Amazon Bedrock Agents — agentic threat model
Amazon Bedrock Agents presents a high-impact agentic risk profile due to its deep integration with AWS services, multi-agent collaboration, and dynamic tool/API execution capabilities, though this is partially offset by built-in AWS security controls and Bedrock Guardrails.
OWASP AIVSS score rationale
| Autonomy of Action | 0.80 | |
| Goal-Driven Planning | 0.80 | |
| Self-Modification | 0.20 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.70 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.50 | |
| Multi-Agent Interactions | 0.90 | |
| Non-Determinism | 0.70 | |
| Opacity & Reflexivity | 0.60 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Uses foundation models (FMs) for reasoning and interpreting user inputs. Vulnerable to prompt injection, adversarial inputs, and model alignment issues that could hijack agent intent.
Orchestrates interactions with various data sources. Vulnerable to data exfiltration, knowledge-base poisoning, and unauthorized access to connected enterprise databases.
Handles task orchestration, memory retention, and tool calling via APIs. Vulnerable to tool misuse, insecure API integrations, and memory poisoning that persists across sessions.
Hosted on fully managed AWS infrastructure. While AWS provides robust sandboxing and hosting security, misconfigurations in IAM or deployment boundaries could lead to privilege escalation.
Features built-in security through Amazon Bedrock Guardrails. Vulnerable to guardrail bypasses, evasion techniques, and potential logging/observability blind spots in complex multi-step tasks.
Leverages AWS security, identity, and compliance frameworks. Vulnerable to misconfigured IAM policies, insufficient auditing, and compliance drift within enterprise environments.
Supports multi-agent collaboration. Vulnerable to agent-to-agent trust abuse, cascading failures across collaborating agents, and rogue agent behavior in decentralized workflows.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).