AWS Silently Patches Authorization Bypass in Amazon Quick AI Agents Without Customer Notification
Key Takeaways
- Authorization bypass allowed direct API access to AI Chat Agents, circumventing explicit IAM and administrative restrictions
- AWS patched the vulnerability without customer notification or public security advisory
- Default provisioning of chat agents expanded attack surface beyond administrator intentions
Summary
Fog Security discovered a critical authorization bypass vulnerability in Amazon Quick's AI Chat Agents that allowed users to interact with AI agents despite explicit administrative restrictions. The vulnerability stemmed from missing server-side authorization checks in the Chat Agent API—while administrators could restrict access through the UI and IAM policies, the backend accepted direct API requests regardless, bypassing these controls entirely.
The vulnerability affected organizations attempting to restrict or disable AI capabilities within Amazon Quick, AWS's AI-powered business intelligence service. By default, AWS automatically provisions a system chat agent upon service activation, expanding the attack surface. While the impact was limited to intra-account bypass (no cross-tenant access observed), it effectively nullified organizations' ability to enforce shadow AI prevention policies or disable AI functionality entirely.
AWS deployed patches to all production regions by March 12, 2026—just eight days after Fog Security reported the issue on March 4th—but notably classified the vulnerability as 'none' severity and did not notify customers or publish a security advisory. This silent patching raises questions about AWS's vulnerability disclosure practices and communication policies for emerging AI services.
- Organizations lost the ability to enforce AI usage policies, shadow AI prevention, and AI capability restrictions
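The bug class described above, as an added illustration that is not Amazon Quick's code or API: an administrator disables the chat agent in the console and writes an explicit deny policy, but the vulnerable handler never consults either on the server side, so a direct API request that merely asserts "the UI allowed this" succeeds. The hardened handler re-evaluates the admin setting and the policy on every request. All names (`TenantSettings`, `CHAT_ACTION`, the handler functions) are hypothetical.

```python
"""Hypothetical model of a chat-agent API with and without server-side
authorization.  Not Amazon Quick's code; names are invented for illustration."""
from dataclasses import dataclass, field

# Hypothetical action name standing in for whatever the real service would use
CHAT_ACTION = "hypothetical:InvokeChatAgent"


@dataclass
class TenantSettings:
    # Admin-side switch as exposed in a (hypothetical) console UI
    chat_agents_enabled: bool = True
    # IAM-style statements: {"Effect": "Allow" | "Deny", "Action": "<action>" | "*"}
    policy: list = field(default_factory=list)


def policy_allows(policy, action):
    """IAM-style evaluation: an explicit Deny always wins, then an Allow,
    otherwise the request is implicitly denied."""
    matched = [s for s in policy if s["Action"] in (action, "*")]
    if any(s["Effect"] == "Deny" for s in matched):
        return False
    return any(s["Effect"] == "Allow" for s in matched)


def vulnerable_chat_handler(settings, prompt, ui_button_visible=True):
    """Flawed: the only gate is the caller's claim that the UI showed the
    agent.  A direct API call can set that claim to anything."""
    if not ui_button_visible:
        return {"status": 403}
    return {"status": 200, "reply": f"agent answered: {prompt}"}


def hardened_chat_handler(settings, prompt, ui_button_visible=True):
    """Fixed: the admin setting and the policy are checked on the server for
    every request; what the client says about the UI is ignored."""
    if not settings.chat_agents_enabled:
        return {"status": 403, "reason": "chat agents disabled by administrator"}
    if not policy_allows(settings.policy, CHAT_ACTION):
        return {"status": 403, "reason": "denied by policy"}
    return {"status": 200, "reply": f"agent answered: {prompt}"}


def demo():
    """Constructed tenant whose admin turned the agent off and added an
    explicit Deny, then hit by a direct request that asserts the UI allowed it."""
    locked = TenantSettings(chat_agents_enabled=False,
                            policy=[{"Effect": "Deny", "Action": CHAT_ACTION}])
    return (vulnerable_chat_handler(locked, "summarise Q1 revenue")["status"],
            hardened_chat_handler(locked, "summarise Q1 revenue")["status"])


if __name__ == "__main__":
    print(demo())  # (200, 403): only the hardened path honours the restriction
```

The check that matters is that a denial decided in the console or in a policy is re-derived by the backend on every call, not inferred from what the client was shown.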
Editorial Opinion
AWS's silent patching of a vulnerability that circumvents administrative controls sets a troubling precedent for enterprise AI security. Organizations deploying Amazon Quick for sensitive business intelligence work relied on IAM policies to govern AI access, only to discover those controls were theater—and AWS never told them. As AI services become embedded deeper into enterprise infrastructure, the lack of customer notification for authorization bypasses affecting sensitive data access is a significant governance gap that erodes trust in AWS's commitment to transparent security practices.