AWS Bedrock Code Interpreter DNS Exfiltration Technique Bypasses Sandbox Restrictions
Researchers demonstrate a DNS-based data exfiltration method against AWS Bedrock AgentCore Code Interpreter that bypasses Sandbox Mode network restrictions, allowing attackers to extract S3 data and credentials.

Security researchers at Phantom Labs have demonstrated a novel data exfiltration technique targeting AWS Bedrock AgentCore's Code Interpreter, exploiting DNS resolution to bypass Sandbox Mode network restrictions. The attack, detailed in a March 16 report, shows how malicious instructions embedded in a CSV file can coerce the AI agent into generating Python code that establishes a covert command-and-control (C2) channel via DNS queries, even when the environment reports network access as disabled.
The technique leverages the fact that DNS resolution remains active in Sandbox Mode, despite outbound network connections being otherwise restricted. By embedding instructions in a CSV file processed by the AI agent, attackers can modify the generated Python code to poll an external C2 server using DNS requests. The researchers demonstrated that this method can execute basic commands like `whoami`, list available Amazon S3 buckets and their contents, and extract full file contents including credentials, personal data, and financial information.
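From the defender's side, the pattern described above (a poll loop that pushes data out one DNS label at a time) is visible in resolver query logs as a burst of long, high-entropy, never-repeating subdomains under one base domain from one source. The following detector is an added example written for this article, not code from Phantom Labs or AWS. The log lines are constructed; their field names loosely follow Route 53 Resolver query logging but are assumptions, and `c2-example.invalid` is a reserved name used only as sample data. Whether Sandbox Mode queries traverse a resolver you can log is something to confirm in the AWS documentation, not something this example assumes.

```python
import json
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample resolver query log, one JSON object per line. Only
# query_name, query_type and srcaddr are read; the field names are assumptions.
# 10.0.1.5 is a normal interpreter session; 10.0.1.7 shows the beacon plus
# encoded-label pattern a DNS channel leaves behind. The 32-character hex
# labels stand in for encoded chunks of exfiltrated data.
SAMPLE_LOG = """\
{"query_name":"pypi.org.","query_type":"A","srcaddr":"10.0.1.5"}
{"query_name":"files.pythonhosted.org.","query_type":"A","srcaddr":"10.0.1.5"}
{"query_name":"files.pythonhosted.org.","query_type":"A","srcaddr":"10.0.1.5"}
{"query_name":"s3.us-east-1.amazonaws.com.","query_type":"A","srcaddr":"10.0.1.5"}
{"query_name":"cmd.poll.c2-example.invalid.","query_type":"TXT","srcaddr":"10.0.1.7"}
{"query_name":"3a7f1c9e5b0d28466482d0b5e9c1f7a3.x.c2-example.invalid.","query_type":"A","srcaddr":"10.0.1.7"}
{"query_name":"b2e8f4a0c6d1937557391d6c0a4f8e2b.x.c2-example.invalid.","query_type":"A","srcaddr":"10.0.1.7"}
{"query_name":"c9d03e6b1f8a52744725a8f1b6e30d9c.x.c2-example.invalid.","query_type":"A","srcaddr":"10.0.1.7"}
{"query_name":"0f1e2d3c4b5a69788796a5b4c3d2e1f0.x.c2-example.invalid.","query_type":"A","srcaddr":"10.0.1.7"}
{"query_name":"5e3a9c1f7b0d28466482d0b7f1c9a3e5.x.c2-example.invalid.","query_type":"A","srcaddr":"10.0.1.7"}
"""


def parse_log(text: str) -> List[dict]:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def split_name(qname: str) -> Tuple[str, str]:
    """Return (base_domain, subdomain_part) for a query name.

    Simplification: the last two labels are taken as the registrable domain.
    Production code should consult a public suffix list (co.uk, etc.).
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random hex is ~4.0, English words ~2.5-3."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_suspicious(records: List[dict], min_unique: int = 4,
                    min_mean_len: float = 20.0, min_entropy: float = 3.2) -> List[dict]:
    """Group queries by (source, base domain) and flag groups whose subdomains
    look like an encoded channel: many distinct labels, long labels, and high
    per-label entropy. Repeated lookups of the same CDN host do not trip this
    because they add no new distinct subdomains."""
    groups = defaultdict(lambda: {"queries": 0, "txt": 0, "subs": set(), "len_total": 0})
    for r in records:
        base, sub = split_name(r["query_name"])
        g = groups[(r["srcaddr"], base)]
        g["queries"] += 1
        g["subs"].add(sub)
        g["len_total"] += len(sub)
        if r.get("query_type") == "TXT":
            g["txt"] += 1

    alerts = []
    for (src, base), g in groups.items():
        uniq = len(g["subs"])
        mean_len = g["len_total"] / g["queries"]
        mean_entropy = sum(shannon_entropy(s.replace(".", "")) for s in g["subs"]) / uniq
        if uniq >= min_unique and mean_len >= min_mean_len and mean_entropy >= min_entropy:
            alerts.append({
                "srcaddr": src,
                "base_domain": base,
                "queries": g["queries"],
                "txt_queries": g["txt"],
                "unique_subdomains": uniq,
                "mean_subdomain_len": round(mean_len, 2),
                "mean_label_entropy": round(mean_entropy, 2),
            })
    return alerts


if __name__ == "__main__":
    print(json.dumps(find_suspicious(parse_log(SAMPLE_LOG)), indent=2))
```

Run stand-alone, the script reports only the `10.0.1.7` to `c2-example.invalid` group. The three thresholds are starting points, not tuned values: the unique-subdomain count is the most robust of the three, since legitimate software rarely asks for dozens of never-repeating names under one domain, while length and entropy alone will also match some CDN and telemetry hostnames. A TXT-heavy group is an extra signal worth reporting, since that record type is the usual carrier for command responses in a DNS channel.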
AWS reviewed the findings and determined the behavior reflects intended functionality rather than a security vulnerability. Instead of issuing a patch, the company updated its documentation to clarify that Sandbox Mode provides limited external network access and allows DNS resolution. This response has drawn criticism from security experts who argue that perimeter controls are architecturally insufficient against agentic AI execution environments. Ram Varadarajan, CEO at Acalvio, noted that "AWS Bedrock's sandbox isolation failed at the most fundamental layer, DNS, and the lesson isn't that AWS shipped a bug, it's that perimeter controls are architecturally insufficient against agentic AI execution environments."
The risks are amplified when Code Interpreter instances are assigned overly permissive IAM roles. The default AgentCore Starter Toolkit role can include wide permissions such as full access to DynamoDB, full access to Secrets Manager secrets, and read access to all S3 buckets in the account. If attackers can influence code execution within the interpreter, these permissions could enable the discovery and extraction of sensitive information across cloud environments.
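The practical check that follows from this paragraph is to audit the execution role attached to each interpreter for the broad grants the article names (service-wide wildcards, and data-access actions on `Resource "*"`). The audit function below is an added example, not AWS tooling and not the actual Starter Toolkit policy, which the article does not reproduce. Both policy documents are constructed: the first mirrors the kinds of grants described above, the second scopes the same capabilities to placeholder resources the interpreter would actually need.

```python
from typing import Any, Dict, List, Union

# Account-level actions that IAM only permits with Resource "*"; a "*" there is
# a requirement of the action, not a finding.
ACTIONS_THAT_REQUIRE_STAR = {
    "s3:ListAllMyBuckets",
    "secretsmanager:ListSecrets",
    "dynamodb:ListTables",
}

# Constructed: a broad execution-role policy of the kind the article describes.
BROAD_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue", "secretsmanager:ListSecrets"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject"],
         "Resource": "*"},
    ],
}

# Constructed: the same job scoped to one prefix, one table and one secret.
# Bucket, table, secret and account values are placeholders.
SCOPED_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::EXAMPLE-INPUT-BUCKET/datasets/*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::EXAMPLE-INPUT-BUCKET",
         "Condition": {"StringLike": {"s3:prefix": ["datasets/*"]}}},
        {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/EXAMPLE-TABLE"},
        {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
         "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:EXAMPLE-SECRET-*"},
    ],
}


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per over-broad grant in the Allow statements.

    Conditions are not evaluated, so a finding is a prompt for review rather
    than proof of exposure; a Deny elsewhere could also narrow the grant.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]

    findings: List[Dict[str, Any]] = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append({"statement": idx,
                             "issue": "NotAction/NotResource grants everything not listed"})
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        wildcards = [a for a in actions if a == "*" or a.endswith(":*")]
        if wildcards:
            findings.append({"statement": idx, "issue": f"wildcard actions {wildcards}"})

        if "*" in resources:
            unscoped = [a for a in actions if a not in ACTIONS_THAT_REQUIRE_STAR]
            if unscoped:
                findings.append({"statement": idx,
                                 "issue": f'Resource "*" for data-access actions {unscoped}'})
    return findings


if __name__ == "__main__":
    for name, pol in (("BROAD_POLICY", BROAD_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        print(name)
        for f in audit_policy(pol) or [{"statement": "-", "issue": "no findings"}]:
            print(f"  statement {f['statement']}: {f['issue']}")
```

The function is deliberately narrow: it catches the two shapes the article singles out, `service:*` actions and `Resource "*"` on data-reading actions, and exempts the handful of listing actions that IAM only accepts with `*`. Running it over the broad policy yields four findings across all three statements; the scoped policy yields none, because each data action is tied to a specific ARN and the only remaining `*` belongs to `s3:ListAllMyBuckets`.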
Jason Soroko, senior fellow at Sectigo, warned that "organizations must understand that the 'Sandbox' network mode in AWS Bedrock AgentCore Code Interpreter does not provide complete isolation from external networks." He recommended that administrators inventory all active AgentCore Code Interpreter instances and immediately migrate those handling critical data from Sandbox Mode to VPC mode, which provides proper network isolation.
The study highlights a broader challenge as AI systems gain the ability to execute code and interact with infrastructure. Without strict permission boundaries and network controls, automated agents may become an unexpected path for data exposure. This incident underscores the need for organizations to reassess their security posture when they trust sandboxed AI environments and to implement defense-in-depth strategies that account for the unique risks of agentic AI execution environments.