The Executive Summary notes that the AgentCore starter toolkit’s default deployment creates IAM roles that grant permissions broadly across the AWS account rather than scoped to individual resources, enabling an attack flow we term Agent God Mode. The multi-stage chain shows how a compromised agent could exfiltrate proprietary ECR images, access other agents’ memories, invoke every code interpreter and extract sensitive data.
The analysis explains that Code Interpreter actions run under separate interpreter roles, allowing a potential pivot within the environment, and that the ECR policy can let an agent download images from any repository, creating a high-risk exfiltration vector. The env-output[.]txt within downloaded images reveals the target MemoryID BEDROCK_AGENTCORE_MEMORY_ID=ori_agent_01_mem-AsDiQiDikR, which helps bypass memory barriers for cross-agent data access.
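To audit an agent role for the account-wide scoping described above, the following added example (not code from the article or from AWS) flags Allow statements that grant ECR or AgentCore actions on `*` or on a bare-wildcard ARN. The sample policy, account ID, region and resource ARNs are constructed for illustration; the check ignores `NotAction`/`NotResource` and partial wildcards.

```python
# Added example: flags Allow statements granting ECR or AgentCore actions
# account-wide. The policy below is constructed, not the toolkit's own.
WATCHED = ("ecr:", "bedrock-agentcore:")       # services named on this page
WILDCARD_ONLY = {"ecr:getauthorizationtoken"}  # only accepts Resource "*"

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_account_wide(resource):
    """True for "*" or an ARN whose resource name is a bare wildcard."""
    parts = resource.split(":", 5)
    return resource == "*" or (
        len(parts) == 6 and parts[5].split("/", 1)[-1] == "*")

def find_broad_statements(policy):
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a for a in as_list(stmt.get("Action", []))
                   if (a == "*" or a.lower().startswith(WATCHED))
                   and a.lower() not in WILDCARD_ONLY]
        broad = [r for r in as_list(stmt.get("Resource", []))
                 if is_account_wide(r)]
        if actions and broad:
            findings.append({"sid": stmt.get("Sid", f"#{i}"),
                             "actions": actions, "resources": broad})
    return findings

ACCT = "us-east-1:111122223333"  # constructed region and account id
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EcrAuth", "Effect": "Allow",
     "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    {"Sid": "EcrPullAll", "Effect": "Allow",
     "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
     "Resource": f"arn:aws:ecr:{ACCT}:repository/*"},
    {"Sid": "MemoryAll", "Effect": "Allow",
     "Action": "bedrock-agentcore:RetrieveMemoryRecords",
     "Resource": f"arn:aws:bedrock-agentcore:{ACCT}:memory/*"},
    {"Sid": "MemoryScoped", "Effect": "Allow",
     "Action": "bedrock-agentcore:RetrieveMemoryRecords",
     "Resource": f"arn:aws:bedrock-agentcore:{ACCT}:memory/EXAMPLE_MEMORY_ID"},
    {"Sid": "InterpreterAll", "Effect": "Allow",
     "Action": "bedrock-agentcore:InvokeCodeInterpreter", "Resource": "*"},
]}

if __name__ == "__main__":
    for f in find_broad_statements(SAMPLE_POLICY):
        print(f["sid"], f["actions"], "->", f["resources"])
```

Statements that survive the check are either scoped to a named resource or use an action that only accepts `*`.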
Following disclosure, AWS documentation was updated to warn that the default roles are designed for development and testing and are not recommended for production deployment, according to the AWS Security team. The article also includes a disclosure timeline: 17 November 2025, 18 November 2025, 14 December 2025 and 28 January 2026.