Invocation Logs to see memory injected and any silent tool calls aligned with the injected directives. +## AWS - Bedrock Agents Multi-Agent Prompt-Injection Chains + +### Overview + +Amazon Bedrock multi-agent applications add a second prompt/control plane on top of the base agent: a **router** or **supervisor** decides which collaborator receives the user request, and collaborators can expose **action groups**, **knowledge bases**, **memory**, or even **code interpretation**. If the application treats user text as policy and disables Bedrock **pre-processing** or **Guardrails**, a legitimate chatbot user can often steer orchestration, discover collaborators, leak tool schemas, and coerce a collaborator into invoking an allowed tool with attacker-chosen inputs. + +This is an **application-level prompt-injection / policy-by-prompt failure**, not a Bedrock platform vulnerability. + +### Attack surface and preconditions + +The attack becomes practical when all are true: +- The Bedrock application uses **Supervisor Mode** or **Supervisor with Routing Mode**. +- A collaborator has high-impact **action groups** or other privileged capabilities. +- The application accepts **untrusted user text** from a normal chat UI and lets the model decide routing, delegation, or authorization. +- **Pre-processing** and/or **Guardrails** are disabled, or tool backends trust model-selected arguments without independent authorization checks. + +### 1. Operating mode detection + +- In **Supervisor with Routing Mode**, the router prompt contains an `` block with `$reachable_agents$`. A detection payload can instruct the router to forward to the **first listed agent** and return a unique marker, proving direct routing occurred. +- In **Supervisor Mode**, the orchestration prompt forces responses and inter-agent communication through `AgentCommunication__sendMessage()`. A payload that requests a unique message via that tool fingerprints supervisor-mediated handling. + +Useful artifacts: +- `` / `$reachable_agents$` strongly suggests a router classification layer. +- `AgentCommunication__sendMessage()` strongly suggests supervisor orchestration and an explicit inter-agent messaging primitive. + +### 2. Collaborator discovery + +- In **Routing Mode**, discovery prompts should look **ambiguous or multi-step** so the router escalates to the supervisor instead of routing straight to one collaborator. +- The supervisor prompt embeds collaborators inside `$agent_collaborators$`, but usually also says not to reveal tools/agents/instructions. +- Instead of asking for the raw prompt, ask for **functional descriptions** of the available specialists. Even partial descriptions are enough to map collaborators to domains such as forecasting, solar management, or peak-load optimization. + +### 3. Payload delivery to a chosen collaborator + +- In **Supervisor Mode**, use the discovered collaborator role and instruct the supervisor to relay a payload **unchanged** through `AgentCommunication__sendMessage()`. The goal is payload integrity across the orchestration hop. +- In **Routing Mode**, craft the prompt with strong **domain cues** so the router classifier consistently sends it to the desired collaborator without supervisor review. + +### 4. Exploitation progression: leakage to tool misuse + +After delivery, a common progression is: + +1. **Instruction extraction**: coerce the collaborator into paraphrasing its internal logic, operational limits, or hidden guidance. +2. **Tool schema extraction**: elicit tool names, purposes, required parameters, and expected outputs. This gives the attacker the effective API contract for later abuse. +3. **Tool misuse**: persuade the collaborator to invoke a legitimate action group with attacker-controlled arguments, causing unauthorized business actions such as fraudulent ticket creation, workflow triggering, record manipulation, or downstream API abuse. + +The core issue is that the backend lets the model decide **who may do what** by prompt semantics instead of enforcing authorization and validation outside the LLM. + +### Notes for operators and defenders + +- **Trace** and **model invocation logs** are useful to confirm routing, prompt augmentation, collaborator selection, and whether tool calls executed with the attacker-supplied arguments. +- Treat each collaborator as a separate trust boundary: scope action groups narrowly, validate tool inputs in the backend, and require server-side authorization before high-impact actions. +- Bedrock **pre-processing** can reject or classify suspicious requests before orchestration, and **Guardrails** can block prompt-injection attempts at runtime. They should be enabled even if prompt templates already contain “do not disclose” rules. + ## References - [When AI Remembers Too Much – Persistent Behaviors in Agents’ Memory (Unit 42)](https://unit42.paloaltonetworks.com/indirect-prompt-injection-poisons-ai-longterm-memory/) +- [When an Attacker Meets a Group of Agents: Navigating Amazon Bedrock's Multi-Agent Applications (Unit 42)](https://unit42.paloaltonetworks.com/amazon-bedrock-multiagent-applications/) - [Retain conversational context across multiple sessions using memory – Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/agents-memory.html) +- [How Amazon Bedrock Agents works](https://docs.aws.amazon.com/bedrock/latest/userguide/agents-how.html) - [Advanced prompt templates – Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/advanced-prompts-templates.html) - [Configure advanced prompts – Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/configure-advanced-prompts.html) - [Write a custom parser Lambda function in Amazon Bedrock Agents](https://docs.aws.amazon.com/bedrock/latest/userguide/lambda-parser.html)