
Cracks in the Bedrock: Agent God Mode

Unit 42 discloses ‘Agent God Mode’ — a multi-stage attack chain stemming from overly broad IAM roles auto-generated by the AWS Bedrock AgentCore starter toolkit. The default execution role applies wildcard resource ARNs (arn:aws:bedrock-agentcore::memory/) granting any agent read/write access to every other agent’s memory store in the account, enabling cross-agent state poisoning and sensitive data exfiltration. Additionally, the default policy grants InvokeCodeInterpreter on all Code Interpreter resources (*), allowing a compromised agent to invoke high-privileged interpreters it does not own, creating an indirect privilege escalation path since interpreter actions execute under the interpreter’s IAM role rather than the invoking agent’s. Combined with ECR image pull permissions scoped too broadly, an attacker who compromises a single agent can enumerate and compromise every other AgentCore deployment in the AWS account. AWS updated their documentation post-disclosure to flag the default roles as development/testing-only, but existing deployments using the toolkit defaults remain exposed.
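
To check an existing execution role for the three grants described above, a static audit of the policy document is enough. The following is an added example, not code from Unit 42, AWS or the starter toolkit; the sample policy is constructed, and the `code-interpreter` ARN resource-type prefix and the finding labels are assumptions.

```python
import json
from fnmatch import fnmatchcase

# Constructed policy: account ID, region, Sids and memory ID are made up.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "Memory", "Effect": "Allow",
   "Action": ["bedrock-agentcore:CreateEvent", "bedrock-agentcore:RetrieveMemoryRecords"],
   "Resource": "arn:aws:bedrock-agentcore:us-east-1:111122223333:memory/*"},
  {"Sid": "Interpreter", "Effect": "Allow",
   "Action": "bedrock-agentcore:InvokeCodeInterpreter", "Resource": "*"},
  {"Sid": "Pull", "Effect": "Allow",
   "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
   "Resource": "arn:aws:ecr:us-east-1:111122223333:repository/*"},
  {"Sid": "ScopedMemory", "Effect": "Allow", "Action": "bedrock-agentcore:CreateEvent",
   "Resource": "arn:aws:bedrock-agentcore:us-east-1:111122223333:memory/example-memory-id"}
]}""")

def _listify(value):
    return value if isinstance(value, list) else [value]

def _grants(patterns, action):
    """True if any IAM action pattern (wildcards allowed) covers `action`."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _unscoped(resource, prefix):
    """True if `resource` is '*' or a wildcarded ARN of the given resource type."""
    tail = resource.rsplit(":", 1)[-1]
    return resource == "*" or (tail.startswith(prefix) and "*" in tail)

def audit(policy):
    """Return sorted (Sid, finding) pairs for the three over-broad grants."""
    findings = set()
    for st in _listify(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions, sid = _listify(st.get("Action", [])), st.get("Sid", "?")
        agentcore = [a.lower() for a in actions if a == "*" or a.lower().startswith("bedrock-agentcore:")]
        whole = any(a in ("*", "bedrock-agentcore:*") for a in agentcore)
        for res in _listify(st.get("Resource", [])):
            # Memory is keyed on the ARN; a bare "*" counts only with a whole-service action.
            if agentcore and _unscoped(res, "memory/") and (res != "*" or whole):
                findings.add((sid, "memory"))
            # "code-interpreter" as the ARN resource-type prefix is an assumption.
            if _grants(actions, "bedrock-agentcore:InvokeCodeInterpreter") and _unscoped(res, "code-interpreter"):
                findings.add((sid, "code-interpreter"))
            if _grants(actions, "ecr:BatchGetImage") and _unscoped(res, "repository/"):
                findings.add((sid, "ecr-pull"))
    return sorted(findings)
```

`audit(SAMPLE_POLICY)` reports the `Memory`, `Interpreter` and `Pull` statements and leaves `ScopedMemory` alone, because that statement names a single memory ID. Run it over the JSON of each AgentCore execution role's attached policies.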


This post is licensed under CC BY 4.0 by the author.