Novel attack techniques targeting the underlying infrastructure of Bedrock applications

There are many attacks, new and old, arising from the push to GenAI. In a world that encourages developers to adopt coding agents and is shifting to AI-enabled workflows, we must ask ourselves: are we handling the new security risks this introduces?

Amazon Bedrock is already used at every stage, from the development lifecycle through production applications, and often with broad permissions over AWS resources. Its rapid adoption reproduces common configuration patterns that lead to data leaks, destruction, and tampering.

If you are interested in learning about novel attack methods against Bedrock applications across your AWS organization, this talk is for you. You will learn how common misconfigurations in Bedrock can lead to data exfiltration, lateral movement, and security control weakening in your AWS organization. Join us to hear more.

  1. Introduction - 4 minutes

    In this introduction, we will give a quick overview of Bedrock applications and how they integrate with the AWS ecosystem. In the following sections we will demonstrate novel attack techniques against Bedrock applications and describe possible mitigations.

    Amazon Bedrock has become the go-to managed AI service for enterprises that want to use GenAI in their workflows.

    Bedrock’s native integration with compute resources, application logic, serverless functions, and cloud storage makes it a capable platform for deploying foundation models at scale. Security research has focused almost exclusively on LLM-layer concerns such as prompt injection and jailbreaks, leaving the infrastructure layer largely unexamined.

    We will take the audience through practical attack techniques targeting Bedrock-specific configurations and show how attackers are already exploiting the gap between “we deployed AI” and “we secured it”.

  2. How companies misuse Bedrock due to misconceptions in security implementations – 1 minute

    Many companies give Bedrock direct access to their data. Problems begin when permissions are assigned carelessly: in a multi-tenant AWS environment, Bedrock permissions do not always behave the way one expects.

  3. Novel attack methods against Bedrock – 15 minutes

    a. Accessing production data from development accounts by abusing guardrails – Guardrails are used in almost every critical Bedrock application. Under common configurations, guardrail permission policies can enable data exfiltration and model abuse in unexpected ways.

    b. Bedrock agents can be abused for privilege escalation: an attacker can expose an agent's inner workings and silently gain privileges by extracting access keys and other credentials or secrets that the agent can reach.

  4. Conclusions & Takeaways – 5 minutes

    a. Recap of the attack techniques and mitigation methods.

    b. Takeaways for architects and security teams.
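The abstract does not disclose the guardrail or agent techniques themselves, so what follows is only an added illustration of the least-privilege point behind sections 2 and 3a, not code from the talk or from AWS: an offline audit of IAM policy statements that grant Bedrock permissions, flagging wildcard actions, wildcard resources, and resource ARNs that live in a different account than the role holding the policy (the dev-role-to-prod-guardrail pattern). The account IDs, guardrail ID, model ID and the sample policy are constructed for this example.

```python
"""Least-privilege audit of IAM policy statements that grant Amazon Bedrock
permissions. Added example for this abstract; not code from the talk.

Flags three patterns: wildcard Bedrock actions, wildcard resources, and
resource ARNs in a different account than the role using the policy
(e.g. a dev-account role that can apply a prod-account guardrail).
"""
import json

# Constructed placeholders, not real account IDs, guardrail IDs or model IDs.
DEV_ACCOUNT = "111111111111"
PROD_ACCOUNT = "222222222222"

SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # careless: every Bedrock action on every resource
            "Effect": "Allow",
            "Action": "bedrock:*",
            "Resource": "*",
        },
        {   # dev role allowed to apply a guardrail that lives in the prod account
            "Effect": "Allow",
            "Action": ["bedrock:ApplyGuardrail", "bedrock:InvokeModel"],
            "Resource": [
                f"arn:aws:bedrock:us-east-1:{PROD_ACCOUNT}:guardrail/gr-example",
                # foundation models are AWS-owned: the ARN's account field is empty
                "arn:aws:bedrock:us-east-1::foundation-model/example-model-v1",
            ],
        },
        {   # scoped: one action on one model, no wildcards
            "Effect": "Allow",
            "Action": "bedrock:InvokeModel",
            "Resource": "arn:aws:bedrock:us-east-1::foundation-model/example-model-v1",
        },
    ],
}


def _as_list(value):
    """IAM allows either a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def arn_account(arn):
    """Return the account field of an ARN ('' for AWS-owned resources such as
    foundation models), or None if the string is not ARN-shaped."""
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None


def audit_statement(stmt, home_account):
    """Return a list of human-readable findings for one Allow statement."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    actions = _as_list(stmt.get("Action"))
    # Only statements that can grant Bedrock permissions are of interest here.
    if not any(a == "*" or a.lower().startswith("bedrock:") for a in actions):
        return findings
    for action in actions:
        if action == "*" or action.lower() == "bedrock:*":
            findings.append(f"wildcard action {action!r}")
    for resource in _as_list(stmt.get("Resource")):
        if resource == "*":
            findings.append("wildcard resource '*'")
            continue
        account = arn_account(resource)
        # '' means AWS-owned (foundation model); flag only a *different* account.
        if account and account != home_account:
            findings.append(f"cross-account resource {resource} (account {account})")
    return findings


def audit_policy(policy, home_account):
    """Map statement index -> findings, for statements with at least one finding."""
    report = {}
    for index, stmt in enumerate(policy.get("Statement", [])):
        findings = audit_statement(stmt, home_account)
        if findings:
            report[index] = findings
    return report


if __name__ == "__main__":
    # Audit the constructed policy as if it were attached to a role in the dev account.
    print(json.dumps(audit_policy(SAMPLE_POLICY, DEV_ACCOUNT), indent=2))
```

Run against the constructed policy as a dev-account role, the auditor reports the first statement for both wildcards and the second for the prod-account guardrail ARN, while the AWS-owned foundation-model ARN (empty account field) and the fully scoped third statement pass. The same policy audited as a prod-account role keeps only the wildcard finding, which is the point: whether a statement is "cross-account" depends on which account's role carries it.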
