AWS Bedrock Security Research Exposes Eight Dangerous AI Attack Paths
Security researchers at XM Cyber say the power that makes AWS Bedrock useful for enterprise AI can also make it risky.
How the Attack Works
Bedrock connects foundation models to company data, SaaS tools, cloud functions, and automated workflows.
In a report on secure agentic AI applications, the XM Cyber threat research team said that connectivity creates eight validated attack vectors that can let an intruder move from a low-level permission to sensitive data, administrative control, or even wider cloud compromise.
The first risk sits in model invocation logs. Bedrock records model activity for auditing and compliance, but XM Cyber said attackers can abuse that log path in two ways.
- If they can read the S3 bucket that stores logs, they may be able to harvest prompts and responses directly.
- If they have access to bedrock:PutModelInvocationLoggingConfiguration, they can redirect those logs to a bucket they control.
- XM Cyber also said permissions such as s3:DeleteObject or logs:DeleteLogStream can erase evidence of jailbreak attempts and make forensics much harder.
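The three log-path abuses above each leave a CloudTrail record, so they are detectable. The following is an added example (not XM Cyber's or Hackread's code) that runs the corresponding checks over constructed CloudTrail events: a PutModelInvocationLoggingConfiguration call whose destination is not an approved bucket or log group, a DeleteLogStream against the invocation log group, and a DeleteObject on the log bucket. The bucket and log-group names, and the exact shape of the requestParameters fields, are assumptions for the example.

```python
"""Detect tampering with Bedrock model-invocation logging in CloudTrail records.

Added example; the events below are constructed, not real captures.
"""

# Where invocation logs are expected to land (assumed names).
APPROVED_LOG_BUCKETS = {"corp-bedrock-invocation-logs"}
APPROVED_LOG_GROUPS = {"/aws/bedrock/invocation"}

# Constructed CloudTrail records, trimmed to the fields the checks use.
SAMPLE_EVENTS = [
    {   # benign: logging pointed at the approved bucket
        "eventID": "evt-1", "eventSource": "bedrock.amazonaws.com",
        "eventName": "PutModelInvocationLoggingConfiguration",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/platform-admin"},
        "requestParameters": {"loggingConfig": {"s3Config": {"bucketName": "corp-bedrock-invocation-logs"}}},
    },
    {   # suspicious: logs redirected to a bucket outside the allowlist
        "eventID": "evt-2", "eventSource": "bedrock.amazonaws.com",
        "eventName": "PutModelInvocationLoggingConfiguration",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
        "requestParameters": {"loggingConfig": {"s3Config": {"bucketName": "unrelated-bucket-xyz"}}},
    },
    {   # suspicious: a stream in the invocation log group deleted
        "eventID": "evt-3", "eventSource": "logs.amazonaws.com",
        "eventName": "DeleteLogStream",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
        "requestParameters": {"logGroupName": "/aws/bedrock/invocation", "logStreamName": "aws/bedrock/modelinvocations"},
    },
    {   # benign: object deleted in an unrelated bucket
        "eventID": "evt-4", "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteObject",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-deploy"},
        "requestParameters": {"bucketName": "corp-app-assets", "key": "old/build.zip"},
    },
    {   # suspicious: object deleted from the invocation log bucket
        "eventID": "evt-5", "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteObject",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
        "requestParameters": {"bucketName": "corp-bedrock-invocation-logs", "key": "AWSLogs/2024/05/01/invocations.json.gz"},
    },
]


def check_event(event):
    """Return a list of finding strings for one CloudTrail record (empty if benign)."""
    findings = []
    name = event.get("eventName")
    src = event.get("eventSource")
    params = event.get("requestParameters") or {}
    actor = event.get("userIdentity", {}).get("arn", "unknown")

    if src == "bedrock.amazonaws.com" and name == "PutModelInvocationLoggingConfiguration":
        cfg = params.get("loggingConfig") or {}
        bucket = (cfg.get("s3Config") or {}).get("bucketName")
        group = (cfg.get("cloudWatchConfig") or {}).get("logGroupName")
        if bucket and bucket not in APPROVED_LOG_BUCKETS:
            findings.append(f"log redirect: {actor} pointed S3 invocation logs at {bucket}")
        if group and group not in APPROVED_LOG_GROUPS:
            findings.append(f"log redirect: {actor} pointed CloudWatch invocation logs at {group}")
        if not bucket and not group:
            findings.append(f"logging disabled: {actor} removed every log destination")
    elif src == "logs.amazonaws.com" and name == "DeleteLogStream":
        if params.get("logGroupName") in APPROVED_LOG_GROUPS:
            findings.append(f"evidence deletion: {actor} deleted stream {params.get('logStreamName')}")
    elif src == "s3.amazonaws.com" and name in ("DeleteObject", "DeleteObjects"):
        if params.get("bucketName") in APPROVED_LOG_BUCKETS:
            findings.append(f"evidence deletion: {actor} deleted {params.get('key')} from the log bucket")
    return findings


def scan(events):
    """Map eventID -> findings for every record that produced at least one finding."""
    result = {}
    for event in events:
        hits = check_event(event)
        if hits:
            result[event["eventID"]] = hits
    return result


if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        for hit in hits:
            print(event_id, hit)
```

In production the same three checks would be expressed as CloudTrail-based alerts (for example EventBridge rules or GuardDuty-adjacent SIEM queries); the allowlist of approved destinations is the part that has to be maintained, because without it a legitimate relocation of the log bucket looks identical to a redirect.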
Knowledge Bases and Data Stores
From there, the researchers moved to Knowledge Bases, which use retrieval augmented generation to connect models to internal sources like S3 buckets, Salesforce, SharePoint, and Confluence.
XM Cyber said a user with s3:GetObject access to a data source could bypass the model and pull the raw data directly.
In some cases, secrets used to connect Bedrock to SaaS systems can be decrypted and stolen, which could even create a path into Active Directory if SharePoint credentials are reused or trusted upstream.
The team also examined the data stores behind those Knowledge Bases.
With vector databases such as Pinecone and Redis Enterprise Cloud, XM Cyber said attackers who can reach the credentials and network endpoints may be able to extract endpoint values and API keys from the StorageConfiguration object returned by the bedrock:GetKnowledgeBase API.
That can lead to full administrative access to the vector index.
For AWS native stores like Aurora and Redshift, stolen credentials can open the entire structured knowledge base.
Bedrock Agents
Bedrock Agents create another layer of exposure.
XM Cyber said an attacker with bedrock:UpdateAgent or bedrock:CreateAgent permissions can rewrite the agent base prompt and force it to reveal its internal instructions and tool schema.
With bedrock:CreateAgentActionGroup, the attacker can attach a malicious executor to a legitimate agent, which may allow unauthorized database changes or user creation while hiding inside what looks like a normal AI workflow.
The same idea works indirectly too.
If an attacker can use lambda:UpdateFunctionCode or lambda:PublishLayer, they can plant malicious code in the Lambda functions that agents call, then exfiltrate data or alter responses from the inside.
Flows
Flows are also a target.
XM Cyber said Bedrock Flows can be changed with bedrock:UpdateFlow to add a sidecar S3 Storage Node or Lambda Function Node into the main data path.
That can quietly copy sensitive inputs and outputs to an attacker-controlled endpoint.
The researchers also found that Condition Nodes, which enforce business rules, can be modified to bypass authorization logic.
In a more advanced move, an attacker can swap the Customer Managed Key for a flow and make future flow states encrypt with the attacker’s key.
Guardrails and Prompt Management
Guardrails and prompt management round out the list.
Guardrails are meant to block toxic content, stop prompt injection, and redact personal data, but XM Cyber said bedrock:UpdateGuardrail can lower those protections and bedrock:DeleteGuardrail can remove them completely.
Managed prompts are no safer if an attacker gets bedrock:UpdatePrompt.
By poisoning a shared template, an attacker can make every app or agent that uses that prompt follow malicious instructions, such as leaking PII or adding unwanted links, without triggering a redeployment.
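Every vector in the sections above, from log redirection through agents, Lambda, flows, guardrails and prompts, hinges on a specific IAM action being granted. The following added example (not XM Cyber's or Hackread's code) audits IAM policy documents for those actions, expanding wildcards such as bedrock:* and honouring unconditional explicit Deny statements. The two policies are constructed; the action list is taken from the article, with lambda:PublishLayerVersion used as the IAM action name for what the article calls lambda:PublishLayer.

```python
"""Flag IAM policy statements that grant the Bedrock and Lambda actions the article
lists as attack vectors. Added example with constructed policy documents."""
import fnmatch

# Actions named in the article, with the capability each gives an over-privileged identity.
HIGH_RISK_ACTIONS = {
    "bedrock:PutModelInvocationLoggingConfiguration": "redirect or disable invocation logs",
    "logs:DeleteLogStream": "erase CloudWatch evidence",
    "s3:DeleteObject": "erase S3 log evidence",
    "bedrock:GetKnowledgeBase": "read vector-store endpoints and keys from StorageConfiguration",
    "bedrock:UpdateAgent": "rewrite an agent's base prompt",
    "bedrock:CreateAgent": "create an agent with attacker-chosen instructions",
    "bedrock:CreateAgentActionGroup": "attach an executor to a legitimate agent",
    "lambda:UpdateFunctionCode": "replace code behind agent tools",
    "lambda:PublishLayerVersion": "publish a layer used by agent tools (article: lambda:PublishLayer)",
    "bedrock:UpdateFlow": "add nodes or change conditions in a flow",
    "bedrock:UpdateGuardrail": "weaken guardrail filters",
    "bedrock:DeleteGuardrail": "remove guardrails",
    "bedrock:UpdatePrompt": "poison a shared managed prompt",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy):
    """Return findings for each high-risk action an Allow statement grants.

    Conservative choices: a Deny only cancels a grant when it carries no Condition,
    and an Allow with NotAction is treated as granting everything it does not list.
    """
    allows, denies = {}, set()
    for stmt in _as_list(policy.get("Statement", [])):
        effect = stmt.get("Effect")
        patterns = _as_list(stmt.get("Action", []))
        not_patterns = _as_list(stmt.get("NotAction", []))
        for action in HIGH_RISK_ACTIONS:
            covered = any(_matches(p, action) for p in patterns) or (
                bool(not_patterns) and not any(_matches(p, action) for p in not_patterns))
            if not covered:
                continue
            if effect == "Deny" and "Condition" not in stmt:
                denies.add(action)
            elif effect == "Allow":
                allows.setdefault(action, []).append(
                    (stmt.get("Sid", "<no sid>"), _as_list(stmt.get("Resource", "*"))))
    return [
        {"action": action, "why": HIGH_RISK_ACTIONS[action], "sid": sid, "resource": resource}
        for action, grants in sorted(allows.items()) if action not in denies
        for sid, resource in grants
    ]


# Constructed policy: looks read-only, but GetKnowledgeBase exposes vector-store credentials.
READONLY_ANALYST = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Read", "Effect": "Allow",
                   "Action": ["bedrock:InvokeModel", "bedrock:ListFoundationModels", "bedrock:GetKnowledgeBase"],
                   "Resource": "*"}],
}

# Constructed policy: broad wildcards with one explicit Deny.
OVERPRIVILEGED_DEV = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Dev", "Effect": "Allow", "Action": ["bedrock:*", "lambda:*"], "Resource": "*"},
        {"Sid": "KeepGuardrails", "Effect": "Deny", "Action": "bedrock:DeleteGuardrail", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    for name, policy in (("READONLY_ANALYST", READONLY_ANALYST), ("OVERPRIVILEGED_DEV", OVERPRIVILEGED_DEV)):
        print(name)
        for f in audit_policy(policy):
            print(f"  {f['sid']}: {f['action']} on {f['resource']} -> {f['why']}")
```

Run against real policies by feeding in the document returned by the IAM get-policy-version or get-role-policy calls; the audit deliberately does not evaluate Conditions, resource ARNs or permission boundaries, so its output is a list of grants to review, not a proof that they are exploitable.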
Why This Matters
XM Cyber said the common thread is not the model itself, but the permissions and integrations around it.
As the researchers put it, a single overprivileged identity can be enough to redirect logs, hijack an agent, poison a prompt, or reach critical systems from inside Bedrock.
That warning fits a separate incident described by the Sysdig Threat Research Team, which said an attacker took over a cloud environment in just eight minutes after finding test credentials in a public S3 bucket.
Sysdig said the attacker used read-only access to scout the environment, then moved through Lambda functions to gain full administrative control.
What AWS Said
After that breach, an AWS spokesperson told Hackread.com, “AWS services and infrastructure are not affected by this issue, and they operated as designed throughout the incident described.”
The spokesperson added, “We recommend all customers secure their cloud resources by following security, identity, and compliance best practices, including never opening up public access to S3 buckets or any storage service, least privilege access, secure credential management, and enabling monitoring services like GuardDuty, to reduce risks of unauthorized activity.”
Industry Reactions
Industry experts said the speed of these attacks should change how teams think about cloud defense.
- Ram Varadarajan, CEO at Acalvio, said organizations must accept that “the speed of the breach has shifted from days to minutes.”
- Shane Barney, Chief Information Security Officer at Keeper Security, said the problem is structural, noting that “AI does not invent new attack vectors here. It removes hesitation.”
- Jason Soroko, Senior Fellow at Sectigo, said the breach started with a “mundane error” because valid credentials were left exposed in public S3 buckets.
What Security Teams Should Do
For security teams, the message is clear.
AI systems need the same discipline as any other critical infrastructure, with least privilege access, strong monitoring, careful secret handling, and constant review of what each model, agent, and workflow can touch.