Your Bedrock stack has an attack surface. Most scanners can't see it.
A Bedrock deployment is more than a model call. It is agents with action groups, executor Lambdas with IAM roles, knowledge bases fed from S3 buckets, guardrails, invocation logs, and cross-region inference profiles — each one an ordinary AWS object that can be misconfigured in a very AI-specific way. This page maps that surface hop by hop, with the read-only check that audits each link.
Updated 2026-07-13 · ~6 minute read
The Bedrock attack surface, mapped
Three chains cover most of what can go wrong: the agent chain (what a hijacked agent could do), the RAG chain (who can read or poison the corpus), and the data-plane chain (where prompts travel and who could read the trail). Every hop below is a configuration object CloudArq reads; every tag is a real check in the registry.
Every hop is read from configuration APIs — agent definitions, bucket policies, IAM policy documents. Read-only; CloudArq never invokes an agent or a model.
The surfaces Bedrock teams also own
Most Bedrock teams run more AI than Bedrock. The same audit covers the two neighbors that most often carry the same class of risk.
Self-hosted model servers
A GPU or accelerator EC2 instance whose security group opens a known model-server port — Ollama 11434, Ray 8265, vLLM 8000 — to 0.0.0.0/0. CloudArq reads instance and security-group configuration only and never probes the port, so the finding is a labeled hypothesis about what the configuration would allow, never a confirmed running service.
exposed_self_hosted_inference_endpointSageMaker capture sinks
A SageMaker endpoint capturing live inference inputs and outputs to an S3 bucket that is configured public — the capture stream would be world-readable. The audit reads endpoint and bucket configuration only; the captured data itself is never read.
sagemaker_data_capture_pii_sinkThe surface has a cost-and-abuse side too: the credential-abuse pattern known as LLMjacking — someone else's inference billed to your account — and the quieter burn of Provisioned Throughput left running with no commitment term. The same read-only audit covers the configuration side of both; read the dedicated pages on LLMjacking and the full AI Workload lens.
What CloudArq reads — and what it refuses to guess
Frequently asked
- 01Is the Bedrock audit read-only?
- Yes. CloudArq connects through a read-only IAM role secured with an ExternalId and calls configuration APIs only. It never invokes your models or agents, never changes a setting, and remediation is a guided fix you run yourself — never auto-fix.
- 02Can CloudArq see our prompts or documents?
- No. The audit never reads S3 object contents, so it cannot see knowledge-base documents, invocation logs, or captured inference data. It flags a bucket that is configured public or cross-account readable — a statement about the configuration, never about the data inside.
- 03What happens when the audit role lacks a permission?
- The affected check reports an honest partial that names the missing permission instead of guessing. CloudArq never marks a resource clean that it could not read, and never invents a finding it cannot prove from the API response.
- 04Does this replace Bedrock Guardrails?
- No — they solve different problems. Guardrails filter model inputs and outputs at runtime; CloudArq audits the configuration around the model, including whether a guardrail is missing content or PII filters. Run both.
- 05Which Bedrock risks does a generic CSPM miss?
- The ones that only appear when Bedrock resources are connected to the AWS objects behind them: an action group whose requireConfirmation is off, the IAM reach of an agent executor role, a knowledge-base data-source bucket writable by outsiders, an invocation-log sink configured public, an EU workload on a US inference profile. A bucket-level check alone does not know that bucket feeds a RAG corpus or holds your prompt logs.