schmitty
Bronze III
21 days ago
Solved

AI Agent Governance: Auditing an Over-Privileged Agent

Hi, I solved every task except 16.

I reviewed

metrolio-finance-agent-role

metrolio-finance-lambda-role

and the trust relationship.

I don't know what to do; I can't edit the trust policy either.

While reviewing the execution role in the IAM console, examine the role's configuration. Check the Trust relationships tab and review which services are permitted to assume this role.

Now consider: if Metrolio deployed additional Bedrock agents for other departments (HR, customer service, procurement), and each agent assumed this same execution role, what would happen? This means:

  • Compromising one agent's permissions exposes the permissions of all agents sharing the role.
  • AWS CloudTrail records the shared role ARN as the actor for every action – you can't determine which agent performed a specific action.
  • Non-repudiation is destroyed.

S1m0n07
18 days ago

Hello schmitty, just got a response that the task changed. You can click "Got It" and that fixes the issue.

3 Replies

  • I believe it is a bug with the lab, as it does not specify what action to perform. I raised a case with Immersive on this.

  • The lab will automatically detect when you complete this task.

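The shared-role concern in the quoted lab text can be checked offline against exported role data. The following is an added example, not code from the lab or from anyone in this thread: it flags execution roles assumed by more than one agent, and trust policies that let `bedrock.amazonaws.com` assume a role without an `aws:SourceArn` condition naming a single agent. The account ID, agent names, agent ID, region and the second role name are constructed placeholders.

```python
from collections import defaultdict

ACCT = "111122223333"  # placeholder account ID
SHARED = f"arn:aws:iam::{ACCT}:role/metrolio-finance-agent-role"
SCOPED = f"arn:aws:iam::{ACCT}:role/example-procurement-agent-role"  # hypothetical role
# Constructed inventory: which execution role each agent is configured with.
AGENT_ROLES = {"finance-agent": SHARED, "hr-agent": SHARED, "procurement-agent": SCOPED}

def trust(condition=None):
    """Build a constructed trust policy that lets Bedrock assume the role."""
    stmt = {"Effect": "Allow", "Principal": {"Service": "bedrock.amazonaws.com"},
            "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

TRUST_POLICIES = {
    SHARED: trust(),  # no condition: not tied to any one agent
    SCOPED: trust({"StringEquals": {"aws:SourceAccount": ACCT},
                   "ArnEquals": {"aws:SourceArn":
                                 f"arn:aws:bedrock:us-east-1:{ACCT}:agent/AGENTID001"}}),
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def shared_roles(agent_roles):
    """Return {role_arn: [agents]} for roles used by more than one agent."""
    by_role = defaultdict(list)
    for agent, role in agent_roles.items():
        by_role[role].append(agent)
    return {r: sorted(a) for r, a in by_role.items() if len(a) > 1}

def unscoped_bedrock_trust(policy):
    """True if an Allow statement trusts bedrock.amazonaws.com without an
    aws:SourceArn condition that names one specific agent (no wildcards)."""
    for stmt in _as_list(policy["Statement"]):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or "bedrock.amazonaws.com" not in services:
            continue
        arns = [a for keys in stmt.get("Condition", {}).values()
                for key, val in keys.items() if key.lower() == "aws:sourcearn"
                for a in _as_list(val)]
        if not arns or any("*" in a or "?" in a for a in arns):
            return True
    return False

if __name__ == "__main__":
    print("shared:", shared_roles(AGENT_ROLES))
    print("unscoped:", [r for r, p in TRUST_POLICIES.items() if unscoped_bedrock_trust(p)])
```

A role that appears in both results is the case the lab describes: several agents behind one role ARN, with nothing in the trust policy to tell them apart.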