Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AgentCore code interpreters: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: AWS Bedrock AgentCore Code Interpreters can be invoked with IAM permissions and, when custom interpreters carry privileged execution roles, that access can be used to pivot into those roles and perform control plane actions, according to Sonrai Security. Existing cloud IAM patterns do not yet control this AI-centric privilege path cleanly, so organisational-level guardrails matter now.

NHIMG editorial — based on content published by Sonrai Security: AWS AgentCore, the overlooked privilege escalation path in Bedrock's AI tooling

By the numbers:

Questions worth separating out

Q: How should security teams govern AI tools that can act with privileged cloud roles?

A: Security teams should govern AI tools as privileged identity paths, not as harmless application components.

Q: When does an AI code interpreter become a privilege escalation risk?

A: An AI code interpreter becomes a privilege escalation risk when callers can reach it directly and the interpreter runs with permissions broader than the caller should have.

Q: What do security teams get wrong about AI tool sandboxing in cloud environments?

A: Teams often assume that sandboxing alone prevents privilege abuse, but sandboxing does not remove the interpreter’s execution role or the permissions attached to it.

Practitioner guidance

  • Inventory every callable AI tool as a privileged identity path Map Bedrock AgentCore Code Interpreters and similar agent tools to the IAM permissions that invoke them, then identify the execution roles they can act under.
  • Restrict interpreter execution roles to task-scoped permissions Remove broad control plane and data plane access from custom code interpreters unless the task explicitly requires it.
  • Enable and monitor CloudTrail data events for interpreter use Turn on logging for InvokeCodeInterpreter and review CreateCodeInterpreter activity so that unauthorized use and risky setup patterns are visible.

What's in the full article

Sonrai Security's full blog covers the operational detail this post intentionally leaves for the source:

  • The exact IAM permissions required to invoke Bedrock AgentCore Code Interpreters and how they map to the escalation path.
  • Step-by-step examples of default and custom interpreter execution roles in AWS.
  • The CloudTrail data event configuration needed to catch InvokeCodeInterpreter activity.
  • The SCP pattern Sonrai describes for denying unintended interpreter access at the organization level.

👉 Read Sonrai Security's analysis of AWS AgentCore privilege escalation →

AgentCore code interpreters: what IAM teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

AI-centric tools become part of the identity plane the moment they can invoke privileged actions. This article shows that a code interpreter is not a neutral runtime helper once IAM permissions and execution roles are involved. The control boundary shifts from the agent to the tool, which means identity governance must cover the tool surface as well as the agent runtime. The practitioner conclusion is simple: if a tool can act with role privilege, it must be governed as privileged identity infrastructure.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when a privileged AI tool is invoked outside its intended scope?

A: Accountability sits with the teams that own IAM policy, platform guardrails, and the tool’s execution role, because those controls determine whether the invocation path exists. If logging is not enabled or resource-level controls are unavailable, the governance gap becomes organizational, not just technical. Frameworks such as Zero Trust and privileged access governance should cover the tool path itself.

👉 Read our full editorial: AWS AgentCore code interpreters expose an AI role escalation path



   
ReplyQuote
Share: