LIVE FEED
FIRST LOOK First Look: Delphi Powers Kē App's AI Celebrity Clone for Wellness Coaching // FIRST LOOK First Look: AWS SageMaker Ships 100+ Detailed Inference Metrics with CloudWatch Insights … // FIRST LOOK First Look: AWS Launches Amazon Bedrock AgentCore Harness for Production-Grade Agents // HIGH AutoJack Exploit Chain Achieves RCE via AI Agent Browsing Local MCP Socket // HIGH Orphaned AI Agents Retain Privileged Access After Employee Departures // FIRST LOOK First Look: Anthropic Mythos 5 Export Block Exposes AI Supply Chain Dependency Risk // FIRST LOOK First Look: AWS Launches Amazon Quick Autonomous Agents with Continuous Background … // FIRST LOOK First Look: Midjourney Medical Launches AI-Powered Full-Body Ultrasound Scanner Hardware // FIRST LOOK First Look: Odyssey Launches Physical World Model Platform Backed by Amazon at $1.45B … // FIRST LOOK First Look: OpenAI Tests ChatGPT for Science Subscription with Verified Institutional … //
FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching First Look Agentic AI LLM Security Prompt Injection Supply Chain RELEVANCE ▲ 8.2

First Look: AWS Launches Amazon Bedrock AgentCore Harness for Production-Grade Agents

SOURCE AWS Machine Learning Blog ↗
ATTACK SURFACE BRIEF HIGH ↗ RAPID
  • What shipped: AWS makes AgentCore Harness generally available, enabling production agents via two API calls with built-in shell, memory, browser, and tool access.
  • Who's now exposed: Organisations deploying or exposed to AgentCore-powered agents, particularly those connecting agents to internal tools, AWS resources, or external web content.
  • Assess now: Audit IAM roles attached to AgentCore harness deployments for least-privilege and scope creep before production rollout · Treat all browser-accessible URLs and MCP-connected tool outputs as untrusted; implement prompt injection detection at the gateway layer · Review the AWS-curated skill catalog entries in use and establish a vetting process before adding new skills to production harnesses
First Look: AWS Launches Amazon Bedrock AgentCore Harness for Production-Grade Agents

Capability Overview

Amazon Bedrock AgentCore Harness reached general availability on 18 June 2026, collapsing the multi-week infrastructure work of production agent deployment into two API calls: CreateHarness and InvokeHarness. The service bundles every major agent primitive — sandboxed compute with a real filesystem and shell, persistent cross-session memory, a tool gateway supporting MCP and custom integrations, a managed web browser, an identity layer, and CloudWatch-backed observability — into a single managed abstraction.

For defenders, the key signal is not what AWS built, but what this makes trivially easy for developers who previously lacked the infrastructure expertise to deploy agents safely. The compression of deployment complexity is real; so is the compression of the security review window.

Attack Surface Analysis

Browser-enabled prompt injection is the most immediately exploitable vector. Agents with web browsing capability will routinely fetch attacker-controlled content. A single malicious page containing adversarial instructions in visible or hidden text can redirect the agent’s actions, exfiltrate memory contents, or cause it to invoke tools on behalf of an attacker. This is not theoretical — it is the dominant attack pattern against every browser-capable agent deployed to date.

Cross-session memory poisoning is a slower but higher-impact vector. The harness persists memory across sessions by design. An attacker who can influence a single agent interaction — through a phishing-crafted input, a poisoned tool response, or a malicious file — can plant instructions that surface in future sessions, potentially for different users if memory is shared at the harness level rather than the user level.

Skill catalog supply chain risk mirrors the npm/PyPI threat model. The AWS-curated catalog is a centralised dependency layer. A compromised or maliciously submitted skill propagates silently to every harness pointing at it, with no diff review unless teams have explicitly locked skill versions.

Mid-session model switching introduces a novel vector: an attacker with write access to InvokeHarness parameters can redirect reasoning to a less-aligned or attacker-controlled model endpoint without terminating the session, preserving accumulated context while substituting the reasoning engine.

IAM over-provisioning is the ambient risk. The harness identity primitive will, in practice, inherit whatever role a developer assigns during setup. Agents with shell access and over-broad IAM roles become a lateral movement path into the broader AWS environment.

Framework Mapping

  • AML.T0051 (LLM Prompt Injection) and LLM01: Browser and MCP tool outputs are direct injection surfaces.
  • AML.T0010 (ML Supply Chain Compromise) and LLM05: The skill catalog and MCP server dependencies are untrusted third-party inputs.
  • AML.T0057 (LLM Data Leakage) and LLM06: Persistent memory and CloudWatch traces may contain PII or confidential intermediate reasoning.
  • LLM08 (Excessive Agency): The harness’s shell and filesystem access, combined with rapid deployment, is a textbook excessive agency scenario.
  • AML.T0012 (Valid Accounts): Compromised AWS credentials can invoke harnesses at scale, consuming resources or exfiltrating agent outputs.

Threat Scenarios

Scenario 1 — Indirect Prompt Injection via Web Research Task: A user asks a customer-facing AgentCore agent to research a competitor. The agent browses an attacker-seeded page containing hidden instructions to exfiltrate the current session’s memory contents to an external endpoint via a tool call.

Scenario 2 — Persistent Memory Backdoor: A red-teamer crafts an input that causes the agent to write a persistent “instruction” into long-term memory under a plausible key. All subsequent sessions for that user — or harness-wide if memory scoping is misconfigured — execute the backdoored instruction silently.

Scenario 3 — Skill Catalog Sideloading: An attacker publishes a skill to the AWS marketplace that mimics a legitimate data-processing tool. Organisations that pull skills without version-locking receive the malicious variant on next deployment, granting the skill shell-level access within the sandbox.

Defender Checklist

  • Enforce least-privilege IAM roles on every harness; treat the agent identity as a service account, not a developer account
  • Block or proxy all outbound browser requests; apply content inspection to web-fetched content before it enters the agent context
  • Isolate memory at the user level, not the harness level; audit memory scoping configuration in CreateHarness definitions
  • Pin skill catalog versions; establish an internal review gate before approving new skills for production harnesses
  • Apply prompt injection detection middleware at the gateway layer for all tool inputs and outputs
  • Restrict InvokeHarness model-override parameters via IAM condition keys to prevent unauthorised model substitution
  • Treat CloudWatch agent traces as sensitive data; apply appropriate access controls and retention policies
  • Require security review sign-off before any harness moves from prototype to production, regardless of deployment speed

References

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.