Revise AWS Bedrock AgentCore Code Interpreter documentation

Updated the AWS Bedrock AgentCore documentation to clarify the Code Interpreter Role Pivot technique, including details on preconditions, required IAM actions, exploitation flow, and mitigation strategies.

src/pentesting-cloud/aws-security/aws-privilege-escalation/src/pentesting-cloud/aws-security /aws-bedrock-agentcore-privesc.md

@@ -0,0 +1,88 @@
+# AWS Bedrock AgentCore - Code Interpreter Role Pivot
+
+## Service
+
+**Amazon Bedrock AgentCore**
+
+## Technique Name
+
+**Code Interpreter Role Pivot** (Privilege escalation/lateral movement via over-privileged `executionRoleArn`)
+
+## Why this Matters
+
+Amazon Bedrock AgentCore introduced a "Code Interpreter" feature in mid-2025 that acts as a managed compute surface. It executes code within a Firecracker MicroVM-isolated environment. The critical security hook is the **`executionRoleArn`**: this is the IAM identity the interpreter uses to interact with other AWS services.
+
+When a developer grants this service-linked role excessive permissions (e.g., `s3:*`, `secretsmanager:GetSecretValue`), any user with the ability to invoke the interpreter can effectively "hijack" those permissions to move laterally or escalate privileges within the account.
+
+
+## Preconditions (The Misconfiguration)
+
+1. **Over-privileged Execution Role:** An AgentCore Code Interpreter is configured with a role that has access to sensitive data or administrative APIs.
+2. **Broad Invocation Access:** A low-privileged IAM principal is granted permission to start or interact with these sessions.
+3. **Governance Failure:** The environment is treated as "AI experimental tooling" rather than "Managed Compute," bypassing standard Least Privilege reviews.
+
+
+## Required IAM Actions
+
+To execute this pivot, an attacker needs one or more of the following `bedrock-agentcore` actions:
+
+* `bedrock-agentcore:StartCodeInterpreterSession`
+* `bedrock-agentcore:InvokeCodeInterpreter`
+* `bedrock-agentcore:CreateCodeInterpreter` (Allows creating a session with a pre-existing role)
+
+> **Note on `iam:PassRole`:** In current AWS Service Authorization References, `CreateCodeInterpreter` does not explicitly list `iam:PassRole` as a dependency in the same way `CreateGateway` does. This creates a potential "PassRole-less" role selection edge case that should be validated in target environments.
+
+
+## Exploitation Flow
+
+### 1. Reconnaissance
+
+Identify existing interpreters and their associated execution roles.
+
+```bash
+aws bedrock-agentcore-control list-code-interpreters
+aws bedrock-agentcore-control get-code-interpreter --code-interpreter-id <TARGET_ID>
+
+```
+
+### 2. Session Initiation
+
+Start a session to gain access to the compute environment.
+
+```bash
+aws bedrock-agentcore start-code-interpreter-session --code-interpreter-id <TARGET_ID>
+
+```
+
+### 3. Lateral Movement / Exfiltration
+
+Invoke the interpreter to execute Python code that uses the `executionRoleArn` credentials to access other services.
+
+```python
+import boto3
+# The interpreter uses the executionRoleArn automatically
+s3 = boto3.client('s3')
+print(s3.list_buckets())
+
+```
+
+
+## Mitigation & Detection
+
+### **Prevention**
+
+* **Apply Permission Boundaries:** Attach a boundary to the `executionRoleArn` to ensure it cannot perform IAM mutations or sensitive data deletions, regardless of its primary policy.
+* **Restrict Invocation:** Limit `StartCodeInterpreterSession` and `InvokeCodeInterpreter` to specific, authorized admin principals.
+* **Identity Scoping:** Use the `bedrock-agentcore:sessionId` and `bedrock-agentcore:actorId` condition keys to ensure sessions are isolated to specific users.
+
+### **Detection**
+
+* **CloudTrail Monitoring:** Monitor for `StartCodeInterpreterSession` events from unexpected IPs or principals.
+* **Credential Usage:** Alert on the use of AgentCore execution role credentials (detectable via the `UserAgent` or `PrincipalId` in CloudTrail) to access S3 buckets or Secrets Manager outside of normal AI operations.
+
+
+## References
+
+* [AWS CLI Reference: create-code-interpreter](https://docs.aws.amazon.com/cli/latest/reference/bedrock-agentcore-control/create-code-interpreter.html)
+* [AWS Service Authorization: Bedrock AgentCore](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockagentcore.html)
+* [AWS CLI: start-code-interpreter-session](https://docs.aws.amazon.com/cli/latest/reference/bedrock-agentcore/start-code-interpreter-session.html)