mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2025-12-12 07:40:49 -08:00
reorg bedrock
This commit is contained in:
carlospolop
@@ -248,6 +248,7 @@
|
||||
- [AWS - STS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence/README.md)
|
||||
- [AWS - Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/README.md)
|
||||
- [AWS - API Gateway Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation/README.md)
|
||||
- [AWS - Bedrock Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-bedrock-post-exploitation/README.md)
|
||||
- [AWS - CloudFront Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation/README.md)
|
||||
- [AWS - CodeBuild Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md)
|
||||
- [AWS Codebuild - Token Leakage](pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md)
|
||||
@@ -361,7 +362,7 @@
|
||||
- [AWS - Trusted Advisor Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md)
|
||||
- [AWS - WAF Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md)
|
||||
- [AWS - API Gateway Enum](pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md)
|
||||
- [Aws Bedrock Agents Memory Poisoning](pentesting-cloud/aws-security/aws-services/aws-bedrock-agents-memory-poisoning.md)
|
||||
- [AWS - Bedrock Enum](pentesting-cloud/aws-security/aws-services/aws-bedrock-enum.md)
|
||||
- [AWS - Certificate Manager (ACM) & Private Certificate Authority (PCA)](pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md)
|
||||
- [AWS - CloudFormation & Codestar Enum](pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md)
|
||||
- [AWS - CloudHSM Enum](pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md)
|
||||
|
||||
@@ -1,14 +1,17 @@
|
||||
# AWS - Bedrock Agents Memory Poisoning (Indirect Prompt Injection)
|
||||
# AWS - Bedrock Post Exploitation
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
## Overview
|
||||
|
||||
## AWS - Bedrock Agents Memory Poisoning (Indirect Prompt Injection)
|
||||
|
||||
### Overview
|
||||
|
||||
Amazon Bedrock Agents with Memory can persist summaries of past sessions and inject them into future orchestration prompts as system instructions. If untrusted tool output (for example, content fetched from external webpages, files, or third‑party APIs) is incorporated into the input of the Memory Summarization step without sanitization, an attacker can poison long‑term memory via indirect prompt injection. The poisoned memory then biases the agent’s planning across future sessions and can drive covert actions such as silent data exfiltration.
|
||||
|
||||
This is not a vulnerability in the Bedrock platform itself; it’s a class of agent risk when untrusted content flows into prompts that later become high‑priority system instructions.
|
||||
|
||||
## How Bedrock Agents Memory works (relevant pieces)
|
||||
### How Bedrock Agents Memory works
|
||||
|
||||
- When Memory is enabled, the agent summarizes each session at end‑of‑session using a Memory Summarization prompt template and stores that summary for a configurable retention (up to 365 days). In later sessions, that summary is injected into the orchestration prompt as system instructions, strongly influencing behavior.
|
||||
- The default Memory Summarization template includes blocks like:
|
||||
@@ -17,14 +20,14 @@ This is not a vulnerability in the Bedrock platform itself; it’s a class of ag
|
||||
- Guidelines require strict, well‑formed XML and topics like "user goals" and "assistant actions".
|
||||
- If a tool fetches untrusted external data and that raw content is inserted into $conversation$ (specifically the tool’s result field), the summarizer LLM may be influenced by attacker‑controlled markup and instructions.
|
||||
|
||||
## Attack surface and preconditions
|
||||
### Attack surface and preconditions
|
||||
|
||||
An agent is exposed if all are true:
|
||||
- Memory is enabled and summaries are reinjected into orchestration prompts.
|
||||
- The agent has a tool that ingests untrusted content (web browser/scraper, document loader, third‑party API, user‑generated content) and injects the raw result into the summarization prompt’s `<conversation>` block.
|
||||
- Guardrails or sanitization of delimiter‑like tokens in tool outputs are not enforced.
|
||||
|
||||
## Injection point and boundary‑escape technique
|
||||
### Injection point and boundary‑escape technique
|
||||
|
||||
- Precise injection point: the tool’s result text that is placed inside the Memory Summarization prompt’s `<conversation> ... $conversation$ ... </conversation>` block.
|
||||
- Boundary escape: a 3‑part payload uses forged XML delimiters to trick the summarizer into treating attacker content as if it were template‑level system instructions instead of conversation content.
|
||||
@@ -61,13 +64,13 @@ Notes:
|
||||
|
||||
</details>
|
||||
|
||||
## Why it persists and how it triggers
|
||||
### Why it persists and how it triggers
|
||||
|
||||
- The Memory Summarization LLM may include attacker instructions as a new topic (for example, "validation goal"). That topic is stored in the per‑user memory.
|
||||
- In later sessions, the memory content is injected into the orchestration prompt’s system‑instruction section. System instructions strongly bias planning. As a result, the agent may silently call a web‑fetching tool to exfiltrate session data (for example, by encoding fields in a query string) without surfacing this step in the user‑visible response.
|
||||
|
||||
|
||||
## Reproducing in a lab (high level)
|
||||
### Reproducing in a lab (high level)
|
||||
|
||||
- Create a Bedrock Agent with Memory enabled and a web‑reading tool/action that returns raw page text to the agent.
|
||||
- Use default orchestration and memory summarization templates.
|
||||
@@ -0,0 +1,15 @@
|
||||
# AWS - Bedrock
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
## Overview
|
||||
|
||||
Amazon Bedrock is a fully managed service that makes it easy to build and scale generative AI applications using foundation models (FMs) from leading AI startups and Amazon. Bedrock provides access to various FMs through a single API, allowing developers to choose the most suitable model for their specific use cases without managing the underlying infrastructure.
|
||||
|
||||
## Post Exploitation
|
||||
|
||||
{{#ref}}
|
||||
../../aws-post-exploitation/aws-bedrock-post-exploitation/README.md
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
Reference in New Issue
Block a user