Amazon Web Services (AWS) has launched Bedrock, a platform designed for developing AI-powered applications, granting developers access to foundation models and the essential tools for directly integrating those models with enterprise data and systems. While this connectivity amplifies its capabilities, it simultaneously exposes Bedrock to various security threats.

When an AI agent gains the ability to interact with systems such as Salesforce, execute Lambda functions, or access a SharePoint knowledge base, it essentially becomes an integral part of an organization’s infrastructure. This integration grants it permissions and paths to critical assets, making it a valuable target for cyber attackers. Recent research conducted by the XM Cyber threat team systematically outlines eight distinct attack vectors that can be exploited within Bedrock environments. These vectors encompass methods like log manipulation, knowledge base breaches, agent hijacking, flow injection, degradation of defenses, and prompt poisoning.

The threat research team carried out an in-depth analysis of Bedrock’s architecture and workflows, finding that each attack vector typically begins with low-level permissions and can culminate in unauthorized access to sensitive resources. The first of these vectors, Model Invocation Log Attacks, targets the logs Bedrock records for model invocations. By gaining access to the S3 bucket that stores these logs, or by using the specific permission that lets them redirect where the logs are delivered, attackers can harvest sensitive information and erase the data trail of their own activity.

Another concerning avenue revolves around Knowledge Base Attacks, specifically targeting the data source and the data store. Bedrock connects foundational models to proprietary data through a process known as Retrieval Augmented Generation (RAG). An attacker with access to these underlying data sources, which may include S3 buckets or Salesforce instances, can bypass the models and pull raw data directly. Furthermore, if an attacker is granted permissions to retrieve and decrypt credentials, they may subsequently acquire keys used for connecting integrated SaaS services.

Agent Attacks constitute yet another significant threat, categorized into direct and indirect methods. Direct Agent Attacks enable an intruder to overwrite an agent’s prompt and instructions, which can lead to malicious outputs. Indirect attacks instead target the Lambda functions an agent calls, planting malicious code that manipulates AI workflows for data exfiltration or the generation of undesirable content.

Flow Attacks present a unique challenge as attackers can inject components into workflows, redirecting sensitive data without breaking the application’s logic. Additionally, Guardrail Attacks allow malicious actors to degrade the very filters designed to protect against toxic content, effectively making it easier for AI models to be manipulated. Lastly, Managed Prompt Attacks involve the alteration of centralized templates, injecting malicious instructions that can subvert entire application environments without triggering redeployment processes, complicating detection efforts.

The overarching implication for security teams is that these vulnerabilities stem from flaws in permissions, configurations, and integrations rather than from the models themselves. A single over-privileged identity can set the stage for severe consequences, including redirecting logs or hijacking agents to reach critical systems. Effective security for Bedrock therefore requires a thorough understanding of AI workloads and the permissions attached to them, alongside comprehensive strategies for identifying potential attack paths across both cloud and on-premises environments.
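As an added illustration of that permissions point (this is example code, not code from the XM Cyber report or from AWS), the following Python function scans an IAM policy document for the actions that would enable each of the attack vectors described above. The mapping from vectors to IAM actions is this example's own assumption, not a list taken from the report, and the two sample policies are constructed.

```python
import fnmatch

# Assumed mapping of the attack vectors described above to IAM actions that
# enable them. This mapping is the example's own; it is not taken from the report.
VECTOR_ACTIONS = {
    "Model Invocation Log": ["bedrock:PutModelInvocationLoggingConfiguration",
                             "s3:GetObject", "s3:DeleteObject"],
    "Knowledge Base": ["bedrock:UpdateDataSource", "secretsmanager:GetSecretValue"],
    "Direct Agent": ["bedrock:UpdateAgent"],
    "Indirect Agent (Lambda)": ["lambda:UpdateFunctionCode"],
    "Flow": ["bedrock:UpdateFlow"],
    "Guardrail": ["bedrock:UpdateGuardrail", "bedrock:DeleteGuardrail"],
    "Managed Prompt": ["bedrock:UpdatePrompt"],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allowed_by(statement, action):
    """True if an Allow statement's Action patterns cover `action`.

    IAM action matching is case-insensitive with '*' and '?' wildcards. This
    simplified check ignores Resource/Condition, Deny statements and NotAction.
    """
    if statement.get("Effect") != "Allow" or "Action" not in statement:
        return False
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement["Action"]))


def risky_vectors(policy):
    """Return {vector: [granted enabling actions]} for every vector the policy enables."""
    findings = {}
    for vector, actions in VECTOR_ACTIONS.items():
        granted = [a for a in actions
                   if any(_allowed_by(s, a) for s in _as_list(policy["Statement"]))]
        if granted:
            findings[vector] = granted
    return findings


# Constructed sample policies: one over-privileged, one least-privilege.
OVERPRIVILEGED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["bedrock:*", "lambda:UpdateFunctionCode"], "Resource": "*"}]}
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "bedrock:InvokeModel", "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in (("over-privileged", OVERPRIVILEGED), ("least-privilege", LEAST_PRIVILEGE)):
        print(name, risky_vectors(policy))
```

Running it flags all seven vectors for the wildcard `bedrock:*` policy and none for the invoke-only policy, which is the kind of check a team can run over its Bedrock-related roles before granting them.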

For cybersecurity leaders seeking to delve deeper into these attack vectors, including architectural diagrams and best practices, a complete research report is available for download, offering valuable insights into safeguarding AI applications within AWS Bedrock.

Note: This article was contributed by Eli Shparaga, a Security Researcher at XM Cyber, specifically for our audience.