
Cross-Service Confused Deputy Prevention for AgentCore


Risk Level: High (not acceptable risk)

Ensure that IAM role trust policies used by Amazon Bedrock AgentCore implement cross-service confused deputy prevention by including the aws:SourceArn and/or aws:SourceAccount global condition context keys. The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action on its behalf. In AWS, cross-service impersonation can result in the confused deputy problem when one service (the calling service) calls another service (the called service), and the calling service is manipulated into using its permissions to act on another customer's resources.

When Amazon Bedrock AgentCore assumes an IAM role to interact with other AWS services on your behalf, it acts as the service principal bedrock-agentcore.amazonaws.com. Without proper conditions in the trust policy, a malicious actor could potentially trick the AgentCore service into assuming your IAM role and performing operations on resources it should not have access to. By adding aws:SourceArn and aws:SourceAccount condition keys to the trust policy's sts:AssumeRole statement, you ensure that only AgentCore resources within your specific account and ARN scope can assume the role, preventing unauthorized cross-account or cross-resource impersonation.

The aws:SourceArn condition key restricts role assumption to a specific AgentCore resource ARN (or ARN pattern), while aws:SourceAccount ensures that only your account can trigger the role assumption via the AgentCore service. Using both keys together provides the strongest protection. If you do not know the full ARN, you may use wildcard characters — for example, arn:aws:bedrock-agentcore:us-east-1:123456789012:* — to constrain access to all AgentCore resources within your account and region.

Security

Without cross-service confused deputy prevention, IAM trust policies that allow bedrock-agentcore.amazonaws.com to assume a role without condition constraints are vulnerable to confused deputy attacks. A malicious actor could craft a scenario in which the AgentCore service is used as an intermediary to assume your IAM role and access or modify resources that the attacker cannot directly reach. This can result in unauthorized data access, privilege escalation, and potential data exfiltration from AWS services that your AgentCore execution role has permissions to access. The impact is particularly severe because AgentCore execution roles often carry broad permissions to interact with AWS services such as S3, DynamoDB, Lambda, and others.

Adding aws:SourceArn and aws:SourceAccount conditions to trust policies is a zero-cost, low-complexity security control that eliminates an entire class of cross-service privilege escalation attacks. This aligns with AWS security best practices and the principle of least privilege, ensuring that the AgentCore service can only assume your role when acting on behalf of your own resources within your own account.


Audit

To determine if IAM roles used by Amazon Bedrock AgentCore implement cross-service confused deputy prevention, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM console available at https://console.aws.amazon.com/iam/.

03 In the left navigation pane, choose Roles.

04 In the Search box, type bedrock-agentcore to filter roles associated with the AgentCore service.

05 Select a role from the results by clicking on its name (e.g., cc-agentcore-execution-role).

06 On the role details page, choose the Trust relationships tab.

07 In the Trusted entities section, review the trust policy document.

08 Check if the trust policy contains a statement where Principal.Service is bedrock-agentcore.amazonaws.com with Action: sts:AssumeRole.

09 Within that statement, check if a Condition block is present and includes both:

  • An ArnLike condition with aws:SourceArn specifying your AgentCore resource ARN(s), and
  • A StringEquals condition with aws:SourceAccount specifying your AWS account ID.

10 If the trust policy allows bedrock-agentcore.amazonaws.com to assume the role without aws:SourceArn and aws:SourceAccount conditions, the role is not protected against confused deputy attacks.

11 Repeat steps no. 5 – 10 for each IAM role associated with Amazon Bedrock AgentCore available in your account.

12 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-roles command (OSX/Linux/UNIX) to list all IAM roles in your AWS account:

aws iam list-roles \
	--query 'Roles[*].RoleName' \
	--output text

02 The command output should return a list of role names. To filter for roles with a bedrock-agentcore trust relationship, run the following command:

aws iam list-roles \
	--query 'Roles[?contains(AssumeRolePolicyDocument.Statement[].Principal.Service, `bedrock-agentcore.amazonaws.com`)].RoleName'

03 Run get-role command (OSX/Linux/UNIX) with the name of the IAM role that you want to examine as the identifier parameter to retrieve its trust policy:

aws iam get-role \
	--role-name cc-agentcore-execution-role \
	--query 'Role.AssumeRolePolicyDocument'

04 The command output should return the trust policy document. Examine the output to check for aws:SourceArn and aws:SourceAccount condition keys:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Service": "bedrock-agentcore.amazonaws.com"
			},
			"Action": "sts:AssumeRole"
		}
	]
}

If the trust policy does not include a Condition block with aws:SourceArn and aws:SourceAccount, as shown in the example above, the selected IAM role is not protected against cross-service confused deputy attacks.

05 Repeat steps no. 3 and 4 for each IAM role associated with Amazon Bedrock AgentCore in your account.

Remediation / Resolution

To implement cross-service confused deputy prevention for IAM roles used by Amazon Bedrock AgentCore, perform the following operations:

Using AWS CloudFormation

01 Use the following AWS CloudFormation template to create or update an IAM role with confused deputy prevention in JSON format:

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "IAM role for Amazon Bedrock AgentCore with confused deputy prevention",
	"Resources": {
		"AgentCoreExecutionRole": {
			"Type": "AWS::IAM::Role",
			"Properties": {
				"RoleName": "cc-agentcore-execution-role",
				"AssumeRolePolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Sid": "AssumeRolePolicy",
							"Effect": "Allow",
							"Principal": {
								"Service": "bedrock-agentcore.amazonaws.com"
							},
							"Action": "sts:AssumeRole",
							"Condition": {
								"StringEquals": {
									"aws:SourceAccount": "123456789012"
								},
								"ArnLike": {
									"aws:SourceArn": "arn:aws:bedrock-agentcore:us-east-1:123456789012:*"
								}
							}
						}
					]
				},
				"Description": "Execution role for Amazon Bedrock AgentCore with confused deputy prevention"
			}
		}
	}
}

02 Use the following AWS CloudFormation template in YAML format:

AWSTemplateFormatVersion: "2010-09-09"
Description: IAM role for Amazon Bedrock AgentCore with confused deputy prevention

Resources:
  AgentCoreExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: cc-agentcore-execution-role
      Description: Execution role for Amazon Bedrock AgentCore with confused deputy prevention
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AssumeRolePolicy
            Effect: Allow
            Principal:
              Service: bedrock-agentcore.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                aws:SourceAccount: "123456789012"
              ArnLike:
                aws:SourceArn: "arn:aws:bedrock-agentcore:us-east-1:123456789012:*"

Using Terraform (AWS Provider)

01 Use the following Terraform configuration to create an IAM role for Amazon Bedrock AgentCore with confused deputy prevention:

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 5.0"
		}
	}
	required_version = ">= 1.0.0"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

data "aws_iam_policy_document" "cc_agentcore_trust_policy" {
	statement {
		sid     = "AssumeRolePolicy"
		effect  = "Allow"

		principals {
			type        = "Service"
			identifiers = ["bedrock-agentcore.amazonaws.com"]
		}

		actions = ["sts:AssumeRole"]

		condition {
			test     = "StringEquals"
			variable = "aws:SourceAccount"
			values   = ["123456789012"]
		}

		condition {
			test     = "ArnLike"
			variable = "aws:SourceArn"
			values   = ["arn:aws:bedrock-agentcore:us-east-1:123456789012:*"]
		}
	}
}

resource "aws_iam_role" "cc_agentcore_execution_role" {
	name               = "cc-agentcore-execution-role"
	description        = "Execution role for Amazon Bedrock AgentCore with confused deputy prevention"
	assume_role_policy = data.aws_iam_policy_document.cc_agentcore_trust_policy.json
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM console available at https://console.aws.amazon.com/iam/.

03 In the left navigation pane, choose Roles.

04 Select the IAM role identified in the Audit section (e.g., cc-agentcore-execution-role) by clicking on its name.

05 On the role details page, choose the Trust relationships tab.

06 Choose Edit trust policy.

07 In the policy editor, locate the statement with "Service": "bedrock-agentcore.amazonaws.com" and "Action": "sts:AssumeRole".

08 Add a Condition block to the statement with the following structure, replacing 123456789012 with your AWS account ID and updating the aws:SourceArn to match your AgentCore resource ARN(s):

"Condition": {
	"StringEquals": {
		"aws:SourceAccount": "123456789012"
	},
	"ArnLike": {
		"aws:SourceArn": "arn:aws:bedrock-agentcore:us-east-1:123456789012:*"
	}
}

09 Choose Update policy to save the updated trust policy.

10 Verify that the trust policy now shows the condition keys in the Trusted entities section.

11 Repeat steps no. 4 – 10 for each IAM role associated with Amazon Bedrock AgentCore that is missing the condition keys.

12 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run get-role command (OSX/Linux/UNIX) to retrieve the existing trust policy for the IAM role identified in the Audit section and save it to a file for modification:

aws iam get-role \
	--role-name cc-agentcore-execution-role \
	--query 'Role.AssumeRolePolicyDocument' \
	--output json > /tmp/trust-policy.json

02 Open the /tmp/trust-policy.json file and update the trust policy to include the aws:SourceArn and aws:SourceAccount condition keys. The updated trust policy should look similar to the following (replace 123456789012 with your AWS account ID):

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AssumeRolePolicy",
			"Effect": "Allow",
			"Principal": {
				"Service": "bedrock-agentcore.amazonaws.com"
			},
			"Action": "sts:AssumeRole",
			"Condition": {
				"StringEquals": {
					"aws:SourceAccount": "123456789012"
				},
				"ArnLike": {
					"aws:SourceArn": "arn:aws:bedrock-agentcore:us-east-1:123456789012:*"
				}
			}
		}
	]
}

03 Run update-assume-role-policy command (OSX/Linux/UNIX) to apply the updated trust policy to the IAM role:

aws iam update-assume-role-policy \
	--role-name cc-agentcore-execution-role \
	--policy-document file:///tmp/trust-policy.json

04 Run get-role command (OSX/Linux/UNIX) to verify that the trust policy has been updated successfully:

aws iam get-role \
	--role-name cc-agentcore-execution-role \
	--query 'Role.AssumeRolePolicyDocument'

05 The command output should return the updated trust policy document including the Condition block with aws:SourceArn and aws:SourceAccount:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AssumeRolePolicy",
			"Effect": "Allow",
			"Principal": {
				"Service": "bedrock-agentcore.amazonaws.com"
			},
			"Action": "sts:AssumeRole",
			"Condition": {
				"StringEquals": {
					"aws:SourceAccount": "123456789012"
				},
				"ArnLike": {
					"aws:SourceArn": "arn:aws:bedrock-agentcore:us-east-1:123456789012:*"
				}
			}
		}
	]
}

06 Repeat steps no. 1 – 5 for each IAM role associated with Amazon Bedrock AgentCore that is missing the condition keys.
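The trust policy check from Audit steps 03 and 04 and the file edit from Remediation (CLI) step 02, as an added Python example that is not part of this page or of Conformity's own tooling. It works on the JSON document returned by get-role; the sample policy is constructed from the Audit example, and the account ID and ARN are the page's placeholder values. It also treats a SourceArn of "*" or one naming another account as unprotected, which the text implies but does not spell out.

```python
import json
AGENTCORE_SERVICE = "bedrock-agentcore.amazonaws.com"

# Constructed sample: the unprotected trust policy shape shown in the Audit section.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": AGENTCORE_SERVICE}, "Action": "sts:AssumeRole"}]}

def _as_list(value):
    """IAM lets Principal.Service, Action and condition values be a scalar or a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _lookup(stmt, operator, key):
    """Condition key names are case-insensitive in IAM, so normalise case before lookup."""
    cond = {op.lower(): kv for op, kv in stmt.get("Condition", {}).items()}
    keys = {k.lower(): v for k, v in cond.get(operator.lower(), {}).items()}
    return [str(v) for v in _as_list(keys.get(key.lower()))]

def agentcore_statements(policy):
    """Yield Allow statements that let the AgentCore service principal call sts:AssumeRole."""
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if (stmt.get("Effect") == "Allow" and AGENTCORE_SERVICE in services
                and actions & {"sts:assumerole", "sts:*", "*"}):
            yield stmt

def is_protected(stmt, account_id):
    """True only if aws:SourceAccount equals account_id and every aws:SourceArn names an
    AgentCore resource in that account (a bare "*" or a foreign account gives no scoping)."""
    accounts = _lookup(stmt, "StringEquals", "aws:SourceAccount")
    arns = _lookup(stmt, "ArnLike", "aws:SourceArn") + _lookup(stmt, "ArnEquals", "aws:SourceArn")
    arns_ok = bool(arns) and all(
        a.startswith("arn:aws:bedrock-agentcore:") and f":{account_id}:" in a for a in arns)
    return accounts == [account_id] and arns_ok

def audit(policy, account_id):
    """True when the policy has at least one AgentCore statement and every one is protected."""
    stmts = list(agentcore_statements(policy))
    return bool(stmts) and all(is_protected(s, account_id) for s in stmts)

def remediate(policy, account_id, source_arn):
    """Deep-copy the policy and add both condition keys to each unprotected AgentCore statement."""
    patched = json.loads(json.dumps(policy))
    for stmt in agentcore_statements(patched):
        if not is_protected(stmt, account_id):
            cond = stmt.setdefault("Condition", {})
            cond.setdefault("StringEquals", {})["aws:SourceAccount"] = account_id
            cond.setdefault("ArnLike", {})["aws:SourceArn"] = source_arn
    return patched
```

Write the dict returned by remediate to /tmp/trust-policy.json with json.dump and apply it with the update-assume-role-policy command from step 03.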

Publication date Mar 17, 2026