Bedrock 'Agent God Mode'

An Amazon Bedrock agent is supposed to be a software clerk: you give it a model, a few data sources, and a list of allowed actions, and it carries out tasks inside Amazon Web Services on your behalf. Amazon’s own documentation says these agents run through service roles, which are permission bundles that let Bedrock call other services for you. (docs.aws.amazon.com) Those permission bundles are the cloud version of a building badge. If the badge opens one office, the agent can do one job; if the badge opens every floor, the agent can wander into places its owner never meant to expose. (docs.aws.amazon.com) Amazon Bedrock can create those roles automatically in the console, or teams can supply their own custom role. Amazon also warns that when a user is allowed to pass a role to Bedrock, that role must not have more permissions than intended, because the service can act with that role’s rights. (docs.aws.amazon.com) Unit 42 said on April 8, 2026 that this setup can produce what it calls “Agent God Mode” in Amazon Bedrock AgentCore. Its claim is not that Bedrock suddenly breaks encryption or jumps accounts by magic, but that broad Identity and Access Management permissions can let an agent chain together legitimate powers until it reaches data or privileges it should not have had. (unit42.paloaltonetworks.com) Amazon Bedrock AgentCore is the lower-level runtime layer behind agentic workloads, and Amazon says it supports both service roles and service-linked roles. Amazon’s documentation lists built-in AgentCore roles for network interfaces, runtime identity tokens, and private connectivity, which shows how many separate cloud controls can sit behind one “agent” button in the console. (docs.aws.amazon.com) That matters because modern agents do not just answer questions. Amazon describes Bedrock agents as systems that can invoke models, read from Amazon Simple Storage Service buckets, query knowledge bases, call Amazon Lambda functions, and collaborate with other agents when multi-agent mode is enabled. (docs.aws.amazon.com) Once an agent can touch several services, a small permission mistake stops being small. A role that can read one bucket, invoke one function, and query one knowledge base can become a bridge that moves data from one service to another, even if no human user ever had a single screen showing all of that access at once. (docs.aws.amazon.com) Amazon’s own sample policies show how easy it is to start broad: one official example grants Bedrock agent permissions on `Resource: "*"`, and the documentation says teams can narrow that later by omitting actions or specifying resources and conditions. In practice, “narrow it later” is how many cloud environments end up carrying wide permissions into production. (docs.aws.amazon.com) This is the second Bedrock warning Unit 42 published in one week. On April 7, 2026, the same team said it found a way to bypass AgentCore Code Interpreter network isolation through Domain Name System tunneling, which means the permission story is landing alongside a separate report about data leaving a supposedly fenced-off sandbox. (unit42.paloaltonetworks.com) Unit 42 had already made the same point from another angle on April 3, 2026, when it showed that multi-agent Bedrock applications create extra paths for abuse through inter-agent communication. In that earlier report, the researchers said they did not find a vulnerability in Bedrock itself, but they did show how orchestration features expand the number of places where one compromised component can influence another. (unit42.paloaltonetworks.com) The practical fix is boring and specific. Teams need to replace wildcard permissions with tightly scoped roles, limit who can pass roles into Bedrock, audit which agent can reach which bucket or function, and treat every new tool connection as a new hallway key instead of “just one more feature.” (docs.aws.amazon.com) The bigger lesson is that an artificial intelligence agent in the cloud is not one thing. It is a language model, plus a role, plus storage, plus functions, plus network paths, and if those pieces are stitched together carelessly, the agent does not need a software bug to become dangerous. (docs.aws.amazon.com)