Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™

Restrict Agent Action Group Lambda Functions

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that the AWS Lambda functions configured as action group executors for your Amazon Bedrock agents are securely configured. Amazon Bedrock agents use action groups to carry out tasks by invoking Lambda functions that contain business logic, and the executor is defined by the "actionGroupExecutor.lambda" field of the action group, which holds the Amazon Resource Name (ARN) of the Lambda function. To limit the impact of a compromised or malicious executor, each executor Lambda function should be attached to a least-privilege IAM execution role (granting only the permissions required by the action group), and should belong to the same AWS account as the Amazon Bedrock agent so that execution is not delegated to an untrusted, externally-owned function.

Security

Lambda functions serving as action group executors for Amazon Bedrock agents run with the identity and permissions of their IAM execution role. An attacker with the "bedrock:CreateAgentActionGroup" (or "bedrock:UpdateAgentActionGroup") permission can attach a malicious executor Lambda to a legitimate agent, enabling unauthorized actions such as database modifications or user creation to be carried out under the cover of a normal AI workflow. Enforcing a least-privilege execution role limits what a compromised executor can do, and verifying that the executor belongs to your own AWS account prevents an agent from silently delegating execution to an attacker-controlled function in a different account.


Audit

To determine if the AWS Lambda functions used as executors for your Amazon Bedrock Agent action groups are securely configured, perform the following operations:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Bedrock console available at https://console.aws.amazon.com/bedrock/.

  3. In the main navigation panel, under Build, select Agents Classic.

  4. In the Agents Classic section, click on the name (link) of the agent that you want to examine, available in the Name column.

  5. On the agent details page, choose Edit in Agent Builder at the top of the page.

  6. In the Agent Builder, scroll down to the Action groups section to view the action groups configured for the selected agent.

  7. Click on the name (link) of the action group that you want to examine. In the Action group invocation section, identify the Lambda function associated with the action group and note the AWS account ID in the Lambda function ARN. If the account ID in the executor Lambda ARN is different from the AWS account that owns the Amazon Bedrock agent, the executor belongs to a different AWS account, therefore the action group configuration is not compliant. Click on the Lambda function name (link) to open the function in the AWS Lambda console.

  8. In the Lambda function page, select the Configuration tab, then choose Permissions from the left navigation panel and click on the name (link) of the Execution role to open it in the IAM console. Review the IAM policies attached to the role. If the execution role has the AdministratorAccess managed policy attached, or any policy statement that grants wildcard permissions (i.e. "Action": "*" and/or "Resource": "*"), the executor Lambda function does not use a least-privilege IAM role, therefore the action group configuration is not compliant.

  9. Repeat steps no. 7 and 8 for each action group configured for the selected Amazon Bedrock agent.

  10. Repeat steps no. 4 – 9 for each Bedrock agent available within the current AWS region.

  11. Change the AWS cloud region from the navigation bar to repeat the Audit process for other regions.

Using AWS CLI

  1. Run get-caller-identity command (OSX/Linux/UNIX) to return the ID of the AWS account that owns your Amazon Bedrock agents:

    aws sts get-caller-identity
    --query 'Account'
    
  2. The command output should return the requested AWS account ID:

    "123456789012"
    
  3. Run list-agents command (OSX/Linux/UNIX) to list the identifier (ID) of each Amazon Bedrock agent available in the selected AWS cloud region:

    aws bedrock-agent list-agents
    --region us-east-1
    --query 'agentSummaries[*].agentId'
    
  4. The command output should return the requested agent identifiers (IDs):

    [
        "ABCDACBDAB",
        "ABCABCABCA"
    ]
    
  5. Run list-agent-action-groups command (OSX/Linux/UNIX) with the agent ID and the DRAFT agent version to list the action group identifiers for the selected agent. Use DRAFT to inspect the current mutable configuration. To list published (immutable) agent versions, use the list-agent-versions command:

    aws bedrock-agent list-agent-action-groups
    --region us-east-1
    --agent-id ABCDACBDAB
    --agent-version DRAFT
    --query 'actionGroupSummaries[*].actionGroupId'
    
  6. The command output should return the requested action group identifiers (IDs):

    [
        "XYXYXYXYXY"
    ]
    
  7. Run get-agent-action-group command (OSX/Linux/UNIX) with the agent ID, agent version, and action group ID to describe the action group executor configuration and extract the Lambda function ARN:

    aws bedrock-agent get-agent-action-group
    --region us-east-1
    --agent-id ABCDACBDAB
    --agent-version DRAFT
    --action-group-id XYXYXYXYXY
    --query 'agentActionGroup.actionGroupExecutor.lambda'
    
  8. The command output should return the ARN of the Lambda function used as the action group executor:

    "arn:aws:lambda:us-east-1:210987654321:function:cc-bedrock-agent-executor"
    

    If the command output returns null or the action group uses customControl instead of a Lambda function, there is no executor Lambda function to validate for this action group. Otherwise, compare the account ID segment of the returned ARN (i.e. 210987654321) with the account ID returned at step no. 2. If the two account IDs do not match, the executor Lambda function belongs to a different AWS account, therefore the action group configuration is not compliant.

  9. Run get-function-configuration command (OSX/Linux/UNIX) using the executor Lambda function ARN as the identifier parameter and custom query filters to return the ARN of the IAM execution role attached to the function:

    aws lambda get-function-configuration
    --region us-east-1
    --function-name arn:aws:lambda:us-east-1:210987654321:function:cc-bedrock-agent-executor
    --query 'Role'
    
  10. The command output should return the ARN of the Lambda execution role:

    "arn:aws:iam::210987654321:role/cc-bedrock-agent-executor-role"
    
  11. Run list-attached-role-policies command (OSX/Linux/UNIX) using the name of the execution role (i.e. the part of the role ARN that follows role/) as the identifier parameter to list the managed policies attached to the role:

    aws iam list-attached-role-policies
    --role-name cc-bedrock-agent-executor-role
    --query 'AttachedPolicies[*].PolicyArn'
    
  12. The command output should return the ARNs of the attached managed policies:

    [
        "arn:aws:iam::aws:policy/AdministratorAccess"
    ]
    

    If the execution role has the AdministratorAccess managed policy attached (as shown in the example above), the executor Lambda function does not use a least-privilege IAM role, therefore the action group configuration is not compliant.

    Note: list-attached-role-policies only returns managed policies. A role with no managed policies attached (an empty array result) can still be non-compliant if it has an inline policy that grants wildcard permissions — always continue to steps 13-14 below to check inline policies as well.

  13. Run list-role-policies command (OSX/Linux/UNIX) using the name of the execution role as the identifier parameter to list the names of any inline policies defined directly on the role:

    aws iam list-role-policies
    --role-name cc-bedrock-agent-executor-role
    --query 'PolicyNames'
    

    The command output should return an array of inline policy names (an empty array means no inline policies are defined for the role):

    [
        "cc-bedrock-agent-executor-wildcard-policy"
    ]
    
  14. Run get-role-policy command (OSX/Linux/UNIX) using the execution role name and each inline policy name returned at the previous step to retrieve the policy document:

    aws iam get-role-policy
    --role-name cc-bedrock-agent-executor-role
    --policy-name cc-bedrock-agent-executor-wildcard-policy
    --query 'PolicyDocument'
    

    The command output should return the inline policy document:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*"
            }
        ]
    }
    

    If any inline policy statement grants wildcard permissions (i.e. "Action": "*" and/or "Resource": "*"), the executor Lambda function does not use a least-privilege IAM role, therefore the action group configuration is not compliant, even if list-attached-role-policies returned an empty array.

  15. Repeat steps no. 7 – 14 for each action group configured for the selected Amazon Bedrock agent.

  16. Repeat steps no. 5 – 15 for each Amazon Bedrock agent available in the selected AWS region.

  17. Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 3 – 16 to perform the Audit process for other regions.

Remediation / Resolution

To securely configure the AWS Lambda functions used as executors for your Amazon Bedrock Agent action groups, attach a least-privilege IAM execution role and ensure the executor belongs to your own AWS account, by performing the following operations:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Open the Functions page of the Lambda console and click on the name (link) of the Lambda function used by your Bedrock Agent action group (see Audit section part I to identify the right resource).

  3. Select the Configuration tab, then choose Permissions from the left navigation panel and click on the name (link) of the Execution role to open it in the IAM console.

  4. In the IAM console, detach the AdministratorAccess managed policy (or any overly permissive policy) from the role, and attach a scoped-down policy that grants only the permissions required by the action group.

  5. Repeat steps no. 2 – 4 for each Lambda function used by your Amazon Bedrock Agent action groups within the current AWS region.

  6. Change the AWS cloud region from the navigation bar to repeat the Remediation process for other regions.

Using AWS CLI

  1. Run detach-role-policy command (OSX/Linux/UNIX) using the name of the Lambda execution role that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right resource), to remove the overly permissive managed policy (e.g. AdministratorAccess) from the role (the command does not produce an output):

    aws iam detach-role-policy
    --role-name cc-bedrock-agent-executor-role
    --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
    
  2. Run put-role-policy command (OSX/Linux/UNIX) to attach a least-privilege inline policy that grants only the permissions required by the action group (replace the example policy document with a scoped-down policy for your use case; the command does not produce an output):

    aws iam put-role-policy
    --role-name cc-bedrock-agent-executor-role
    --policy-name cc-bedrock-agent-executor-least-privilege
    --policy-document file://least-privilege-policy.json
    
  3. Repeat steps no. 1 and 2 for each Lambda function used by your Amazon Bedrock Agent action groups in the selected AWS region.

  4. Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.

References

Publication date Jul 10, 2026