
AWS Bedrock AgentCore Toolkit Grants Overly Broad IAM Permissions, Enabling “Agent God Mode” Privilege Escalation

Unit 42 uncovered that the default IAM roles created by AWS Bedrock’s AgentCore starter toolkit provide sweeping account‑wide privileges. A compromised AI agent can exfiltrate images, read other agents’ memory, and invoke any code interpreter, posing a high‑severity risk for organizations using the toolkit.

LiveThreat™ Intelligence · April 09, 2026 · Source: unit42.paloaltonetworks.com
Severity: High · Type: Vulnerability · Confidence: High · Affected: 3 sector(s) · Actions: 4 recommended

What Happened – Palo Alto Unit 42 discovered that the default IAM roles created by the Amazon Bedrock AgentCore starter toolkit grant sweeping permissions across the entire AWS account. This mis‑configuration enables a compromised agent to exfiltrate ECR images, read other agents’ memory, invoke any code interpreter, and extract sensitive data – a condition the researchers label “Agent God Mode.”

Why It Matters for TPRM

  • Over‑privileged default roles violate the principle of least privilege, increasing third‑party risk for any organization that adopts the toolkit.
  • A single compromised AI agent can become a pivot point to access all other Bedrock workloads, potentially exposing proprietary models and data.
  • The issue is systemic across all accounts that use the default deployment configuration, affecting any downstream SaaS or internal services that rely on Bedrock agents.

Who Is Affected – Cloud service providers, enterprises running AI workloads on AWS Bedrock, SaaS vendors embedding Bedrock agents, and any MSPs managing such environments.

Recommended Actions

  • Review all Bedrock AgentCore deployments and replace default IAM roles with custom, least‑privilege policies.
  • Conduct a permissions audit of existing AgentCore runtimes and ECR repositories.
  • Enable AWS IAM Access Analyzer and enforce role‑based access controls for AI agents.
  • Update incident response playbooks to include detection of anomalous agent activity and DNS‑tunneling traffic.

Technical Notes – The vulnerability stems from the toolkit’s auto‑create logic that assigns AdministratorAccess‑style permissions to the AgentCore execution role, exposing ECR, S3, and other services. Attackers can leverage DNS tunneling to bypass the Code Interpreter sandbox and exfiltrate data. No CVE has been assigned; AWS has added a security warning to its documentation, noting the roles are intended only for development/testing. Source: https://unit42.paloaltonetworks.com/exploit-of-aws-agentcore-iam-god-mode/
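
A starting point for the permissions audit recommended above, as an added example that is not code from Unit 42, AWS or the toolkit: it flags Allow statements that grant ECR, S3 or AgentCore actions over account-wide resources. The `bedrock-agentcore` service prefix, the function names and the sample policy are assumptions made for illustration.

```python
# Added example: flag Allow statements granting ECR, S3 or AgentCore actions over
# account-wide resources. Assumption: "bedrock-agentcore" is the AgentCore IAM prefix.
SENSITIVE = frozenset({"ecr", "s3", "bedrock-agentcore"})

def _as_list(value):
    """IAM allows a single value or a list for Statement/Action/Resource."""
    return [] if value is None else value if isinstance(value, list) else [value]

def is_broad(resource):
    """True for "*", every bucket, or every resource of a type (repository/*)."""
    if resource == "*":
        return True
    parts = resource.split(":", 5)
    if len(parts) < 6:
        return False
    service, name = parts[2], parts[5]
    if service == "s3":
        return name.split("/", 1)[0] == "*"   # "bucket/*" is one bucket: not broad
    return name == "*" or name.split("/", 1)[-1] == "*"

def audit_policy(policy):
    """Return (sid, service, resource) findings in statement order."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        # Allow + NotAction / NotResource grants everything not listed: treat as "*".
        actions = ["*"] if "NotAction" in stmt else _as_list(stmt.get("Action"))
        resources = ["*"] if "NotResource" in stmt else _as_list(stmt.get("Resource"))
        services = set()
        for action in actions:
            svc = action.split(":", 1)[0].lower()
            services |= SENSITIVE if svc == "*" else {svc} & SENSITIVE
        for svc in sorted(services):
            for res in resources:
                if is_broad(res) and (res == "*" or res.split(":")[2:3] == [svc]):
                    findings.append((sid, svc, res))
    return findings

# Constructed sample, not the toolkit's actual role policy.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PullAnyImage", "Effect": "Allow",
     "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
     "Resource": "arn:aws:ecr:us-east-1:111122223333:repository/*"},
    {"Sid": "AgentCoreAll", "Effect": "Allow", "Action": "bedrock-agentcore:*", "Resource": "*"},
    {"Sid": "OwnBucket", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::agent-a-artifacts/*"},
]}
```

Run `audit_policy` over each policy document attached to an AgentCore execution role. `Condition` blocks are not evaluated, so a flagged statement may still be narrowed by a condition and needs manual review.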


This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
