Cross-Service Confused Deputy Prevention

Risk Level: High (not acceptable risk)

To protect your Amazon Bedrock service roles from the confused deputy problem, ensure that cross-service confused deputy prevention is implemented for the role policies. The confused deputy problem is a security issue where an entity lacking permission to perform an action manipulates a more-privileged entity into executing the action on its behalf. In AWS, this can occur through cross-service impersonation, where one service (the calling service) invokes another service (the called service). The calling service can be exploited to use its permissions to access another customer's resources, which it should not have the authority to do. To mitigate this risk, AWS provides tools to protect your data across all services with service principals that have access to your resources. AWS recommend using the "aws:SourceArn" and "aws:SourceAccount" global condition context keys in role policies to limit the permissions that Amazon Bedrock gives another service to the resource. Use "aws:SourceArn" if you want only one resource to be associated with the cross-service access. Use "aws:SourceAccount" if you want to allow any cloud resource in that AWS account to be associated with the cross-service use.

Security

Protecting AWS resources against the confused deputy problem is crucial because this security vulnerability can allow a malicious user to trick a service with higher privileges into performing unauthorized actions on their behalf, potentially leading to data breaches, unauthorized access, or resource manipulation.

AWS employs IAM service roles for various Bedrock resources, including agents, knowledge bases, prompt flows, model customization jobs, and Bedrock Studio workspaces. These roles enable Amazon Bedrock to carry out tasks for you. As an example, the Audit and Remediation steps outlined on this KB page utilize service roles associated with Amazon Bedrock agents.

Audit

To determine if the trust relationship policies configured for your Amazon Bedrock service roles protect against the confused deputy problem, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Bedrock console available at https://console.aws.amazon.com/bedrock/.

03 In the main navigation panel, under Builder tools, select Agents.

04 In the Agents section, click on the name (link) of the agent that you want to examine, available in the Name column.

05 In the Agent overview section, click on the ARN (link) of the IAM service role associated with the selected agent, listed under Permissions.

06 Select the Trust relationships tab to access the trust relationship policy configured for the selected IAM role.

07 In the Trusted entities section, ensure that the "Condition" element contains the "aws:SourceArn" and "aws:SourceAccount" condition context keys, i.e. "Condition":{"StringEquals": {"aws:SourceAccount":"\<aws-account-id\>"},"ArnLike":{"aws:SourceArn": "arn:aws:bedrock:us-east-1:\<aws-account-id\>:agent/*"}}. If the "Condition" element does not contain the "aws:SourceArn" and "aws:SourceAccount" context keys or the "Condition" element is not present in the trust policy, cross-service confused deputy prevention is not implemented for the service role associated with the selected Amazon Bedrock agent.

08 Repeat steps no. 4 - 7 for each Bedrock agent available within the current AWS region.

09 Change the AWS cloud region from the navigation bar to repeat the Audit process for other regions.

Using AWS CLI

01 Run list-agents command (OSX/Linux/UNIX) to list the identifier (ID) of each Amazon Bedrock agent available in the selected AWS cloud region:

aws bedrock-agent list-agents
  --region us-east-1
  --query 'agentSummaries[*].agentId'

02 The command output should return the requested agent identifiers (IDs):

[
	"ABCDACBDAB",
	"ABCABCABCA"
]

03 Run get-agent command (OSX/Linux/UNIX) with the ID of the Amazon Bedrock agent that you want to examine as the identifier parameter and custom output filters to describe the Amazon Resource Name (ARN) of the IAM service role attached to the selected agent:

aws bedrock-agent get-agent
  --region us-east-1
  --agent-id ABCDACBDAB
  --query 'agent.agentResourceRoleArn'

04 The command output should return the ARN of the associated IAM service role:

"arn:aws:iam::123456789012:role/service-role/tm-bedrock-service-role"

05 Run get-role command (OSX/Linux/UNIX) using the name of the Amazon Bedrock service role that you want to examine as the identifier parameter and custom output filters to describe the trust relationship policy configured for the selected IAM role:

aws iam get-role
  --role-name tm-bedrock-service-role
  --query 'Role.AssumeRolePolicyDocument'

06 The command output should return the requested trust relationship policy:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Service": "bedrock.amazonaws.com"
			},
			"Action": "sts:AssumeRole"
		}
	]
}

Identify the "Condition" element within the policy document returned by the get-role command output. Ensure that the "Condition" element contains the "aws:SourceArn" and "aws:SourceAccount" condition context keys, i.e. "Condition":{"StringEquals": {"aws:SourceAccount":"\<aws-account-id\>"},"ArnLike":{"aws:SourceArn": "arn:aws:bedrock:us-east-1:\<aws-account-id\>:agent/*"}}. If the "Condition" element does not contain the "aws:SourceArn" and "aws:SourceAccount" context keys or the "Condition" element is not present in the trust policy, cross-service confused deputy prevention is not implemented for the service role associated with the selected Amazon Bedrock agent.

07 Repeat steps no. 3 - 6 for each Amazon Bedrock agent available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the Audit process for other regions.

Remediation / Resolution

The most effective way to protect against the confused deputy problem is to use the "aws:SourceArn" condition context key with the full ARN of the Amazon Bedrock resource. If you don't know the full ARN of the Bedrock resource or if you need to specify multiple Bedrock resources, use the "aws:SourceArn" key with wildcards (i.e. *) for the unknown portions of the ARN. For example, "arn:aws:bedrock:\<aws-region\>:\<aws-account-id\>:agent/*". To update the trust relationship policies configured for your Amazon Bedrock service roles in order to implement cross-service confused deputy prevention, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Bedrock console available at https://console.aws.amazon.com/bedrock/.

03 In the main navigation panel, under Builder tools, select Agents.

04 In the Agents section, click on the name (link) of the agent that you want to configure, available in the Name column.

05 In the Agent overview section, click on the ARN (link) of the IAM service role associated with the selected agent, listed under Permissions.

06 Select the Trust relationships tab and choose Edit trust policy to edit the trust relationship policy configured for the selected IAM role.

07 Make use of the "aws:SourceArn" and "aws:SourceAccount" global condition context keys to prevent the confused deputy problem. In the Edit trust policy section, add the necessary "Condition" element with the "aws:SourceArn" and "aws:SourceAccount" keys, as shown in the example below, then choose Update policy to apply the changes. Replace \<aws-account-id\> and \<aws-region\> with your own information:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Service": "bedrock.amazonaws.com"
			},
			"Action": "sts:AssumeRole",
			"Condition": {
				"StringEquals": {
					"aws:SourceAccount": "<aws-account-id>"
				},
				"ArnLike": {
					"aws:SourceArn": "arn:aws:bedrock:<aws-region>:<aws-account-id>:agent/*"
				}
			}
		}
	]
}

08 Repeat steps no. 4 - 7 for each Bedrock agent that you want to configure, available within the current AWS region.

09 Change the AWS cloud region from the navigation bar to repeat the Remediation process for other regions.

Using AWS CLI

01 Modify the trust relationship policy associated with the service role to use the "aws:SourceArn" and "aws:SourceAccount" global condition context keys in order to prevent the confused deputy problem, as shown in the example below. Save the modified policy document to a JSON file named tm-trust-policy.json. Replace \<aws-account-id\> and \<aws-region\> with your own information:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Service": "bedrock.amazonaws.com"
			},
			"Action": "sts:AssumeRole",
			"Condition": {
				"StringEquals": {
					"aws:SourceAccount": "<aws-account-id>"
				},
				"ArnLike": {
					"aws:SourceArn": "arn:aws:bedrock:<aws-region>:<aws-account-id>:agent/*"
				}
			}
		}
	]
}

02 Run update-assume-role-policy command (OSX/Linux/UNIX) using the name of the Amazon Bedrock service role that you want to configure as the identifier parameter, to update the trust relationship policy configured for the selected IAM role with the policy defined at the previous step (i.e. tm-trust-policy.json):

aws iam update-assume-role-policy
  --role-name tm-bedrock-service-role
  --policy-document file://tm-trust-policy.json

03 Repeat steps no. 1 and 2 for each Bedrock agent that you want to configure, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.

References

AWS Command Line Interface (CLI) Documentation
list-agents
get-agent
get-role
update-assume-role-policy

Publication date Jul 24, 2024

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related Bedrock rules