When an Attacker Meets a Group of Agents: Navigating Amazon Bedrock's Multi-Agent Applications
ID: 6b59961a-b749-5c8a-a554-d597857369ea
STIX ID: report--6b59961a-b749-5c8a-a554-d597857369ea
Feed Name: Palo Alto Networks Unit 42
This red-team assessment explores how prompt injection across Amazon Bedrock multi-agent orchestration (Supervisor and Supervisor-with-Routing modes) can be chained to discover collaborator agents, extract internal instructions and tool schemas, and invoke tools with attacker-controlled inputs. The authors performed controlled tests (no Bedrock product flaws found) and demonstrate that enabling Bedrock pre-processing and Guardrails, together with agent hardening (scoped capabilities, input validation, least privilege), mitigates the risks.
