Skip to content

AgentCore Security

Amazon Bedrock AgentCore (GA October 2025) is AWS's managed platform for running AI agents - Runtime, Code Interpreter, Memory, Gateway, Identity and Policy. Its security model is secure by AWS, misconfigured by customer: several attack surfaces are the customer's responsibility, and AWS does not fix them automatically. Palo Alto Unit 42's "Cracks in the Bedrock" research (2026) documented IAM "God Mode", sandbox network-isolation bypass, and credential-theft paths on this surface.

cloud-audit is the first open-source scanner with dedicated AgentCore checks. All checks are read-only (bedrock-agentcore-control list/get), with no per-call charge.

cloud-audit scan                       # AgentCore checks run automatically
cloud-audit scan --categories security # or scope to security

What it checks

Check What it flags Severity
aws-agc-001 Code Interpreter in PUBLIC network mode (unrestricted egress for attacker-influenced code) HIGH
aws-agc-002 Agent Runtime in PUBLIC network mode (data exfiltration path) HIGH
aws-agc-003 Agent Runtime that does not enforce MMDSv2 (SSRF / prompt-injection credential theft from the metadata endpoint) HIGH
aws-agc-004 Memory store without a customer-managed KMS key (no key-level audit / rotation / revocation over persisted agent data) MEDIUM
aws-agc-005 Gateway with no inbound authorizer (authorizerType=NONE) - open access to MCP tools and the backing IAM role HIGH
aws-agc-006 Gateway with no enforcing policy engine (missing or LOG_ONLY) - no per-tool authorization MEDIUM

Each finding ships a ready-to-use fix (AWS CLI + Terraform) and a breach-cost estimate, like every other cloud-audit check.

Why it matters

The most dangerous AgentCore issues are configuration choices AWS will not override:

  • Code Interpreter privilege model - whoever can invoke a Code Interpreter executes code under its role, and a PUBLIC-mode sandbox can reach the internet. AWS classifies this design as expected behaviour, so the guardrail is yours to set.
  • Metadata credential theft - an agent that fetches an attacker-controlled URL (prompt injection, SSRF) can read the runtime metadata endpoint and steal its IAM credentials unless MMDSv2 is enforced - the same class of risk IMDSv2 hardens on EC2.
  • Open gateways - an AgentCore Gateway exposes MCP tools; without an authorizer and an enforcing policy engine, any caller reaches every tool and the IAM role behind it.

Honest framing and scope

  • Read-only, and AgentCore is regional - regions or accounts without the service are skipped silently (no errors, no noise).
  • PUBLIC network mode is sometimes intentional; the finding flags the egress/exfiltration risk and recommends VPC + Route 53 DNS Firewall, not a blanket failure.
  • These are configuration checks. Runtime-only attacks (memory poisoning by content, prompt injection, malicious-MCP tool injection) are not deterministic config findings and are out of scope here.
  • Field names, operations and enum values were verified against the live boto3 service model, not assumed.