AgentCore Security
Amazon Bedrock AgentCore (GA October 2025) is AWS's managed platform for running AI agents - Runtime, Code Interpreter, Memory, Gateway, Identity and Policy. Its security model is secure by AWS, misconfigured by customer: several attack surfaces are the customer's responsibility, and AWS does not fix them automatically. Palo Alto Unit 42's "Cracks in the Bedrock" research (2026) documented IAM "God Mode", sandbox network-isolation bypass, and credential-theft paths on this surface.
cloud-audit is the first open-source scanner with dedicated AgentCore checks. All checks are read-only (bedrock-agentcore-control list/get), with no per-call charge.
cloud-audit scan # AgentCore checks run automatically
cloud-audit scan --categories security # or scope to security
What it checks
| Check | What it flags | Severity |
|---|---|---|
aws-agc-001 |
Code Interpreter in PUBLIC network mode (unrestricted egress for attacker-influenced code) | HIGH |
aws-agc-002 |
Agent Runtime in PUBLIC network mode (data exfiltration path) | HIGH |
aws-agc-003 |
Agent Runtime that does not enforce MMDSv2 (SSRF / prompt-injection credential theft from the metadata endpoint) | HIGH |
aws-agc-004 |
Memory store without a customer-managed KMS key (no key-level audit / rotation / revocation over persisted agent data) | MEDIUM |
aws-agc-005 |
Gateway with no inbound authorizer (authorizerType=NONE) - open access to MCP tools and the backing IAM role |
HIGH |
aws-agc-006 |
Gateway with no enforcing policy engine (missing or LOG_ONLY) - no per-tool authorization |
MEDIUM |
Each finding ships a ready-to-use fix (AWS CLI + Terraform) and a breach-cost estimate, like every other cloud-audit check.
Why it matters
The most dangerous AgentCore issues are configuration choices AWS will not override:
- Code Interpreter privilege model - whoever can invoke a Code Interpreter executes code under its role, and a PUBLIC-mode sandbox can reach the internet. AWS classifies this design as expected behaviour, so the guardrail is yours to set.
- Metadata credential theft - an agent that fetches an attacker-controlled URL (prompt injection, SSRF) can read the runtime metadata endpoint and steal its IAM credentials unless MMDSv2 is enforced - the same class of risk IMDSv2 hardens on EC2.
- Open gateways - an AgentCore Gateway exposes MCP tools; without an authorizer and an enforcing policy engine, any caller reaches every tool and the IAM role behind it.
Honest framing and scope
- Read-only, and AgentCore is regional - regions or accounts without the service are skipped silently (no errors, no noise).
- PUBLIC network mode is sometimes intentional; the finding flags the egress/exfiltration risk and recommends VPC + Route 53 DNS Firewall, not a blanket failure.
- These are configuration checks. Runtime-only attacks (memory poisoning by content, prompt injection, malicious-MCP tool injection) are not deterministic config findings and are out of scope here.
- Field names, operations and enum values were verified against the live boto3 service model, not assumed.