Cracks in the Bedrock: Agent God Mode

Palo Alto Networks researchers found that the Amazon Bedrock AgentCore starter toolkit auto-creates overly broad IAM roles (dubbed “Agent God Mode”) that allow an agent to pull any ECR image, read or poison any agent memory, and invoke code interpreters across an AWS account; they demonstrate a multi-stage attack (ECR token retrieval → image exfiltration → extract MemoryID → cross-agent memory compromise), disclosed to AWS, and recommend creating least-privilege custom IAM roles.