VYPR
Research · Published Apr 8, 2026 · Updated May 18, 2026 · 1 source

Unit 42 Uncovers 'Agent God Mode' Attack Vector in AWS Bedrock AgentCore Starter Toolkit

Researchers at Unit 42 have discovered a critical IAM misconfiguration in the AWS Bedrock AgentCore starter toolkit that grants overly broad permissions, enabling a compromised AI agent to escalate privileges and access every other agent in the account.

Unit 42 researchers have identified a dangerous attack vector in the AWS Bedrock AgentCore starter toolkit, which they have dubbed 'Agent God Mode.' The vulnerability stems from the toolkit's default IAM role generation, which grants permissions broadly across the entire AWS account rather than scoping them to individual resources. This misconfiguration allows an attacker who compromises a single AI agent to exfiltrate proprietary ECR images, access other agents' memories, invoke every code interpreter, and extract sensitive data from across the account.

The AgentCore starter toolkit is designed to simplify the deployment of AI agents by automating the creation of runtimes, Amazon Elastic Container Registry (ECR) images, and execution roles. However, the auto-create logic generates IAM policies that favor ease of deployment over security. For example, the default policy for memory resources applies actions such as `GetMemory` and `RetrieveMemoryRecords` to the wildcard resource `arn:aws:bedrock-agentcore:*:memory/*`, effectively allowing any agent to read the memories of all other agents in the account. Similarly, the `InvokeCodeInterpreter` action is granted on all Code Interpreter resources rather than on the one belonging to the agent, so a compromised agent can invoke interpreters that belong to other, more privileged agents.

The attack chain uncovered by Unit 42 involves multiple stages. First, an attacker compromises an agent, then uses its broad permissions to perform reconnaissance, listing the available code interpreters and identifying high-privileged targets. By invoking a code interpreter that runs with elevated privileges, the attacker can pivot into that context and execute arbitrary code.

Perhaps the most critical finding relates to the Elastic Container Registry (ECR). The default policy grants the AI agent unrestricted ability to pull images from any repository (`arn:aws:ecr:*:repository/*`) within the account. This creates a high-risk exfiltration vector: from a compromised agent, an attacker can generate an authentication token to download source code, proprietary algorithms, internal files, and other sensitive data from images of other agents and unrelated workloads across the entire account.
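The memory, code-interpreter and ECR grants described above share one shape: an Allow statement whose Resource is a wildcard that spans the whole account. The following Python script is an added example, not code from Unit 42, AWS or the starter toolkit: it audits IAM policy documents for exactly that pattern. The two embedded policy documents are constructed for the example; the broad one mirrors the wildcard resources quoted on this page, the scoped one is a least-privilege rewrite. The account ID, region, resource names, and the `code-interpreter` resource-type segment are placeholders, and the ECR pull actions (`ecr:BatchGetImage`, `ecr:GetDownloadUrlForLayer`, `ecr:GetAuthorizationToken`) are the standard actions a pull needs rather than anything quoted from the Unit 42 report.

```python
"""Audit IAM policy documents for account-wide AgentCore and ECR grants.

Added example; not the toolkit's own code. Feed it the JSON from
`aws iam get-role-policy` / `get-policy-version` to check a real role.
"""
import fnmatch
import json

# Actions this page singles out as dangerous when granted on wildcard resources.
# ecr:GetAuthorizationToken is deliberately absent: it has no resource-level
# scoping in IAM and must be granted on "*", so flagging it would be noise.
WATCHED_ACTIONS = {
    "bedrock-agentcore:GetMemory",
    "bedrock-agentcore:RetrieveMemoryRecords",
    "bedrock-agentcore:InvokeCodeInterpreter",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
}


def _as_list(value):
    """IAM allows Statement/Action/Resource to be a single value or a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and allow '*' / '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_is_wild(resource):
    """True when the ARN reaches beyond one named resource.

    A well-formed ARN has six colon-separated fields: arn:partition:service:
    region:account:resource.  A wildcard in the account field or in the
    resource field widens the grant; a wildcard region alone does not (it is
    still one named resource).  Malformed ARNs, such as the five-field strings
    quoted on this page, are treated conservatively: any '*' is wild.
    """
    if resource == "*":
        return True
    parts = resource.split(":", 5)
    if len(parts) < 6:
        return "*" in resource
    account, resource_part = parts[4], parts[5]
    return account == "*" or "*" in resource_part


def find_overbroad_grants(policy):
    """Return (action, resource) pairs where a watched action is allowed on a wild resource."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            # Negated forms grant everything except the listed items; treat as wild.
            findings.extend((a, "<NotAction/NotResource statement>") for a in sorted(WATCHED_ACTIONS))
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for watched in sorted(WATCHED_ACTIONS):
            if not any(_action_matches(p, watched) for p in actions):
                continue
            findings.extend((watched, r) for r in resources if _resource_is_wild(r))
    return findings


def audit_policy_json(text):
    """Convenience wrapper for raw policy JSON as returned by the AWS CLI."""
    return find_overbroad_grants(json.loads(text))


# Constructed to mirror the broad grants this page describes (placeholder resource types).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["bedrock-agentcore:GetMemory", "bedrock-agentcore:RetrieveMemoryRecords"],
         "Resource": "arn:aws:bedrock-agentcore:*:memory/*"},
        {"Effect": "Allow", "Action": "bedrock-agentcore:InvokeCodeInterpreter",
         "Resource": "arn:aws:bedrock-agentcore:*:code-interpreter/*"},
        {"Effect": "Allow", "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
         "Resource": "arn:aws:ecr:*:repository/*"},
        {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    ],
}

# Least-privilege rewrite: one memory, one interpreter, one repository (placeholder IDs/names).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["bedrock-agentcore:GetMemory", "bedrock-agentcore:RetrieveMemoryRecords"],
         "Resource": "arn:aws:bedrock-agentcore:us-east-1:123456789012:memory/my-agent-memory"},
        {"Effect": "Allow", "Action": "bedrock-agentcore:InvokeCodeInterpreter",
         "Resource": "arn:aws:bedrock-agentcore:us-east-1:123456789012:code-interpreter/my-agent-ci"},
        {"Effect": "Allow", "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
         "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/my-agent"},
        {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        hits = find_overbroad_grants(policy)
        print(f"{name}: {len(hits)} over-broad grant(s)")
        for action, resource in hits:
            print(f"  {action} on {resource}")
```

The checker is intentionally conservative: a five-field ARN like the ones quoted on this page cannot be parsed into account and resource fields, so any wildcard in it is reported, and `NotAction`/`NotResource` statements are reported outright. Run against the broad policy it reports all five watched grants; against the scoped rewrite it reports none, even though `ecr:GetAuthorizationToken` remains on `*`, because that action cannot be scoped any tighter.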

Unit 42 disclosed their findings to the AWS Security team. In response, AWS updated the documentation for the starter toolkit to include a security warning, stating that the default roles are 'designed for development and testing purposes' and are not recommended for production deployment. The warning advises users to review and customize IAM policies to adhere to the principle of least privilege before deploying agents in production environments.

The discovery highlights a broader pattern of security risk in the rapid deployment of AI agents and "as-a-service" AI tooling. As organizations increasingly adopt AI agents for automation and decision-making, the default configurations of these tools often prioritize speed over security. The 'Agent God Mode' vulnerability serves as a stark reminder that IAM misconfigurations can have cascading effects, turning a single compromised agent into a gateway for widespread account compromise.

Palo Alto Networks customers are protected from these threats through Cortex AI-SPM and Cortex Cloud Identity Security. The Unit 42 team also offers AI Security Assessments and Cloud Security Assessments to help organizations identify and remediate similar risks. Organizations using the AWS Bedrock AgentCore starter toolkit are urged to review their IAM policies immediately and ensure that permissions are scoped to the minimum necessary resources.

Synthesized by Vypr AI