Risk
Excessive IAM Role Assumption by Cloud Agent Runtime
Description
Cloud-hosted agent runtimes assume IAM roles far broader than the task requires, enabling privilege escalation and lateral movement.
Example
A Bedrock AgentCore agent assumes an IAM role with org-wide read access to perform a single S3 read; an attacker exploiting prompt injection inherits that scope.
Assets Affected
AI Agent
Agentic Platform
AI Provider Access Credentials
Agent Identity
Mitigation
- Scope IAM roles to per-task minimum
- use ephemeral credentials
- alert on out-of-pattern role assumption
- enforce least-privilege at the platform level.
Standards Mapping
- ISO: A.4.5, A.10.2
- OWASP agentic: ASI03
- OWASP LLM: LLM06:2025
- EU AI Act: Art. 15(5)
- DASF: Agents-Core 13.3, Platform 12.4
- AIUC-1: B007, B008