DNS Exfiltration Vulnerability in AWS Bedrock AgentCore: When the "Sandbox" Isn't Truly Isolated
- Mar 19
In the world of Generative AI (GenAI) applications, ensuring a secure code execution environment is a top priority. However, a recent discovery regarding the AWS Bedrock AgentCore Code Interpreter has raised alarms about the effectiveness of "Sandbox" mechanisms. This vulnerability is not merely a technical glitch but a demonstration of how traditional network barriers can be subtly bypassed to leak sensitive data.
Overview of AWS Bedrock AgentCore Code Interpreter
AWS Bedrock AgentCore Code Interpreter is a managed service that acts as the execution "brain" for AI agents. It allows chatbots or AI applications to run Python, JavaScript, and shell scripts to process complex data based on user requests, similar to the Code Interpreter feature in ChatGPT.
To ensure security, AWS offers three network configuration modes: Public, VPC, and Sandbox. Among these, the Sandbox mode is marketed as the most secure option, promising "complete isolation with no outbound access." However, research from BeyondTrust Phantom Labs has identified a critical vulnerability within this very promise.

Analysis of the Vulnerability in AWS Bedrock AgentCore Code Interpreter
The core vulnerability lies in the gap between the Sandbox's documented network isolation and its actual behavior. While the Sandbox is configured to block all standard internet traffic (HTTP/HTTPS), the configuration overlooked the Domain Name System (DNS) protocol.
Researchers at BeyondTrust discovered that DNS A and AAAA record queries can still freely exit the Sandbox environment. This means that even if the code execution environment is locked down regarding direct data connections, it maintains a "loophole" to communicate with the outside world via DNS resolvers. This serves as the starting point for a large-scale data exfiltration attack.

DNS Command and Control (C2) Channel Mechanism
To demonstrate the severity, experts built a complete two-way Command and Control (C2) protocol operating entirely over DNS. This method turns standard DNS queries and responses into carriers for Base64-encoded data.
Specifically, the attack process occurs in two directions:
Inbound (Receiving Commands): Attackers send commands to the interpreter inside the Sandbox via DNS A record responses. These commands are Base64 encoded and embedded within the octets of the IP addresses in the DNS response. The interpreter reads these octets, decodes them, and executes shell commands.
Outbound (Sending Data): The execution results are Base64 encoded by the interpreter and appended to subdomains in DNS queries (e.g., [data-chunk].attacker.com). A Name Server controlled by the attacker on EC2 collects these queries and reassembles them into complete data.

The result is a fully interactive Reverse Shell. This allows attackers to perform Remote Code Execution (RCE) within an environment previously deemed "completely isolated."
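Because the outbound half of this channel has to pass through a DNS resolver, the resolver's query logs are where a defender can see it. The following is an added example of that detection logic, written for this article and not part of the researchers' work or any AWS tooling. It runs over a constructed set of JSON-lines query records that loosely follow the field names of Route 53 Resolver query logs (query_name, query_type, srcaddr); the thresholds and the attacker domain example-attacker.test are assumptions chosen for the sample. It flags the three traits the article describes: long subdomain labels, high-entropy (Base64-looking) labels, and many distinct subdomains for one domain from one source.

```python
"""Heuristic detection of DNS exfiltration in DNS query logs (added example)."""
import json
import math
from collections import defaultdict

# Constructed sample log (not real traffic). Three queries carry Base64-style
# chunks as subdomains of an assumed attacker domain; the rest are ordinary lookups.
SAMPLE_LOG = "\n".join([
    json.dumps({"query_name": "api.github.com.", "query_type": "A", "srcaddr": "10.0.1.10"}),
    json.dumps({"query_name": "pypi.org.", "query_type": "AAAA", "srcaddr": "10.0.1.10"}),
    json.dumps({"query_name": "aGVsbG8gd29ybGQgdGhpcyBpcyBjaHVuayAx.c2.example-attacker.test.",
                "query_type": "A", "srcaddr": "10.0.1.25"}),
    json.dumps({"query_name": "dGhpcyBpcyBjaHVuayB0d28gb2YgdGhlIGRhdGE.c2.example-attacker.test.",
                "query_type": "A", "srcaddr": "10.0.1.25"}),
    json.dumps({"query_name": "YW5kIGNodW5rIHRocmVlIG9mIHRoZSBzZWNyZXQ.c2.example-attacker.test.",
                "query_type": "A", "srcaddr": "10.0.1.25"}),
    json.dumps({"query_name": "sts.us-east-1.amazonaws.com.", "query_type": "A", "srcaddr": "10.0.1.10"}),
])


def shannon_entropy(text):
    """Bits per character; Base64 payloads score far above hostnames like 'api'."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive registrable domain (last two labels). Production code should use a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_query(qname):
    """Length and entropy of the subdomain part (everything left of the registered domain)."""
    labels = qname.rstrip(".").split(".")
    sub_labels = labels[:-2]
    payload = "".join(sub_labels)
    return {
        "payload": payload,
        "longest_label": max((len(l) for l in sub_labels), default=0),
        "entropy": round(shannon_entropy(payload), 2),
    }


def parse_log(log_text):
    """Parse JSON-lines records, skipping blank or malformed lines."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def detect_exfil(log_text, max_label=30, min_entropy=3.8, min_unique=3):
    """Return per-query hits and (source, domain, count) tuples for bulk unique-subdomain activity.

    Thresholds are assumptions for this sample; tune them against your own baseline.
    """
    suspicious = []
    unique_subs = defaultdict(set)  # (srcaddr, domain) -> distinct subdomain payloads
    for rec in parse_log(log_text):
        if rec.get("query_type") not in ("A", "AAAA"):  # the record types the Sandbox lets out
            continue
        qname = rec.get("query_name", "")
        s = score_query(qname)
        unique_subs[(rec.get("srcaddr"), registered_domain(qname))].add(s["payload"])
        if s["longest_label"] >= max_label or s["entropy"] >= min_entropy:
            suspicious.append({"query_name": qname, **s})
    bulk = [(src, dom, len(subs)) for (src, dom), subs in unique_subs.items() if len(subs) >= min_unique]
    return {"suspicious_queries": suspicious, "bulk_sources": bulk}


if __name__ == "__main__":
    print(json.dumps(detect_exfil(SAMPLE_LOG), indent=2))
```

The volume check matters as much as the per-query one: a single odd-looking name is noise, but one source producing a stream of never-repeating subdomains under one domain is the signature of chunked exfiltration, whatever encoding is used.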
IAM Permission Implications and Data Exfiltration Risks
The threat does not stop at hijacking the interpreter. The real danger lies in the IAM (Identity and Access Management) permissions granted to the service. By default, the Code Interpreter operates with a specific IAM role, which in many cases is configured with overly broad permissions.
Through the DNS shell, researchers demonstrated the ability to use the AWS CLI to:
List and retrieve data from S3 buckets.
Gain comprehensive access to data tables in DynamoDB.
Read sensitive secrets (API keys, passwords) from Secrets Manager.
This violation of the Least Privilege principle means that customers' Personally Identifiable Information (PII), financial records, and system credentials can be stolen silently without leaving obvious traces on conventional network traffic monitoring systems.
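The damage in this scenario is bounded by the execution role, so the practical control is to audit that role's policy for the broad grants the article lists. The following is an added example of such an audit, written for this article; it is not AWS tooling or the researchers' code, and the two policy documents are constructed illustrations (the bucket and log-group ARNs are placeholders). It flags wildcard actions and sensitive-service actions granted on Resource "*", which is exactly how an interpreter role ends up able to read every bucket, table and secret in the account.

```python
"""Least-privilege audit of an IAM execution-role policy (added example)."""

# Services whose actions should never be granted on Resource "*" for a code-execution role.
# This list is an assumption for the example, not an AWS definition.
SENSITIVE_PREFIXES = ("s3:", "dynamodb:", "secretsmanager:", "iam:", "sts:", "kms:")

# Constructed "before" policy: the over-broad grants the article describes.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "*"},
    ],
}

# Constructed "after" policy: specific actions on specific, placeholder ARNs.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-agent-inputs/*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/example-agent:*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement_index, action, reason) findings for over-broad Allow statements."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            # Negated forms grant everything except the listed items; treat as a finding outright.
            findings.append((idx, "NotAction/NotResource", "negated grant is effectively a wildcard"))
            continue
        resources = _as_list(stmt.get("Resource"))
        wildcard_resource = "*" in resources
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((idx, action, "wildcard action"))
            elif wildcard_resource and action.startswith(SENSITIVE_PREFIXES):
                findings.append((idx, action, "sensitive action granted on Resource *"))
    return findings


def is_least_privilege(policy):
    """True when the audit produces no findings."""
    return not audit_policy(policy)


if __name__ == "__main__":
    for name, pol in (("BROAD_POLICY", BROAD_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        print(name, "->", audit_policy(pol) or "no findings")
```

The check is deliberately conservative: a prefix-wide action on a specific ARN is not flagged, but any sensitive action on "*" is, since that is the pattern that turns a hijacked interpreter into account-wide data access.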
AWS Response and Notable Developments
The vulnerability was reported through the Bug Bounty program (HackerOne) in September 2025. It was initially rated as high severity (CVSS 8.1), but AWS's handling of the issue has sparked debate within the security community.
After a failed patching attempt in November 2025, AWS announced in late December that it would not release a permanent fix for Sandbox mode. Instead, they updated their documentation to clarify that the Sandbox still allows DNS resolution and recommended that users switch to VPC mode for true isolation. The decision to award a $100 gift card to the researcher was also seen as a modest response given the potential impact of the vulnerability.
The Expanding AI Attack Surface
This vulnerability does not exist in isolation; it intersects with new attack vectors in the AI era. Attackers do not necessarily need direct access to exploit this DNS C2 channel; they can leverage techniques such as:
Prompt Injection: Manipulating the chatbot to automatically execute code containing data exfiltration commands.
Supply Chain Attacks: Exploiting vulnerabilities in over 270 third-party libraries (such as pandas, numpy) used by the Code Interpreter.
AI Code Manipulation: Taking advantage of AI-generated Python code that contains hidden malicious snippets.

Furthermore, previous research regarding information leakage via the Metadata Service indicates that AgentCore's security architecture has systemic weaknesses in its sandbox design.
This incident serves as a valuable lesson for enterprises deploying AI solutions: Do not place implicit trust in default "Sandbox" labels. To protect sensitive data, configuring VPC mode and strictly applying the principle of Least Privilege to IAM roles are indispensable steps.