Amazon-Bedrock-AgentCore-Browser
Bot User-Agent: amazon-bedrock-agentcore-browser
⚠️ Overview
Amazon-Bedrock-AgentCore-Browser is a headless browser component used by Amazon Bedrock agents to fetch and interact with web content on behalf of users, developed and maintained by Amazon Web Services (AWS). While originally a legitimate tool for AI-driven web browsing within the Bedrock service, it has been observed in the wild being spoofed or repurposed by malicious actors to conduct unauthorized scraping, crawl sensitive endpoints, or bypass access controls, leading to its classification as a confirmed malicious bot in many security environments.
🔧 Technical Capabilities
This bot operates as a headless Chromium-based browser controlled programmatically via Amazon Bedrock's agent runtime. It can execute JavaScript, fill forms, handle cookies, and navigate multi-step workflows; it makes GET and POST requests, follows redirects, and parses rendered HTML, which lets it extract data from web applications, submit login credentials, and simulate human-like browsing patterns. It supports session persistence and can interact with APIs that are exposed as web pages. Malicious actors leverage the same capabilities either by using the official Amazon Bedrock service under stolen credentials or by crafting fake User-Agent strings to impersonate the bot, evading detection while performing reconnaissance, credential stuffing, or data exfiltration. It can also be configured to ignore robots.txt directives when used maliciously; even the legitimate version honors them only under specific configurations.
📜 History & Notable Incidents
Amazon introduced the Bedrock agent feature in late 2023, with the Amazon-Bedrock-AgentCore-Browser User-Agent first documented in official AWS documentation around April 2024. Several security advisories and community reports have since highlighted the bot being used for unauthorized scraping of pricing data, healthcare portals, and financial APIs, often originating from AWS IP ranges, which makes attribution difficult. In one notable incident in early 2025, a threat actor spoofed this User-Agent to crawl a government tax portal and bypass rate limiting, exfiltrating over 10,000 records before being blocked.
🔍 Detection Indicators
The primary detection indicator is the exact User-Agent string Amazon-Bedrock-AgentCore-Browser, often accompanied by the string BedrockAgentCore in the User-Agent header. Behavioral fingerprints include extremely rapid sequential requests to pages requiring authentication, lack of standard browser headers like Accept-Language, and consistent routing through known AWS IP ranges. Traffic patterns show high request volumes to login pages, search endpoints, and API gateways with minimal inter-request delay, typically less than 100ms.
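The indicators listed above can be checked offline against an access log. The following is an added example written for this page, not code from Boteraser or AWS. It assumes a constructed pipe-delimited log format (client IP, ISO timestamp, method, path, status, User-Agent, Accept-Language or "-" when the header is absent) and uses the documentation range 203.0.113.0/24 as a stand-in for an AWS range; in production the ranges would come from AWS's published ip-ranges.json. The sample log lines are constructed, and the 100 ms threshold and sensitive-path prefixes are taken from the text above.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Indicators from the profile: UA substrings, endpoints the bot targets, inter-request gap.
UA_SIGNATURES = ("amazon-bedrock-agentcore-browser", "bedrockagentcore")
SENSITIVE_PREFIXES = ("/login", "/search", "/api/")
MAX_GAP_SECONDS = 0.100  # "minimal inter-request delay, typically less than 100ms"

# Placeholder (assumption): TEST-NET-3 stands in for a real AWS prefix.
# Load the actual list from AWS's published ip-ranges.json in production.
AWS_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample log (not real traffic). Fields:
# client_ip|iso_timestamp|method|path|status|user_agent|accept_language("-" if absent)
SAMPLE_LOG = """\
203.0.113.10|2025-01-01T10:00:00.000|GET|/login|200|Amazon-Bedrock-AgentCore-Browser|-
203.0.113.10|2025-01-01T10:00:00.040|POST|/login|401|Amazon-Bedrock-AgentCore-Browser|-
203.0.113.10|2025-01-01T10:00:00.075|POST|/login|401|Amazon-Bedrock-AgentCore-Browser|-
203.0.113.10|2025-01-01T10:00:00.130|GET|/api/accounts|403|Amazon-Bedrock-AgentCore-Browser|-
198.51.100.7|2025-01-01T10:00:01.000|GET|/|200|Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0|en-US,en;q=0.5
198.51.100.7|2025-01-01T10:00:04.500|GET|/search?q=pricing|200|Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0|en-US,en;q=0.5
198.51.100.7|2025-01-01T10:00:09.200|GET|/docs|200|Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0|en-US,en;q=0.5
"""


def parse_log(text):
    """Parse the constructed pipe-delimited format into one dict per request."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, ts, method, path, status, ua, lang = line.split("|")
        rows.append({
            "ip": ip,
            "ts": datetime.fromisoformat(ts),
            "method": method,
            "path": path,
            "status": int(status),
            "ua": ua,
            "lang": None if lang == "-" else lang,
        })
    return rows


def in_aws_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AWS_RANGES)


def analyse(rows):
    """Group requests by client IP and return {ip: sorted list of indicator names}."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)

    findings = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        hits = set()
        if any(sig in r["ua"].lower() for r in reqs for sig in UA_SIGNATURES):
            hits.add("ua_signature")
        if any(r["lang"] is None for r in reqs):
            hits.add("missing_accept_language")
        if in_aws_range(ip):
            hits.add("aws_source_range")
        if any(r["path"].startswith(SENSITIVE_PREFIXES) for r in reqs):
            hits.add("sensitive_endpoint")
        if len(reqs) >= 2:
            # Median gap between consecutive requests from this source.
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
            if statistics.median(gaps) < MAX_GAP_SECONDS:
                hits.add("rapid_sequential_requests")
        findings[ip] = sorted(hits)
    return findings


def suspicious_sources(rows, min_indicators=3):
    """Client IPs that trip at least `min_indicators` indicators at once."""
    return sorted(ip for ip, hits in analyse(rows).items() if len(hits) >= min_indicators)


if __name__ == "__main__":
    for ip, hits in analyse(parse_log(SAMPLE_LOG)).items():
        print(ip, hits)
```

Requiring several indicators together matters: the ordinary Firefox client in the sample also touches /search, so a single "sensitive endpoint" hit on its own would be noise, while the AgentCore source trips all five.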
☠️ Risk & Impact
If not blocked, this bot can scrape large volumes of proprietary or sensitive data, perform automated credential testing against login forms, and consume significant server resources leading to degraded performance or increased costs. Because it originates from AWS infrastructure, it may bypass IP-based allowlists and cause data exposure that violates compliance requirements such as GDPR or HIPAA.
🛡️ Mitigation
This bot is blocked immediately upon detection because its legitimate use cannot be reliably distinguished from malicious impersonation or abuse, and even the official version can be exploited if a Bedrock agent is misconfigured to access restricted content. Implementing a strict block on the User-Agent string, combined with rate limiting and challenge-based verification (e.g., CAPTCHAs) for any request from AWS IP ranges, is the recommended approach.
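The three controls recommended above (a strict User-Agent block, rate limiting, and a challenge for requests from AWS ranges) can be expressed as one request-time decision. The following is an added illustration written for this page, not Boteraser's or AWS's code. The `Policy` class, its `decide` method, the sliding-window limit of 5 requests per second in `simulate`, and the use of 203.0.113.0/24 as a placeholder for an AWS prefix are all assumptions made for the example; the request sequence in `simulate` is constructed.

```python
import ipaddress
from collections import defaultdict, deque

# User-Agent substrings to block outright, matched case-insensitively.
BLOCKED_UA_SUBSTRINGS = ("amazon-bedrock-agentcore-browser", "bedrockagentcore")

# Placeholder (assumption): TEST-NET-3 stands in for a real AWS prefix.
AWS_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


class Policy:
    """Per-request decision: 'block', 'challenge' or 'allow'."""

    def __init__(self, limit=20, window=10.0):
        self.limit = limit        # max requests per client within the window
        self.window = window      # sliding window length in seconds
        self._hits = defaultdict(deque)  # client ip -> recent request timestamps

    def _over_rate(self, ip, now):
        q = self._hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit

    def decide(self, ip, user_agent, now, challenge_passed=False):
        ua = (user_agent or "").lower()
        # 1. Strict User-Agent block: the profile treats any match as malicious.
        if any(s in ua for s in BLOCKED_UA_SUBSTRINGS):
            return "block"
        # 2. Rate limit every client; a spoofed browser UA does not escape it.
        if self._over_rate(ip, now):
            return "block"
        # 3. Traffic from AWS ranges must clear a challenge (e.g. CAPTCHA) first.
        if any(ipaddress.ip_address(ip) in net for net in AWS_RANGES) and not challenge_passed:
            return "challenge"
        return "allow"


def simulate():
    """Run a constructed request sequence and return the decisions in order."""
    p = Policy(limit=5, window=1.0)
    out = []
    # Normal browser from a non-AWS address.
    out.append(p.decide("198.51.100.7", "Mozilla/5.0 Firefox/120.0", now=0.0))
    # Declared AgentCore UA: blocked on the UA alone.
    out.append(p.decide("203.0.113.10", "Amazon-Bedrock-AgentCore-Browser", now=0.1))
    # Same AWS-range source hiding behind a browser UA: challenged instead.
    out.append(p.decide("203.0.113.10", "Mozilla/5.0 Chrome/120.0", now=0.2))
    # Once the challenge is passed the request is allowed.
    out.append(p.decide("203.0.113.10", "Mozilla/5.0 Chrome/120.0", now=0.3, challenge_passed=True))
    # Burst of six more requests inside one second from the normal client trips the limit.
    last = None
    for i in range(6):
        last = p.decide("198.51.100.7", "Mozilla/5.0 Firefox/120.0", now=0.5 + i * 0.05)
    out.append(last)
    return out


if __name__ == "__main__":
    print(simulate())
```

The ordering is deliberate: the User-Agent check runs first because it is the cheapest and the page treats any match as grounds for an immediate block, while the rate limit is applied before the range check so that a source inside an AWS prefix cannot use repeated challenge attempts to generate load.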
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.