Full Report
Cybersecurity researchers have disclosed details of a new method for exfiltrating sensitive data from artificial intelligence (AI) code execution environments using domain name system (DNS) queries. In a report published Monday, BeyondTrust revealed that Amazon Bedrock AgentCore Code Interpreter's sandbox mode permits outbound DNS queries that an attacker can exploit to enable interactive shells
Analysis Summary
# Vulnerability: Amazon Bedrock AgentCore DNS Exfiltration and Sandbox Breakout
## CVE Details
- **CVE ID:** None assigned (Determined by vendor to be intended functionality)
- **CVSS Score:** 7.5 (High)
- **CWE:** CWE-941 (Exploitation of Unexpected Information Transfer Stack) / CWE-1336 (Improper Restriction of Exposure to Sandbox)
## Affected Systems
- **Products:** Amazon Bedrock AgentCore Code Interpreter
- **Versions:** All versions using "Sandbox Mode" (Service launched August 2025)
- **Configurations:** Environments using the default managed sandbox mode rather than VPC mode.
## Vulnerability Description
The Amazon Bedrock AgentCore Code Interpreter is designed to execute agentic workloads in an isolated sandbox to prevent access to external systems. However, researchers discovered that the sandbox permits outbound DNS queries. An attacker can abuse this behavior to establish a bidirectional Command-and-Control (C2) channel. By encoding data in DNS subdomains or receiving commands via DNS A records, an attacker can bypass traditional network isolation controls to exfiltrate sensitive data or maintain an interactive shell within the execution environment.
## Exploitation
- **Status:** PoC available (Demonstrated by BeyondTrust)
- **Complexity:** Medium
- **Attack Vector:** Network (via AI Agent interaction)
## Impact
- **Confidentiality:** High (Potential exfiltration of AWS resource data, such as S3 bucket contents)
- **Integrity:** Medium (Ability to execute arbitrary commands within the sandbox)
- **Availability:** Low (Potential for resource exhaustion or deletion of accessible infrastructure)
## Remediation
### Patches
- **No software patch available:** AWS maintains this is "intended functionality." Users must change deployment configurations to secure the environment.
### Workarounds
- **Migrate to VPC Mode:** Immediately move critical workloads from "Sandbox mode" to "VPC mode" to enable full network isolation.
- **DNS Firewalling:** Implement Amazon Route 53 Resolver DNS Firewall to monitor and filter outbound DNS traffic from the interpreter.
- **Least Privilege:** Audit IAM roles attached to the Code Interpreter to ensure they cannot access sensitive S3 buckets or other AWS resources unless strictly necessary.
## Detection
- **Indicators of Compromise:** High volume of DNS queries to unusual or attacker-controlled domains; large amounts of data encoded in DNS subdomains.
- **Detection Methods and Tools:** Monitor DNS query logs (Route 53 logs) for entropy spikes or tunneling patterns originating from Bedrock service roles.
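
The entropy and volume check described above can be sketched as follows. This is an added example, not code from BeyondTrust or AWS: it assumes JSON log records with `query_name` and `srcaddr` fields as in Route 53 Resolver query logs, and the thresholds, the two-label base-domain split and all sample names are constructed for illustration.

```python
import json
import math
from collections import Counter, defaultdict

# Constructed sample data: labels and addresses are made up for this example.
# Only the field names (query_name, srcaddr) follow Route 53 Resolver query logs.
SAMPLE_NAMES = [
    "s3.us-east-1.amazonaws.com.", "sts.us-east-1.amazonaws.com.",
    "bedrock-runtime.us-east-1.amazonaws.com.", "logs.us-east-1.amazonaws.com.",
    "pypi.org.", "files.pythonhosted.org.",
    "k7q2mzx4bnw5hjv3ydp6rgt2sfl7caeo.example.net.",
    "w3hn5ozc2yqk6tbr4jmd7xve3gal5pfu.example.net.",
    "p6dx2ljr7mua4wqe5zkb3hyc6nvg4tso.example.net.",
    "g4vy7nce2rkw5ubp3qjx6hmz2dta7lfo.example.net.",
]
SAMPLE_LOG = [json.dumps({"query_name": n, "srcaddr": "10.0.0.5"}) for n in SAMPLE_NAMES]

def shannon_entropy(text):
    """Bits per character of the character distribution in text."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def split_name(query_name, base_labels=2):
    """Naive (subdomain, base) split; assumes a two-label base, no public suffix list."""
    labels = query_name.rstrip(".").lower().split(".")
    return "".join(labels[:-base_labels]), ".".join(labels[-base_labels:])

def find_tunneling(log_lines, min_unique=4, min_entropy=3.5, min_bytes=100):
    """Flag base domains whose subdomains are numerous, high-entropy and bulky."""
    subs_by_base = defaultdict(set)
    sources = defaultdict(set)
    for line in log_lines:
        record = json.loads(line)
        sub, base = split_name(record["query_name"])
        if sub:
            subs_by_base[base].add(sub)
            sources[base].add(record["srcaddr"])
    findings = {}
    for base, subs in subs_by_base.items():
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        encoded_bytes = sum(len(s) for s in subs)
        if len(subs) >= min_unique and mean_entropy >= min_entropy and encoded_bytes >= min_bytes:
            findings[base] = {"unique_subdomains": len(subs), "mean_entropy": round(mean_entropy, 3),
                              "encoded_bytes": encoded_bytes, "sources": sorted(sources[base])}
    return findings

if __name__ == "__main__":
    print(json.dumps(find_tunneling(SAMPLE_LOG), indent=2))
```

All three conditions must hold together: the constructed `amazonaws.com` names reach the unique-subdomain count but stay below the entropy and byte thresholds, so only the encoded-looking names are reported. Thresholds need tuning against a baseline of the environment's normal DNS traffic.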
## References
- **Vendor Advisory:** hxxps://aws.amazon.com/blogs/machine-learning/introducing-the-amazon-bedrock-agentcore-code-interpreter/
- **Researcher Report:** hxxps://www.beyondtrust.com/blog/entry/aws-bedrock-agentcore-sandbox-breakout
- **News Source:** hxxps://thehackernews.com/2026/03/ai-flaws-in-amazon-bedrock-langsmith.html