We Discovered Eight Attack Vectors in AWS Bedrock. Here's What Attackers Could Do With Them
- Mar 24
- 4 min read
Key Findings
- Eight validated attack vectors discovered across AWS Bedrock environments, spanning log manipulation, knowledge base compromise, agent hijacking, flow injection, guardrail degradation, and prompt poisoning
- Attack chains begin with low-level permissions and escalate to reach critical enterprise assets including Salesforce, SharePoint, Active Directory, and databases
- Knowledge bases and agents represent the highest-value targets due to their direct connectivity to proprietary data sources and integrated SaaS platforms
- Credential theft is a common attack pattern across multiple vectors, particularly affecting vector database and SaaS integrations
- Log manipulation enables attackers to eliminate forensic evidence of jailbreaking and unauthorized model access
Background
AWS Bedrock is Amazon's managed service for building AI-powered applications. The platform provides developers with access to foundation models and tools to integrate those models directly with enterprise data sources and business systems. This connectivity - the ability for AI agents to query Salesforce, trigger Lambda functions, or pull from SharePoint - is what makes Bedrock powerful for enterprises. It's also what makes it a security target. When an AI agent becomes a node in your infrastructure with actual permissions and reachability to critical systems, it opens new attack pathways that traditional security controls may not address.
The XM Cyber threat research team conducted a comprehensive analysis of the full Bedrock stack to map these pathways. Each attack vector discovered starts with achievable permissions and potentially ends with unauthorized access to sensitive enterprise systems.
Model Invocation Log Attacks
Bedrock can record every model invocation (request and response bodies plus metadata) to S3, CloudWatch Logs, or both, for compliance and auditing. The feature is off by default and is configured once per account and Region. Once it is on, those logs become a shadow attack surface that threat actors can exploit in several ways.
An attacker with read access to the S3 bucket (or the CloudWatch log group) holding these logs can harvest prompts and completions directly from what has already been recorded. If that fails, the bedrock:PutModelInvocationLoggingConfiguration permission lets them rewrite the account's logging configuration so that all future logs are delivered to an attacker-controlled bucket, creating a silent channel through which every prompt and response flows to the attacker. Because the configuration is account-wide per Region, a single call redirects the traffic of every Bedrock application in that Region; the destination only needs a bucket policy that lets the Bedrock service principal write to it, which an attacker simply sets on their own bucket. The companion action bedrock:DeleteModelInvocationLoggingConfiguration turns logging off outright.
A second variant targets log destruction. With s3:DeleteObject on the log bucket or logs:DeleteLogStream on the log group, an attacker can scrub evidence of jailbreaking attempts and unauthorized model access, erasing the forensic trail of their own actions. Both variants leave their own trace in CloudTrail (the management calls above, and the S3 deletes if data events are enabled for the bucket), which is where detection has to happen; write-once storage such as S3 Object Lock on the log bucket removes the delete option altogether.
Knowledge Base Attacks - Data Source
Bedrock Knowledge Bases connect foundation models to enterprise data through Retrieval Augmented Generation (RAG). The data sources feeding them (S3 buckets, Salesforce instances, SharePoint libraries, and Confluence spaces) are reachable through the knowledge base's service role, so anyone who can read what that role reads has no need for the model at all.
An attacker with s3:GetObject on a knowledge base's S3 data source bypasses the model entirely and pulls the raw documents from the underlying bucket. This is particularly dangerous because it sidesteps every safeguard built into the model layer: guardrails, system prompts and response filtering only apply to requests that actually pass through the model.
More critically, the SaaS connectors authenticate with credentials that Bedrock reads from AWS Secrets Manager; the data source configuration carries the secret's ARN (credentialsSecretArn), not the credential itself. An attacker who can retrieve that secret (secretsmanager:GetSecretValue on it, plus kms:Decrypt where it is encrypted under a customer-managed key) or who can assume the knowledge base role holds exactly the SharePoint, Salesforce or Confluence credentials the service holds. In the SharePoint case this creates a pathway for lateral movement into Active Directory (for SharePoint Online, the Microsoft Entra ID tenant behind the app registration) and the other enterprise systems connected to it.
Knowledge Base Attacks - Data Store
While data sources are where information originates, data stores are where ingested information lives after processing: chunked, embedded, and queryable in real time. Bedrock integrates with third-party vector databases such as Pinecone and Redis Enterprise Cloud, and the credentials stored for them are often the weakest link.
An attacker with bedrock:GetKnowledgeBase can read the knowledge base's StorageConfiguration, which exposes the store's connection string or endpoint together with the ARN of the Secrets Manager secret holding its API key (the key itself is not returned by the API). With secretsmanager:GetSecretValue on that secret and network reachability to the endpoint, the attacker gains the same access the knowledge base has, which for these stores is typically full administrative control over the vector indices and the knowledge they contain.
For AWS-native stores such as Aurora PostgreSQL (via RDS) and Redshift the pattern is the same: the database credentials referenced by the configuration give direct SQL access to the entire structured knowledge base, embeddings and source text included, without ever touching the model. OpenSearch Serverless is the exception, since it is authorized through IAM and a collection data access policy rather than a stored credential.
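The two knowledge base sections above describe the same pattern from two sides: read-only Bedrock permissions reveal where the data and the credentials live, and a second permission turns that into access. The script below is an added example (not tooling from this page or from XM Cyber) that walks the response shapes of the bedrock-agent GetKnowledgeBase and GetDataSource APIs, using the field names AWS documents for them, and lists every secret ARN, bucket, endpoint and database an attacker holding only bedrock:GetKnowledgeBase and bedrock:GetDataSource would learn about, along with what they need next to use it. The knowledge base, data sources, ARNs and hostnames are constructed; against a real account you would pass get_knowledge_base()["knowledgeBase"] and the get_data_source()["dataSource"] entries instead.

```python
"""Inventory the credential surface a Bedrock knowledge base exposes.

Added example, not code from the page or from XM Cyber. All sample
resources below are constructed.
"""
from dataclasses import dataclass

SECRET_KEY = "credentialsSecretArn"
BUCKET_KEY = "bucketArn"
RDS_KEY = "resourceArn"
ENDPOINT_KEYS = {"connectionString", "endpoint", "hostUrl", "siteUrls", "collectionArn"}


@dataclass(frozen=True)
class Exposure:
    kind: str    # secret | bucket | endpoint | rds
    value: str
    needs: str   # what an attacker must hold to turn this into access


def _walk(obj, path=""):
    """Yield (dotted path, leaf) for every scalar in a nested dict/list."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _walk(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from _walk(val, f"{path}[{idx}]")
    else:
        yield path, obj


def _leaf_key(path):
    """'ds[1].sourceConfiguration.siteUrls[0]' -> 'siteUrls'."""
    return path.rsplit(".", 1)[-1].split("[", 1)[0]


def credential_surface(knowledge_base, data_sources):
    """Every secret, bucket, endpoint and database the two read-only calls reveal."""
    found = set()
    for path, value in _walk({"kb": knowledge_base, "ds": data_sources}):
        if not isinstance(value, str):
            continue
        key = _leaf_key(path)
        if key == SECRET_KEY:
            found.add(Exposure("secret", value,
                               "secretsmanager:GetSecretValue (plus kms:Decrypt under a customer-managed key)"))
        elif key == BUCKET_KEY:
            found.add(Exposure("bucket", value, "s3:ListBucket on the bucket, s3:GetObject on its objects"))
        elif key == RDS_KEY and "rdsConfiguration" in path:
            found.add(Exposure("rds", value,
                               "the referenced secret plus rds-data:ExecuteStatement or network access"))
        elif key in ENDPOINT_KEYS:
            found.add(Exposure("endpoint", value,
                               "network reachability plus the matching secret "
                               "(OpenSearch Serverless: an aoss data access policy entry instead)"))
    return sorted(found, key=lambda e: (e.kind, e.value))


def required_actions(exposures):
    """Distinct IAM actions needed beyond bedrock:GetKnowledgeBase / GetDataSource."""
    table = {"secret": {"secretsmanager:GetSecretValue"},
             "bucket": {"s3:ListBucket", "s3:GetObject"},
             "rds": {"secretsmanager:GetSecretValue", "rds-data:ExecuteStatement"},
             "endpoint": set()}
    return sorted(set().union(*(table[e.kind] for e in exposures)))


# Constructed, shaped like get_knowledge_base()["knowledgeBase"].
SAMPLE_KB = {
    "knowledgeBaseId": "KB0EXAMPLE",
    "roleArn": "arn:aws:iam::111122223333:role/AmazonBedrockExecutionRoleForKnowledgeBase_demo",
    "storageConfiguration": {
        "type": "PINECONE",
        "pineconeConfiguration": {
            "connectionString": "https://demo-index-abc123.svc.example.pinecone.io",
            "credentialsSecretArn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:bedrock/pinecone-AbCdEf",
            "fieldMapping": {"textField": "text", "metadataField": "metadata"},
        },
    },
}
# Constructed, shaped like get_data_source()["dataSource"] entries.
SAMPLE_DATA_SOURCES = [
    {"dataSourceId": "DS1EXAMPLE", "dataSourceConfiguration": {
        "type": "S3", "s3Configuration": {"bucketArn": "arn:aws:s3:::demo-kb-documents"}}},
    {"dataSourceId": "DS2EXAMPLE", "dataSourceConfiguration": {
        "type": "SHAREPOINT", "sharePointConfiguration": {"sourceConfiguration": {
            "tenantId": "00000000-0000-0000-0000-000000000000", "domain": "demo",
            "siteUrls": ["https://demo.sharepoint.com/sites/finance"],
            "hostType": "ONLINE", "authType": "OAUTH2_CLIENT_CREDENTIALS",
            "credentialsSecretArn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:bedrock/sharepoint-XyZ123"}}}},
]

if __name__ == "__main__":
    surface = credential_surface(SAMPLE_KB, SAMPLE_DATA_SOURCES)
    for e in surface:
        print(f"{e.kind:9} {e.value}\n{'':9} needs: {e.needs}")
    print("extra IAM actions:", required_actions(surface))
```

Running it over the constructed sample yields two Secrets Manager secrets (Pinecone and SharePoint), one S3 bucket and two endpoints, and the only IAM actions an attacker needs on top of the two Bedrock reads are secretsmanager:GetSecretValue, s3:ListBucket and s3:GetObject. Reviewing who holds those actions on those specific ARNs is the practical least-privilege check for this pair of vectors.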
Agent Attacks - Direct
Bedrock Agents are orchestrators that complete tasks by calling tools (action groups backed by Lambda functions, or returned to the caller) and knowledge bases. An attacker with bedrock:UpdateAgent, or with bedrock:CreateAgent plus iam:PassRole on an existing agent role, can rewrite an agent's instruction prompt to make it disclose its internal instructions and tool schemas, revealing exactly what the agent can do and which systems it can reach. The edit lands in the agent's DRAFT version, so taking over what a production alias serves typically also needs bedrock:PrepareAgent and the ability to create or repoint an alias (bedrock:CreateAgentAlias or bedrock:UpdateAgentAlias).
Combined with bedrock:CreateAgentActionGroup, the same access lets an attacker attach an action group whose executor is a Lambda function they control to a legitimate agent; the function needs a resource-based policy allowing bedrock.amazonaws.com to invoke it, which lambda:AddPermission provides. The agent then performs whatever the tool does, whether database modifications, user account creation or outbound requests, in the course of what looks like normal AI workflow activity, with the function's own execution role supplying the permissions.
Agent Attacks - Indirect
Instead of modifying the agent itself, indirect attacks target the infrastructure it depends on. An attacker with lambda:UpdateFunctionCode can deploy malicious code straight into the Lambda function the agent's action group invokes; no Bedrock permission is involved and the agent configuration is untouched.
A variant uses lambda:PublishLayerVersion to publish a layer carrying poisoned dependencies and lambda:UpdateFunctionConfiguration to attach it to the same function (the IAM action is PublishLayerVersion, not "PublishLayer", and a layer does nothing until it is listed in the function's configuration). Both paths put attacker code inside every tool call, where it can exfiltrate the event payload Bedrock hands the function, rewrite the tool's response to steer the model toward harmful output, or trigger unauthorized actions with the function's execution role.
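Both indirect paths change something GetFunctionConfiguration reports: UpdateFunctionCode changes CodeSha256, and a published-and-attached layer appears as a new layer version ARN. The script below is an added example (not code from this page or from XM Cyber) that reproduces how Lambda derives CodeSha256 (base64 of the SHA-256 of the deployment zip) and compares a live function configuration against a signed-off baseline, so that a code push, an extra layer version, or a changed handler, runtime or role surfaces as drift. The function name, role, layer ARNs, source files and configurations are constructed; in production the live side is boto3's get_function_configuration() output and the baseline is kept somewhere the function's editors cannot write.

```python
"""Pin what an agent's tool Lambda is allowed to run.

Added example, not code from the page or from XM Cyber. All sample
resources below are constructed.
"""
import base64
import hashlib
import io
import zipfile


def build_zip(files):
    """Deterministic zip (fixed timestamps) so identical sources hash identically."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in sorted(files.items()):
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            zf.writestr(info, body, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def code_sha256(package):
    """Same encoding Lambda reports as CodeSha256 for a deployment package."""
    return base64.b64encode(hashlib.sha256(package).digest()).decode()


def lambda_drift(baseline, live):
    """Human-readable findings; an empty list means the function matches the baseline."""
    findings = []
    if live["CodeSha256"] != baseline["CodeSha256"]:
        findings.append(f"CodeSha256 changed: {baseline['CodeSha256']} -> {live['CodeSha256']}")
    live_layers = {layer["Arn"] for layer in live.get("Layers", [])}
    for arn in sorted(live_layers - set(baseline["Layers"])):
        findings.append(f"unexpected layer attached: {arn}")
    for arn in sorted(set(baseline["Layers"]) - live_layers):
        findings.append(f"approved layer missing: {arn}")
    for field in ("Handler", "Runtime", "Role"):
        if live.get(field) != baseline[field]:
            findings.append(f"{field} changed: {baseline[field]} -> {live.get(field)}")
    return findings


ROLE = "arn:aws:iam::111122223333:role/agent-order-tools-exec"                  # constructed
APPROVED_LAYER = "arn:aws:lambda:us-east-1:111122223333:layer:approved-deps:3"  # constructed

# The reviewed tool code; Bedrock passes the tool parameters in `event`.
APPROVED_SOURCE = {"handler.py": (
    "def lambda_handler(event, context):\n"
    "    return {'messageVersion': '1.0', 'response': {'status': 'ok'}}\n")}
BASELINE = {
    "CodeSha256": code_sha256(build_zip(APPROVED_SOURCE)),
    "Handler": "handler.lambda_handler", "Runtime": "python3.12",
    "Role": ROLE, "Layers": [APPROVED_LAYER],
}

# What GetFunctionConfiguration would show after the indirect attack:
# replaced code plus a layer version nobody approved (PublishLayerVersion
# always mints a new version number, so it shows up as a new ARN).
TAMPERED_SOURCE = {"handler.py": APPROVED_SOURCE["handler.py"] + "# attacker addition: copy event elsewhere\n"}
LIVE_AFTER_ATTACK = {
    "FunctionName": "agent-order-tools",
    "CodeSha256": code_sha256(build_zip(TAMPERED_SOURCE)),
    "Handler": "handler.lambda_handler", "Runtime": "python3.12", "Role": ROLE,
    "Layers": [{"Arn": APPROVED_LAYER, "CodeSize": 4096},
               {"Arn": "arn:aws:lambda:us-east-1:111122223333:layer:approved-deps:4", "CodeSize": 4200}],
}
LIVE_CLEAN = dict(LIVE_AFTER_ATTACK, CodeSha256=BASELINE["CodeSha256"],
                  Layers=[{"Arn": APPROVED_LAYER, "CodeSize": 4096}])

if __name__ == "__main__":
    for label, cfg in (("clean", LIVE_CLEAN), ("after attack", LIVE_AFTER_ATTACK)):
        print(label, lambda_drift(BASELINE, cfg) or ["no drift"])
```

The check is only as good as where the baseline lives: an attacker with lambda:UpdateFunctionCode who can also edit the baseline simply updates both, so the baseline belongs with the deployment pipeline, not beside the function. The same comparison can be driven from a scheduled job that reads every function an agent's action groups reference.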
Flow Attacks
Bedrock Flows define the sequence of nodes a request passes through to complete a task. An attacker with bedrock:UpdateFlow can insert a sidecar node, either an S3 storage node or a Lambda function node, directly into a critical workflow's main data path, copying sensitive inputs and outputs to attacker-controlled endpoints while the application's logic keeps working and nothing obvious breaks. As with agents, the edit lands in the flow's draft; reaching the version a production alias points at additionally takes bedrock:PrepareFlow, bedrock:CreateFlowVersion and bedrock:UpdateFlowAlias.
The same access can alter the condition nodes that enforce business rules, bypassing authorization checks hardcoded in the flow and letting unauthorized requests reach sensitive downstream systems. A third variant targets encryption: UpdateFlow can swap the flow's customer-managed KMS key (customerEncryptionKeyArn) for one the attacker controls or can decrypt with, giving them a key that works against the flow data Bedrock encrypts at rest under it. Transport is TLS regardless of which key is configured, so this is an at-rest problem, not an in-transit one.
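Every vector in the logging, agent (direct and indirect) and flow sections is a control-plane change, and each one is a CloudTrail management event. The script below is an added example (not detection content from this page or from XM Cyber) that triages such records in one pass: every record whose eventName maps to one of those vectors becomes a finding, the logging-redirection and log-deletion cases are inspected more closely, and calls from the approved deployment principal are kept for review but downgraded. The rule table, the protected log bucket name, the trusted principal and the eight records are constructed; in practice the records come from a CloudTrail Lake query or the trail's S3 objects, and the S3 DeleteObject(s) events only exist if data events are enabled for the log bucket.

```python
"""Triage CloudTrail for the Bedrock control-plane calls behind the vectors above.

Added example, not code from the page or from XM Cyber. Rule table,
bucket, principals and records are constructed.
"""
import re
from dataclasses import dataclass

VECTORS = {
    "log redirection": ["PutModelInvocationLoggingConfiguration"],
    "log destruction": ["DeleteModelInvocationLoggingConfiguration", "DeleteLogStream",
                        "DeleteLogGroup", "DeleteObject", "DeleteObjects"],
    "agent hijack (direct)": ["UpdateAgent", "CreateAgentActionGroup", "UpdateAgentActionGroup",
                              "PrepareAgent", "UpdateAgentAlias"],
    "agent hijack (indirect)": ["UpdateFunctionCode", "UpdateFunctionConfiguration",
                                "PublishLayerVersion"],
    "flow injection": ["UpdateFlow", "PrepareFlow", "UpdateFlowAlias"],
}
RULE = {name: vector for vector, names in VECTORS.items() for name in names}

PROTECTED_LOG_BUCKETS = {"corp-bedrock-invocation-logs"}   # constructed
TRUSTED_PRINCIPALS = {"assumed-role/ci-deploy/"}            # constructed


@dataclass(frozen=True)
class Finding:
    severity: str
    vector: str
    event: str
    principal: str
    detail: str


def base_event_name(event_name):
    """Lambda event names carry an API-version suffix, e.g. UpdateFunctionCode20150331v2."""
    return re.match(r"[A-Za-z]+", event_name).group(0)


def triage(records):
    findings = []
    for rec in records:
        name = base_event_name(rec["eventName"])
        vector = RULE.get(name)
        if vector is None:
            continue
        params = rec.get("requestParameters") or {}
        principal = rec["userIdentity"].get("arn", rec["userIdentity"].get("type", "unknown"))
        severity, detail = "high", rec["eventSource"]
        if name == "PutModelInvocationLoggingConfiguration":
            bucket = params.get("loggingConfig", {}).get("s3Config", {}).get("bucketName")
            if bucket is None:
                detail = "S3 delivery removed from the logging configuration"
            elif bucket in PROTECTED_LOG_BUCKETS:
                detail = f"logging re-pointed at approved bucket {bucket}"
            else:
                severity, detail = "critical", f"logs now delivered to s3://{bucket}"
        elif name == "DeleteModelInvocationLoggingConfiguration":
            severity, detail = "critical", "model invocation logging disabled"
        elif name in ("DeleteObject", "DeleteObjects"):
            if params.get("bucketName") not in PROTECTED_LOG_BUCKETS:
                continue            # deletes elsewhere are not this detection's concern
            detail = f"objects deleted from log bucket {params['bucketName']}"
        if any(p in principal for p in TRUSTED_PRINCIPALS):
            severity = "info"       # expected change path; keep for review only
        findings.append(Finding(severity, vector, name, principal, detail))
    return findings


def make_record(source, name, principal, params):
    """Minimal CloudTrail-shaped record (constructed)."""
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"arn": principal}, "requestParameters": params}


CONTRACTOR = "arn:aws:iam::111122223333:user/dev-contractor"                 # constructed
PIPELINE = "arn:aws:sts::111122223333:assumed-role/ci-deploy/pipeline"        # constructed
SAMPLE_RECORDS = [
    make_record("bedrock.amazonaws.com", "PutModelInvocationLoggingConfiguration", CONTRACTOR,
                {"loggingConfig": {"s3Config": {"bucketName": "invoice-archive-4821", "keyPrefix": "bedrock/"},
                                   "textDataDeliveryEnabled": True}}),
    make_record("logs.amazonaws.com", "DeleteLogStream", CONTRACTOR,
                {"logGroupName": "/aws/bedrock/modelinvocations", "logStreamName": "aws/bedrock/modelinvocations"}),
    make_record("s3.amazonaws.com", "DeleteObjects", CONTRACTOR, {"bucketName": "corp-bedrock-invocation-logs"}),
    make_record("bedrock.amazonaws.com", "UpdateAgent", PIPELINE, {"agentId": "AGENT1EXAMPLE"}),
    make_record("bedrock.amazonaws.com", "CreateAgentActionGroup", CONTRACTOR,
                {"agentId": "AGENT1EXAMPLE", "actionGroupName": "support-tools"}),
    make_record("lambda.amazonaws.com", "UpdateFunctionCode20150331v2", CONTRACTOR, {"functionName": "agent-order-tools"}),
    make_record("bedrock.amazonaws.com", "UpdateFlow", CONTRACTOR, {"flowIdentifier": "FLOW1EXAMPLE"}),
    make_record("bedrock.amazonaws.com", "InvokeModel", PIPELINE, {"modelId": "amazon.titan-text-express-v1"}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"[{f.severity:8}] {f.vector:24} {f.event:40} {f.principal.rsplit('/', 1)[-1]:14} {f.detail}")
```

On the constructed records this produces seven findings: the logging redirection to an unapproved bucket is critical, the log-stream and log-bucket deletions, the new action group, the Lambda code push and the flow edit are high, the pipeline's UpdateAgent is recorded as info, and the InvokeModel call is ignored. The trusted-principal downgrade is deliberately a substring match on the role session ARN rather than a drop, so a compromised pipeline role still leaves a reviewable trail.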
Sources
https://thehackernews.com/2026/03/we-found-eight-attack-vectors-inside.html
https://www.youtube.com/watch?v=zBpSKOc51CA