feat(bedrock): add AgentCore Runtime, Harness and Browser paths#30

Open

MrCloudSec wants to merge 1 commit into DataDog:main from MrCloudSec:feat/agentcore-privesc-paths

Conversation

@MrCloudSec


What type of PR is this? (check all applicable)

  • New Path
  • Add / Update / Fix info within an existing path
  • New Feature / Major Change / Refactor / Optimization
  • Non path based documentation Update (Readme, etc)

Description

  • Adds 5 privilege escalation paths for Amazon Bedrock AgentCore: Runtime, Harness and Custom Browser (existing and create variants). Code Interpreter is already covered by bedrock-001/bedrock-002.
  • Based on Phantom Labs research: Mapping Every Privilege Escalation Path in AWS AgentCore (BeyondTrust).
  • Each resource serves its execution role credentials from MMDS (169.254.169.254) inside a Firecracker microVM; the attacker reaches it via an existing resource (fewer permissions) or a new one (iam:PassRole + a Create* chain).
| ID          | Category          | Required permissions                                                                                                                                          |
|-------------|-------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|
| bedrock-003 | new-passrole      | iam:PassRole + CreateAgentRuntime + CreateAgentRuntimeEndpoint + CreateWorkloadIdentity + InvokeAgentRuntimeCommand (Runtime, create)                          |
| bedrock-004 | existing-passrole | InvokeAgentRuntimeCommand (Runtime and Harness, existing)                                                                                                     |
| bedrock-005 | new-passrole      | iam:PassRole + CreateHarness + CreateAgentRuntime + CreateAgentRuntimeEndpoint + CreateWorkloadIdentity + GetAgentRuntime + InvokeAgentRuntimeCommand (Harness, create) |
| bedrock-006 | new-passrole      | iam:PassRole + CreateBrowser + StartBrowserSession + ConnectBrowserAutomationStream (Browser, create)                                                          |
| bedrock-007 | existing-passrole | StartBrowserSession + ConnectBrowserAutomationStream (Browser, existing)                                                                                      |
  • Runtime-existing and Harness-existing share InvokeAgentRuntimeCommand, so they are one path (bedrock-004); its additional perms (ListAgentRuntimes, ListHarnesses) cover both.

How to reproduce and testing

See the Adding a New Privilege Escalation Path section of our Contributing Guide to see how to test your changes locally.
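The permission sets in the table above are what a defender wants to audit for in existing IAM policies. The following is an added example, not code from the PR or from the pathfinding project: it takes an IAM policy document and reports which of the five AgentCore paths (bedrock-003 to bedrock-007, copied from the table) the policy fully grants. It assumes the IAM service prefix for the bare AgentCore action names is `bedrock-agentcore` (check this against the AWS service authorization reference), evaluates only `Action`/`NotAction` with `Allow`/`Deny`, and deliberately ignores `Resource` and `Condition`, so it over-approximates what is granted, which is the safe direction for an audit. The two sample policies at the bottom are constructed for the example.

```python
import fnmatch

# Assumed service prefix for the bare action names in the PR table;
# verify against the AWS service authorization reference.
AGENTCORE = "bedrock-agentcore:"

# Required permission sets, copied from the PR description table.
AGENTCORE_PATHS = {
    "bedrock-003": ("new-passrole", ["iam:PassRole", "CreateAgentRuntime",
                    "CreateAgentRuntimeEndpoint", "CreateWorkloadIdentity",
                    "InvokeAgentRuntimeCommand"]),
    "bedrock-004": ("existing-passrole", ["InvokeAgentRuntimeCommand"]),
    "bedrock-005": ("new-passrole", ["iam:PassRole", "CreateHarness",
                    "CreateAgentRuntime", "CreateAgentRuntimeEndpoint",
                    "CreateWorkloadIdentity", "GetAgentRuntime",
                    "InvokeAgentRuntimeCommand"]),
    "bedrock-006": ("new-passrole", ["iam:PassRole", "CreateBrowser",
                    "StartBrowserSession", "ConnectBrowserAutomationStream"]),
    "bedrock-007": ("existing-passrole", ["StartBrowserSession",
                    "ConnectBrowserAutomationStream"]),
}


def _qualify(action: str) -> str:
    """Prefix bare AgentCore action names; leave 'service:Action' untouched."""
    return action if ":" in action else AGENTCORE + action


def _as_list(value):
    """IAM allows a string or a list in Action/NotAction/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action: str, patterns) -> bool:
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)


def action_allowed(policy: dict, action: str) -> bool:
    """True if some statement allows `action` and no statement denies it.

    Resource and Condition are ignored on purpose: the result over-approximates
    the grant, which is what an audit for dangerous permission combos wants.
    """
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        if "Action" in stmt:
            hit = _matches(action, _as_list(stmt["Action"]))
        elif "NotAction" in stmt:
            # NotAction covers everything except the listed patterns.
            hit = not _matches(action, _as_list(stmt["NotAction"]))
        else:
            continue
        if hit and stmt.get("Effect") == "Allow":
            allowed = True
        elif hit and stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied


def granted_paths(policy: dict) -> list:
    """IDs of the paths whose entire permission set the policy grants."""
    return [
        path_id for path_id, (_category, perms) in AGENTCORE_PATHS.items()
        if all(action_allowed(policy, _qualify(p)) for p in perms)
    ]


# Constructed sample 1: PassRole plus a Create* wildcard and the invoke action.
SAMPLE_POLICY_CREATE_CHAIN = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:PassRole", "bedrock-agentcore:Create*",
                   "bedrock-agentcore:InvokeAgentRuntimeCommand"],
        "Resource": "*",
    }],
}

# Constructed sample 2: full AgentCore access but PassRole explicitly denied,
# which leaves only the existing-resource paths reachable.
SAMPLE_POLICY_NO_PASSROLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "bedrock-agentcore:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, pol in [("create-chain", SAMPLE_POLICY_CREATE_CHAIN),
                      ("no-passrole", SAMPLE_POLICY_NO_PASSROLE)]:
        print(name, "->", granted_paths(pol))
```

The second sample shows why the PR's existing-vs-create split matters for triage: an explicit Deny on `iam:PassRole` removes the three create-variant paths, but bedrock-004 and bedrock-007 remain reachable through resources that already exist in the account.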

@MrCloudSec MrCloudSec force-pushed the feat/agentcore-privesc-paths branch from 24d1568 to a169f2a on June 15, 2026 20:43
@sethsec sethsec self-assigned this Jun 17, 2026

sethsec commented Jun 25, 2026

Hey, just wanted to drop a note that I am looking at these... I'm just in the process of adding them to pathfinding-labs to confirm I can reproduce them.
