We Found Eight Attack Vectors Inside AWS Bedrock. Here’s What Attackers Can Do with Them

AWS Bedrock, Amazon’s platform for building AI-powered applications, provides access to foundation models and tools that connect them directly to enterprise systems like Salesforce, Lambda, and SharePoint. While this integration empowers developers, it also opens multiple attack surfaces that malicious actors can exploit.

Researchers at XM Cyber have identified eight validated attack vectors that attackers can leverage to compromise Bedrock environments, ranging from log manipulation and knowledge base theft to agent hijacking, flow injection, guardrail bypassing, and prompt poisoning.

The Eight Bedrock Attack Vectors

1. Model Invocation Log Attacks – Attackers can redirect or read logs containing sensitive prompts or delete them entirely to erase evidence of exploitation.
2. Knowledge Base Attacks – Data Source – Exploiting access to S3, Salesforce, SharePoint, or Confluence, attackers can bypass models and retrieve raw enterprise data. Stolen credentials may allow lateral movement within connected systems, such as Active Directory.
3. Knowledge Base Attacks – Data Store – Accessing vector databases or AWS-native stores (Aurora, Redshift) via intercepted credentials enables full control over ingested and indexed knowledge.
4. Direct Agent Attacks – Unauthorized updates to Bedrock Agents can rewrite prompts, attach malicious executors, or perform database modifications, all under the guise of legitimate AI workflows.
5. Indirect Agent Attacks – Attackers can compromise Lambda functions that agents rely on, injecting malicious code or dependencies to exfiltrate data and manipulate AI responses.
6. Flow Attacks – Bedrock Flows orchestrate model task sequences. Attackers with flow update permissions can insert malicious nodes, bypass authorization checks, or re-encrypt data with their keys.
7. Guardrail Attacks – Modifying or deleting content and safety guardrails can weaken model protections, making AI agents more susceptible to prompt injection or PII leakage.
8. Managed Prompt Attacks – Attackers can modify prompt templates centrally, injecting malicious instructions that subvert AI behavior across all connected workflows without triggering redeployment.

Key Takeaways for Security Teams

These attack vectors emphasize that attackers rarely need to compromise the model itself—over-privileged identities and misconfigured integrations are sufficient to hijack AI workflows, access sensitive data, and reach critical enterprise systems.

Security teams should:

• Audit AI workloads and their permissions.
• Map attack paths across cloud and on-premises environments.
• Enforce strict posture management on agents, flows, guardrails, and prompt management systems.

For a full technical breakdown, including architectural diagrams and best practices, XM Cyber recommends reviewing the complete research: Building and Scaling Secure Agentic AI Applications in AWS Bedrock.