<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Amazon Bedrock AgentCore - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/amazon-bedrock-agentcore/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 14 Jul 2026 07:56:18 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/amazon-bedrock-agentcore/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS Bedrock AgentCore Runtime Prompt Targeting Credentials or Instance Metadata</title><link>https://feed.craftedsignal.io/briefs/2026-07-aws-bedrock-credential-harvesting/</link><pubDate>Tue, 14 Jul 2026 07:56:18 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-aws-bedrock-credential-harvesting/</guid><description>This rule detects prompts sent to Amazon Bedrock AgentCore runtimes that attempt to harvest credentials or exfiltrate data by referencing cloud instance metadata services, explicit AWS access/secret keys, or combining prompt-injection/jailbreak language with intent to reveal secrets or send data to external endpoints, indicating an attempt to weaponize the agent for credential theft.</description><content:encoded><![CDATA[<p>This threat brief details attempts to weaponize Amazon Bedrock AgentCore runtimes for credential theft and data exfiltration. Attackers craft malicious prompts targeting the agent to either extract sensitive information directly or coerce it into revealing internal system details. The threat leverages prompt injection techniques to bypass agent guardrails and access cloud instance metadata services (IMDS), AWS access and secret keys, or to exfiltrate data to external endpoints. While the agent may refuse these requests, the very attempt is a strong indicator of malicious intent, as a misconfigured or highly capable agent could comply, leading to the compromise of AWS resources. This activity highlights the importance of securing AI agents and monitoring their interactions for suspicious prompts that could lead to credential access.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Reconnaissance &amp; Crafting</strong>: An attacker researches AWS Bedrock AgentCore capabilities and identifies potential weaknesses for prompt injection or data exfiltration. They craft a malicious prompt designed to access sensitive information.</li>
<li><strong>Initial Access (Prompt Delivery)</strong>: The attacker sends the crafted prompt to the Bedrock AgentCore runtime (e.g., via a web application frontend, API gateway, or direct <code>InvokeAgentRuntime</code> call).</li>
<li><strong>Instruction Injection</strong>: The AgentCore runtime processes the prompt, which contains instructions referencing cloud instance metadata service IPs (e.g., <code>169.254.169.254</code>, <code>169.254.170.2</code>), specific metadata paths (<code>/latest/meta-data</code>, <code>/security-credentials</code>), explicit AWS access key names (<code>aws_secret_access_key</code>, <code>aws_access_key_id</code>), or a combination of &quot;jailbreak&quot; language (e.g., &quot;ignore previous instructions&quot;, &quot;developer mode&quot;) with intent to reveal system prompts, credentials, or exfiltrate data to an external URL.</li>
<li><strong>Agent Processing &amp; Potential Action</strong>: The agent attempts to interpret and act on the malicious instructions. If the agent is misconfigured, has code execution capabilities, or possesses network access to the specified endpoints, it might attempt to retrieve or generate the requested sensitive information.</li>
<li><strong>Exfiltration (Conditional)</strong>: If the agent complies with the malicious prompt and has outbound network access, it might send the harvested credentials, API keys, or other sensitive data to an attacker-controlled external endpoint (e.g., <code>https://attacker.com/data</code>).</li>
<li><strong>Credential Acquisition &amp; Abuse</strong>: The attacker receives the exfiltrated credentials or sensitive data, which can then be used to gain unauthorized access to AWS resources, escalate privileges, or conduct further attacks within the cloud environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of an AWS Bedrock AgentCore through credential harvesting or data exfiltration can lead to severe consequences. Attackers can gain unauthorized access to AWS accounts and resources, potentially leading to data breaches, privilege escalation, resource modification or deletion, and financial losses due to unauthorized resource usage. The impact can extend across multiple services if the compromised credentials have broad permissions. Organizations using vulnerable agents could face significant reputational damage, regulatory fines, and disruption of critical business operations. Even if the agent refuses the request, the presence of such malicious prompts indicates targeted efforts to breach cloud security.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM and monitor for alerts on suspicious prompts targeting AWS Bedrock AgentCore.</li>
<li>Ensure <code>aws_bedrock_agentcore.runtime_application_logs</code> are enabled and ingested into your security monitoring platform to capture the necessary telemetry for this detection.</li>
<li>Review the full prompt in <code>aws.bedrock_agentcore.request_payload.prompt</code> for any detected incidents to confirm intent.</li>
<li>Identify the agent using <code>aws.bedrock_agentcore.agent_name</code> or <code>aws.bedrock_agentcore.resource_arn</code> and the session with <code>aws.bedrock_agentcore.session_id</code> to investigate surrounding prompts.</li>
<li>Verify that AgentCore guardrails are configured to block instance-metadata and credential-exfiltration prompts.</li>
<li>Ensure IMDSv2 is enforced, and agent execution roles are configured with the principle of least privilege, especially if the agent has code execution or outbound network access capabilities.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cloud-security</category><category>llm</category><category>ai</category><category>prompt-injection</category><category>credential-access</category><category>data-exfiltration</category></item></channel></rss>