
AgentCore code interpreters: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: AWS Bedrock AgentCore Code Interpreters can be invoked with IAM permissions and, when custom interpreters carry privileged execution roles, that access can be used to pivot into those roles and perform control plane actions, according to Sonrai Security. Existing cloud IAM patterns do not yet control this AI-centric privilege path cleanly, so organisational-level guardrails matter now.

NHIMG editorial — based on content published by Sonrai Security: "AWS AgentCore, the overlooked privilege escalation path in Bedrock's AI tooling"

Questions worth separating out

Q: How should security teams govern AI tools that can act with privileged cloud roles?

A: Security teams should govern AI tools as privileged identity paths, not as harmless application components.

Q: When does an AI code interpreter become a privilege escalation risk?

A: An AI code interpreter becomes a privilege escalation risk when callers can reach it directly and the interpreter runs with permissions broader than the caller should have.

Q: What do security teams get wrong about AI tool sandboxing in cloud environments?

A: Teams often assume that sandboxing alone prevents privilege abuse, but sandboxing does not remove the interpreter’s execution role or the permissions attached to it.

Practitioner guidance

  • Inventory every callable AI tool as a privileged identity path: map Bedrock AgentCore Code Interpreters and similar agent tools to the IAM permissions that invoke them, then identify the execution roles they can act under.
  • Restrict interpreter execution roles to task-scoped permissions: remove broad control plane and data plane access from custom code interpreters unless the task explicitly requires it.
  • Enable and monitor CloudTrail data events for interpreter use: turn on logging for InvokeCodeInterpreter and review CreateCodeInterpreter activity so that unauthorized use and risky setup patterns are visible.
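The two review checks above (direct invocation by an unexpected principal, and a custom interpreter created with an over-privileged execution role) as an added example run over constructed CloudTrail-style records; this is illustration code, not Sonrai's or AWS's. The principal allow-list, the privileged-role watchlist, the account id and the requestParameters field names (codeInterpreterIdentifier, executionRoleArn) are assumptions to be confirmed against your own trail.

```python
import json

# Constructed CloudTrail-style records for illustration (not captured logs).
# The requestParameters field names (codeInterpreterIdentifier, executionRoleArn)
# are assumptions; confirm them against your own trail before relying on them.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventName": "InvokeCodeInterpreter",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/agent-runtime"},
     "requestParameters": {"codeInterpreterIdentifier": "aws.codeinterpreter.v1"}},
    {"eventName": "InvokeCodeInterpreter",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-bob"},
     "requestParameters": {"codeInterpreterIdentifier": "custom-ci-prod"}},
    {"eventName": "CreateCodeInterpreter",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-bob"},
     "requestParameters": {"name": "custom-ci-prod",
                           "executionRoleArn": "arn:aws:iam::111122223333:role/AdminAccess"}},
    {"eventName": "CreateCodeInterpreter",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/platform-ci"},
     "requestParameters": {"name": "ci-scoped",
                           "executionRoleArn": "arn:aws:iam::111122223333:role/ci-task-scoped"}},
]})

# Hypothetical allow-list of principals expected to invoke interpreters, and
# the execution roles considered too broad for a code interpreter to act under.
APPROVED_INVOKERS = {"arn:aws:iam::111122223333:role/agent-runtime"}
PRIVILEGED_ROLES = {"arn:aws:iam::111122223333:role/AdminAccess"}

def load_records(trail_json):
    """Parse a CloudTrail log file body and return its Records list."""
    return json.loads(trail_json).get("Records", [])

def review_events(records, approved_invokers=APPROVED_INVOKERS,
                  privileged_roles=PRIVILEGED_ROLES):
    """Return (finding, actor, detail) tuples for the two risky patterns."""
    findings = []
    for rec in records:
        actor = rec.get("userIdentity", {}).get("arn", "<unknown>")
        params = rec.get("requestParameters") or {}
        if rec.get("eventName") == "InvokeCodeInterpreter":
            # Direct invocation by a principal outside the expected agent runtime.
            if actor not in approved_invokers:
                findings.append(("unapproved-invoke", actor,
                                 params.get("codeInterpreterIdentifier")))
        elif rec.get("eventName") == "CreateCodeInterpreter":
            # A new custom interpreter bound to an over-privileged execution role.
            role = params.get("executionRoleArn")
            if role in privileged_roles:
                findings.append(("privileged-execution-role", actor, role))
    return findings
```

On the constructed sample this flags the developer's direct invocation of the custom interpreter and the creation of that interpreter with the admin-level execution role, while the agent runtime's invocation and the task-scoped interpreter pass.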

What's in the full article

Sonrai Security's full blog covers the operational detail this post intentionally leaves for the source:

  • The exact IAM permissions required to invoke Bedrock AgentCore Code Interpreters and how they map to the escalation path.
  • Step-by-step examples of default and custom interpreter execution roles in AWS.
  • The CloudTrail data event configuration needed to catch InvokeCodeInterpreter activity.
  • The SCP pattern Sonrai describes for denying unintended interpreter access at the organization level.

👉 Read Sonrai Security's analysis of AWS AgentCore privilege escalation →
