{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/amazon-bedrock-agentcore/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon Bedrock AgentCore"],"_cs_severities":["high"],"_cs_tags":["cloud-security","llm","ai","prompt-injection","credential-access","data-exfiltration"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis threat brief details attempts to weaponize Amazon Bedrock AgentCore runtimes for credential theft and data exfiltration. Attackers craft malicious prompts targeting the agent to either extract sensitive information directly or coerce it into revealing internal system details. The threat leverages prompt injection techniques to bypass agent guardrails and access cloud instance metadata services (IMDS), AWS access and secret keys, or to exfiltrate data to external endpoints. While the agent may refuse these requests, the very attempt is a strong indicator of malicious intent, as a misconfigured or highly capable agent could comply, leading to the compromise of AWS resources. This activity highlights the importance of securing AI agents and monitoring their interactions for suspicious prompts that could lead to credential access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance \u0026amp; Crafting\u003c/strong\u003e: An attacker researches AWS Bedrock AgentCore capabilities and identifies potential weaknesses for prompt injection or data exfiltration. They craft a malicious prompt designed to access sensitive information.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (Prompt Delivery)\u003c/strong\u003e: The attacker sends the crafted prompt to the Bedrock AgentCore runtime (e.g., via a web application frontend, API gateway, or direct \u003ccode\u003eInvokeAgentRuntime\u003c/code\u003e call).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInstruction Injection\u003c/strong\u003e: The AgentCore runtime processes the prompt, which contains instructions referencing cloud instance metadata service IPs (e.g., \u003ccode\u003e169.254.169.254\u003c/code\u003e, \u003ccode\u003e169.254.170.2\u003c/code\u003e), specific metadata paths (\u003ccode\u003e/latest/meta-data\u003c/code\u003e, \u003ccode\u003e/security-credentials\u003c/code\u003e), explicit AWS access key names (\u003ccode\u003eaws_secret_access_key\u003c/code\u003e, \u003ccode\u003eaws_access_key_id\u003c/code\u003e), or a combination of \u0026quot;jailbreak\u0026quot; language (e.g., \u0026quot;ignore previous instructions\u0026quot;, \u0026quot;developer mode\u0026quot;) with intent to reveal system prompts, credentials, or exfiltrate data to an external URL.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAgent Processing \u0026amp; Potential Action\u003c/strong\u003e: The agent attempts to interpret and act on the malicious instructions. If the agent is misconfigured, has code execution capabilities, or possesses network access to the specified endpoints, it might attempt to retrieve or generate the requested sensitive information.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration (Conditional)\u003c/strong\u003e: If the agent complies with the malicious prompt and has outbound network access, it might send the harvested credentials, API keys, or other sensitive data to an attacker-controlled external endpoint (e.g., \u003ccode\u003ehttps://attacker.com/data\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Acquisition \u0026amp; Abuse\u003c/strong\u003e: The attacker receives the exfiltrated credentials or sensitive data, which can then be used to gain unauthorized access to AWS resources, escalate privileges, or conduct further attacks within the cloud environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of an AWS Bedrock AgentCore through credential harvesting or data exfiltration can lead to severe consequences. Attackers can gain unauthorized access to AWS accounts and resources, potentially leading to data breaches, privilege escalation, resource modification or deletion, and financial losses due to unauthorized resource usage. The impact can extend across multiple services if the compromised credentials have broad permissions. Organizations using vulnerable agents could face significant reputational damage, regulatory fines, and disruption of critical business operations. Even if the agent refuses the request, the presence of such malicious prompts indicates targeted efforts to breach cloud security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and monitor for alerts on suspicious prompts targeting AWS Bedrock AgentCore.\u003c/li\u003e\n\u003cli\u003eEnsure \u003ccode\u003eaws_bedrock_agentcore.runtime_application_logs\u003c/code\u003e are enabled and ingested into your security monitoring platform to capture the necessary telemetry for this detection.\u003c/li\u003e\n\u003cli\u003eReview the full prompt in \u003ccode\u003eaws.bedrock_agentcore.request_payload.prompt\u003c/code\u003e for any detected incidents to confirm intent.\u003c/li\u003e\n\u003cli\u003eIdentify the agent using \u003ccode\u003eaws.bedrock_agentcore.agent_name\u003c/code\u003e or \u003ccode\u003eaws.bedrock_agentcore.resource_arn\u003c/code\u003e and the session with \u003ccode\u003eaws.bedrock_agentcore.session_id\u003c/code\u003e to investigate surrounding prompts.\u003c/li\u003e\n\u003cli\u003eVerify that AgentCore guardrails are configured to block instance-metadata and credential-exfiltration prompts.\u003c/li\u003e\n\u003cli\u003eEnsure IMDSv2 is enforced, and agent execution roles are configured with the principle of least privilege, especially if the agent has code execution or outbound network access capabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T07:56:18Z","date_published":"2026-07-14T07:56:18Z","id":"https://feed.craftedsignal.io/briefs/2026-07-aws-bedrock-credential-harvesting/","summary":"This rule detects prompts sent to Amazon Bedrock AgentCore runtimes that attempt to harvest credentials or exfiltrate data by referencing cloud instance metadata services, explicit AWS access/secret keys, or combining prompt-injection/jailbreak language with intent to reveal secrets or send data to external endpoints, indicating an attempt to weaponize the agent for credential theft.","title":"AWS Bedrock AgentCore Runtime Prompt Targeting Credentials or Instance Metadata","url":"https://feed.craftedsignal.io/briefs/2026-07-aws-bedrock-credential-harvesting/"}],"language":"en","title":"CraftedSignal Threat Feed - Amazon Bedrock AgentCore","version":"https://jsonfeed.org/version/1.1"}