When an Attacker Meets a Group of Agents: Navigating Amazon Bedrock's Multi-Agent Applications
Summary
This research examines how attackers could exploit Amazon Bedrock's multi-agent systems (groups of specialized AI agents working together) through prompt injection (tricking an AI by hiding malicious instructions in user input), potentially discovering agent instructions and executing unauthorized tool actions. The study found no vulnerabilities in Bedrock itself, but highlighted a broader LLM challenge: these systems cannot reliably distinguish between legitimate developer instructions and adversarial user input. The research was conducted ethically on owned systems in collaboration with Amazon's security team.
Solution / Mitigation
Enabling Bedrock's built-in prompt attack Guardrail stopped the demonstrated attacks. Additionally, Amazon confirmed that Bedrock's pre-processing stages and Guardrails effectively block these attacks when properly configured.
Classification
Affected Vendors
Related Issues
Original source: https://unit42.paloaltonetworks.com/amazon-bedrock-multiagent-applications/
First tracked: April 3, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 92%