Revise AWS Bedrock AgentCore Code Interpreter documentation

AMOussama · web-flow · commit 70738d211e8e · 2026-02-12T00:06:33.000+01:00
Updated the AWS Bedrock AgentCore documentation to clarify the Code Interpreter Role Pivot technique, including details on preconditions, required IAM actions, exploitation flow, and mitigation strategies.
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/src/pentesting-cloud/aws-security /aws-bedrock-agentcore-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/src/pentesting-cloud/aws-security /aws-bedrock-agentcore-privesc.md
@@ -0,0 +1,88 @@
+# AWS Bedrock AgentCore - Code Interpreter Role Pivot
+
+## Service
+
+**Amazon Bedrock AgentCore**
+
+## Technique Name
+
+**Code Interpreter Role Pivot** (Privilege escalation/lateral movement via over-privileged `executionRoleArn`)
+
+## Why this Matters
+
+Amazon Bedrock AgentCore introduced a "Code Interpreter" feature in mid-2025 that acts as a managed compute surface. It executes code within a Firecracker MicroVM-isolated environment. The critical security hook is the **`executionRoleArn`**: this is the IAM identity the interpreter uses to interact with other AWS services.
+
+When a developer grants this service-linked role excessive permissions (e.g., `s3:*`, `secretsmanager:GetSecretValue`), any user with the ability to invoke the interpreter can effectively "hijack" those permissions to move laterally or escalate privileges within the account.
+
+
+## Preconditions (The Misconfiguration)
+
+1. **Over-privileged Execution Role:** An AgentCore Code Interpreter is configured with a role that has access to sensitive data or administrative APIs.
+2. **Broad Invocation Access:** A low-privileged IAM principal is granted permission to start or interact with these sessions.
+3. **Governance Failure:** The environment is treated as "AI experimental tooling" rather than "Managed Compute," bypassing standard Least Privilege reviews.
+
+
+## Required IAM Actions
+
+To execute this pivot, an attacker needs one or more of the following `bedrock-agentcore` actions:
+
+* `bedrock-agentcore:StartCodeInterpreterSession`
+* `bedrock-agentcore:InvokeCodeInterpreter`
+* `bedrock-agentcore:CreateCodeInterpreter` (Allows creating a session with a pre-existing role)
+
+> **Note on `iam:PassRole`:** In current AWS Service Authorization References, `CreateCodeInterpreter` does not explicitly list `iam:PassRole` as a dependency in the same way `CreateGateway` does. This creates a potential "PassRole-less" role selection edge case that should be validated in target environments.
+
+
+## Exploitation Flow
+
+### 1. Reconnaissance
+
+Identify existing interpreters and their associated execution roles.
+
+```bash
+aws bedrock-agentcore-control list-code-interpreters
+aws bedrock-agentcore-control get-code-interpreter --code-interpreter-id <TARGET_ID>
+
+```
+
+### 2. Session Initiation
+
+Start a session to gain access to the compute environment.
+
+```bash
+aws bedrock-agentcore start-code-interpreter-session --code-interpreter-id <TARGET_ID>
+
+```
+
+### 3. Lateral Movement / Exfiltration
+
+Invoke the interpreter to execute Python code that uses the `executionRoleArn` credentials to access other services.
+
+```python
+import boto3
+# The interpreter uses the executionRoleArn automatically
+s3 = boto3.client('s3')
+print(s3.list_buckets())
+
+```
+
+
+## Mitigation & Detection
+
+### **Prevention**
+
+* **Apply Permission Boundaries:** Attach a boundary to the `executionRoleArn` to ensure it cannot perform IAM mutations or sensitive data deletions, regardless of its primary policy.
+* **Restrict Invocation:** Limit `StartCodeInterpreterSession` and `InvokeCodeInterpreter` to specific, authorized admin principals.
+* **Identity Scoping:** Use the `bedrock-agentcore:sessionId` and `bedrock-agentcore:actorId` condition keys to ensure sessions are isolated to specific users.
+
+### **Detection**
+
+* **CloudTrail Monitoring:** Monitor for `StartCodeInterpreterSession` events from unexpected IPs or principals.
+* **Credential Usage:** Alert on the use of AgentCore execution role credentials (detectable via the `UserAgent` or `PrincipalId` in CloudTrail) to access S3 buckets or Secrets Manager outside of normal AI operations.
+
+
+## References
+
+* [AWS CLI Reference: create-code-interpreter](https://docs.aws.amazon.com/cli/latest/reference/bedrock-agentcore-control/create-code-interpreter.html)
+* [AWS Service Authorization: Bedrock AgentCore](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockagentcore.html)
+* [AWS CLI: start-code-interpreter-session](https://docs.aws.amazon.com/cli/latest/reference/bedrock-agentcore/start-code-interpreter-session.html)
