Csoonline
AWS Bedrock Sandbox Vulnerability Enables DNS-Based Data Exfiltration
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A security flaw in AWS Bedrock's AgentCore Code Interpreter allows attackers to bypass network isolation through DNS queries. Researchers from BeyondTrust demonstrated that the sandbox mode permits outbound DNS queries for A and AAAA records, enabling covert command-and-control (C2) channels. This vulnerability can lead to data exfiltration and remote command execution if the associated IAM roles are overly permissive. AWS acknowledged the issue but classified it as intended functionality rather than a defect, opting not to issue a patch. The flaw was reported to AWS on September 1, 2025, with an initial fix rolled back in November 2025. The findings emphasize the architectural inadequacies of perimeter controls in AI execution environments. Organizations using AWS Bedrock are advised to audit their configurations and consider migrating sensitive workloads to VPC mode for enhanced security.
Key Points: • AWS Bedrock's sandbox mode allows DNS queries, enabling data exfiltration. • Attackers can establish covert C2 channels if IAM roles are overly permissive. • AWS determined the behavior is intended and will not issue a patch.