diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/src/pentesting-cloud/aws-security /aws-bedrock-agentcore-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/src/pentesting-cloud/aws-security /aws-bedrock-agentcore-privesc.md new file mode 100644 index 000000000..3f523b975 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/src/pentesting-cloud/aws-security /aws-bedrock-agentcore-privesc.md 
@@ -0,0 +1,88 @@ +# AWS Bedrock AgentCore - Code Interpreter Role Pivot + +## Service + +**Amazon Bedrock AgentCore** + +## Technique Name + +**Code Interpreter Role Pivot** (Privilege escalation/lateral movement via over-privileged `executionRoleArn`) + +## Why this Matters + +Amazon Bedrock AgentCore introduced a "Code Interpreter" feature in mid-2025 that acts as a managed compute surface. It executes code within a Firecracker MicroVM-isolated environment. The critical security hook is the **`executionRoleArn`**: this is the IAM identity the interpreter uses to interact with other AWS services. + +When a developer grants this service-linked role excessive permissions (e.g., `s3:*`, `secretsmanager:GetSecretValue`), any user with the ability to invoke the interpreter can effectively "hijack" those permissions to move laterally or escalate privileges within the account. + + +## Preconditions (The Misconfiguration) + +1. **Over-privileged Execution Role:** An AgentCore Code Interpreter is configured with a role that has access to sensitive data or administrative APIs. +2. **Broad Invocation Access:** A low-privileged IAM principal is granted permission to start or interact with these sessions. +3. **Governance Failure:** The environment is treated as "AI experimental tooling" rather than "Managed Compute," bypassing standard Least Privilege reviews. + + +## Required IAM Actions + +To execute this pivot, an attacker needs one or more of the following `bedrock-agentcore` actions: + +* `bedrock-agentcore:StartCodeInterpreterSession` +* `bedrock-agentcore:InvokeCodeInterpreter` +* `bedrock-agentcore:CreateCodeInterpreter` (Allows creating a session with a pre-existing role) + +> **Note on `iam:PassRole`:** In current AWS Service Authorization References, `CreateCodeInterpreter` does not explicitly list `iam:PassRole` as a dependency in the same way `CreateGateway` does. 
This creates a potential "PassRole-less" role selection edge case that should be validated in target environments. + + +## Exploitation Flow + +### 1. Reconnaissance + +Identify existing interpreters and their associated execution roles. + +```bash +aws bedrock-agentcore-control list-code-interpreters +aws bedrock-agentcore-control get-code-interpreter --code-interpreter-id + +``` + +### 2. Session Initiation + +Start a session to gain access to the compute environment. + +```bash +aws bedrock-agentcore start-code-interpreter-session --code-interpreter-id + +``` + +### 3. Lateral Movement / Exfiltration + +Invoke the interpreter to execute Python code that uses the `executionRoleArn` credentials to access other services. + +```python +import boto3 +# The interpreter uses the executionRoleArn automatically +s3 = boto3.client('s3') +print(s3.list_buckets()) + +``` + + +## Mitigation & Detection + +### **Prevention** + +* **Apply Permission Boundaries:** Attach a boundary to the `executionRoleArn` to ensure it cannot perform IAM mutations or sensitive data deletions, regardless of its primary policy. +* **Restrict Invocation:** Limit `StartCodeInterpreterSession` and `InvokeCodeInterpreter` to specific, authorized admin principals. +* **Identity Scoping:** Use the `bedrock-agentcore:sessionId` and `bedrock-agentcore:actorId` condition keys to ensure sessions are isolated to specific users. + +### **Detection** + +* **CloudTrail Monitoring:** Monitor for `StartCodeInterpreterSession` events from unexpected IPs or principals. +* **Credential Usage:** Alert on the use of AgentCore execution role credentials (detectable via the `UserAgent` or `PrincipalId` in CloudTrail) to access S3 buckets or Secrets Manager outside of normal AI operations. 
+ + +## References + +* [AWS CLI Reference: create-code-interpreter](https://docs.aws.amazon.com/cli/latest/reference/bedrock-agentcore-control/create-code-interpreter.html) +* [AWS Service Authorization: Bedrock AgentCore](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockagentcore.html) +* [AWS CLI: start-code-interpreter-session](https://docs.aws.amazon.com/cli/latest/reference/bedrock-agentcore/start-code-interpreter-session.html)
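Review bot: The new file's path in the diff header repeats `src/pentesting-cloud/aws-security /` underneath `aws-privilege-escalation/`, and that nested directory name ends in a space. This looks like an accidental paste of the full path into the filename field. The file should probably sit directly at `src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-agentcore-privesc.md`. In "Why this Matters", the `executionRoleArn` is called a "service-linked role", but the same sentence has a developer granting it permissions such as `s3:*`. That describes a customer-managed service role, so the term should be changed. In "Exploitation Flow", both commands in step 1 and step 2 end at `--code-interpreter-id` with no value. Add a placeholder written so the renderer keeps it, for example inside the code block as `--code-interpreter-id <code-interpreter-id>`. In "Required IAM Actions", the gloss on `CreateCodeInterpreter` says it allows "creating a session", while the action name and the step 2 command indicate that sessions come from `StartCodeInterpreterSession`. Reword it to say it creates an interpreter bound to a chosen role. The `iam:PassRole` note is presented as unvalidated ("should be validated in target environments"), so state whether it was tested before this is merged as a technique.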