<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Microvm - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/microvm/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Jul 2026 06:32:41 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/microvm/feed.xml" rel="self" type="application/rss+xml"/><item><title>Abuse of AWS Bedrock AgentCore Execution Role Credentials for Cloud Privilege Escalation</title><link>https://feed.craftedsignal.io/briefs/2026-07-aws-bedrock-agentcore-cred-abuse/</link><pubDate>Fri, 17 Jul 2026 06:32:41 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-aws-bedrock-agentcore-cred-abuse/</guid><description>Anomalous AWS API calls by an Amazon Bedrock AgentCore execution role indicate potential credential exfiltration and abuse for cloud privilege escalation, lateral movement, or reconnaissance outside its intended runtime environment.</description><content:encoded><![CDATA[<p>Attackers are exploiting vulnerabilities within AWS Code Interpreter microVMs to exfiltrate temporary credentials from Amazon Bedrock AgentCore execution roles. Normally, these roles are restricted to interacting with Bedrock inference, AgentCore data-plane, and observability services like CloudWatch Logs, X-Ray, and CloudWatch metrics. Public research highlights a string-filter bypass that allows an attacker to steal these credentials via the instance metadata service (IMDS). Once exfiltrated, these compromised credentials enable attackers to perform unauthorized AWS API calls to services such as STS, EC2, IAM, or Secrets Manager. This activity, logged under the legitimate AgentCore execution role's identity in CloudTrail, signals malicious reconnaissance, privilege escalation, or lateral movement within the AWS environment, making detection of the first anomalous service call crucial for defense.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker compromises an Amazon Bedrock AgentCore's Code Interpreter microVM, likely by exploiting a string-filter bypass vulnerability within the sandbox environment.</li>
<li>The attacker abuses the compromised microVM's access to the instance metadata service (IMDS) to retrieve temporary AWS credentials for the AgentCore execution role.</li>
<li>The attacker successfully exfiltrates these temporary AWS credentials, associated with the AgentCore execution role, from the microVM sandbox.</li>
<li>The exfiltrated credentials are then used to make unauthorized AWS API calls to services outside the AgentCore's normal operational scope, such as <code>sts:GetCallerIdentity</code>, <code>ec2:Describe*</code>, or <code>iam:List*/Get*</code> for reconnaissance.</li>
<li>The attacker leverages these stolen credentials to attempt privilege escalation (e.g., <code>sts:AssumeRole</code>, <code>iam:Put*/Attach*</code>) or achieve lateral movement to other AWS resources and accounts.</li>
<li>The successful abuse results in unauthorized access to sensitive data, modification of AWS resources, or further deep compromise of the cloud environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exfiltration and abuse of AWS Bedrock AgentCore execution role credentials can lead to significant unauthorized access within an organization's AWS environment. Attackers can perform extensive reconnaissance, gain elevated privileges, and move laterally across various AWS services. This allows them to access sensitive data, modify critical configurations, deploy additional malicious resources, or disrupt operations. The compromise can impact a wide range of AWS-dependent applications and services, leading to data breaches, service outages, and potential financial and reputational damage. The broad access afforded by assumed roles means that the blast radius of such an incident can be substantial, affecting multiple cloud accounts or entire organizational infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS Bedrock AgentCore Execution Role Used Outside Its Runtime&quot; to your SIEM and tune for your environment to detect anomalous API calls.</li>
<li>Review the <code>aws.cloudtrail.user_identity.session_context.session_issuer.arn</code> and <code>event.provider</code> fields for any triggered alerts and investigate the legitimacy of the activity.</li>
<li>Restrict Bedrock AgentCore execution roles to the principle of least privilege, ensuring they only have access to necessary services and actions.</li>
<li>Configure AWS Code Interpreter microVMs to use VPC network mode where possible and ensure the instance metadata service requires session tokens to mitigate credential exfiltration risks.</li>
<li>If unauthorized activity is confirmed, immediately revoke the affected execution role's active sessions and rotate any associated secrets.</li>
<li>Refer to the provided references from Sonrai Security and Palo Alto Networks Unit 42 for further details on string-filter bypasses and sandbox escapes.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cloud-security</category><category>aws</category><category>bedrock</category><category>privilege-escalation</category><category>credential-access</category><category>microvm</category><category>code-interpreter</category></item></channel></rss>