{"id":15965,"date":"2026-03-17T11:16:03","date_gmt":"2026-03-17T11:16:03","guid":{"rendered":"https:\/\/newestek.com\/?p=15965"},"modified":"2026-03-17T11:16:03","modified_gmt":"2026-03-17T11:16:03","slug":"aws-bedrocks-isolated-sandbox-comes-with-a-dns-escape-hatch","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15965","title":{"rendered":"AWS Bedrock\u2019s \u2018isolated\u2019 sandbox comes with a DNS escape hatch"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>AWS\u2019 promise of \u201ccomplete isolation\u201d for agentic AI workflows on Bedrock is facing scrutiny after researchers found its sandbox mode isn\u2019t as sealed as advertised.<\/p>\n<p>In a recent disclosure, BeyondTrust detailed how the \u201cSandbox\u201d mode in AWS Bedrock AgentCore\u2019s Code Interpreter can be abused to break isolation boundaries using DNS queries. While the sandbox blocks most outbound traffic, it still allows DNS queries for A and AAAA records, potentially allowing attackers to establish a covert communication channel, leading to data exfiltration and remote command execution.<\/p>\n<p>\u201cAWS Bedrock\u2019s sandbox isolation failed at the most fundamental layer, DNS, and the lesson isn\u2019t that AWS shipped a bug, it\u2019s that perimeter controls are architecturally insufficient against agentic AI execution environments,\u201d said Ram Varadarajan, CEO at Acalvio. 
\u201cNo malware required, just a compliant model with poisoned inputs.\u201d<\/p>\n<p>BeyondTrust researchers said in a blog <a href=\"https:\/\/www.beyondtrust.com\/blog\/entry\/aws-bedrock-agentcore-sandbox-breakout\" target=\"_blank\" rel=\"noreferrer noopener\">post<\/a> that AWS acknowledged the report and reproduced the issue during the disclosure process, but ultimately chose not to patch the behavior, calling it an \u201cintended functionality rather than a defect.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>The \u201callowed\u201d DNS path breaks isolation<\/h2>\n<p>The issue is that the sandbox environment permits outbound <a href=\"https:\/\/www.csoonline.com\/article\/646765\/sophisticated-http-and-dns-ddos-attacks-on-the-rise.html\">DNS queries<\/a>, which can be manipulated to create a bidirectional communication channel between the AI agent and an external attacker-controlled server. By encoding data into DNS queries and responses, BeyondTrust\u2019s Phantom Labs team demonstrated exfiltrating data and even establishing an interactive reverse shell, without triggering any network restrictions.<\/p>\n<p>\u201cThe (vulnerable) environment permits outbound DNS queries for A and AAAA records, a structural allowance that threat actors can exploit to establish a bidirectional command-and-control channel,\u201d said Jason Soroko, senior fellow at Sectigo. Once that channel is in place, the rest becomes a question of permissions. If the agent is operating with overly broad IAM roles, the blast radius expands quickly.<\/p>\n<p>\u201cBy leveraging this channel, attackers can secure an interactive reverse shell and execute arbitrary commands,\u201d Soroko added. 
\u201cIf the AI execution environment is assigned overly permissive IAM roles, attackers can silently exfiltrate sensitive cloud data, such as <a href=\"https:\/\/www.csoonline.com\/article\/4094475\/ransomware-gangs-find-a-new-hostage-your-aws-s3-buckets.html\">S3 bucket<\/a> contents, directly through these allowed DNS queries.\u201d<\/p>\n<p>Technically, the sandbox isn\u2019t breached; it\u2019s bypassed using functionality that was always meant to be there. At least, that\u2019s what AWS says.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>AWS allegedly rolled back a fix<\/h2>\n<p>BeyondTrust said it discovered and reported the vulnerability to AWS on September 1, 2025, via the bug bounty platform HackerOne. AWS reportedly acknowledged receipt of the report and deployed an initial fix to production in November.<\/p>\n<p>However, BeyondTrust was informed a few days later that the initial fix had been rolled back due to \u201cother factors\u201d and that AWS was working on a more robust solution. Finally, in December, AWS told BeyondTrust that a fix would not be made because the behavior is an \u201cintended functionality,\u201d and instead updated its documentation to clarify that Sandbox mode permits DNS <a href=\"https:\/\/www.csoonline.com\/article\/575131\/the-status-quo-for-dns-security-isn-t-working.html\">resolution<\/a>. The BeyondTrust researcher received a $100 AWS Gear Shop gift card for the finding.<\/p>\n<p>An AWS spokesperson told CSO that all AWS services and infrastructure are operating as expected. \u201cThe Sandbox mode provides network access exclusively to Amazon S3 for your data operations, making it ideal for production workloads that rely on S3 data,\u201d the spokesperson said. 
\u201cDNS resolution is enabled to support successful execution of S3 operations.\u201d<\/p>\n<p>\u201cBecause AWS has determined this behavior is intended functionality and opted to update its documentation rather than issue a patch, security teams must proactively shift their defensive strategies,\u201d Soroko said, recommending teams \u201cinventory all active AgentCore Code Interpreter instances\u201d and \u201cmigrate to VPC mode.\u201d<\/p>\n<p>Varadarajan points to a more adaptive approach. \u201cThe correct architectural response is to instrument the execution environment itself with deception artifacts \u2014 canary IAM credentials, honey S3 paths, DNS sinkholes \u2014 that an effective agent will inevitably surface precisely because it\u2019s doing its job well,\u201d he said. AWS reportedly awarded the issue a CVSS score of 7.5. The <a href=\"https:\/\/docs.aws.amazon.com\/bedrock-agentcore\/latest\/devguide\/code-interpreter-create.html#:~:text=You%20can%20create%20a%20Code,AWS%20resources%20it%20can%20access.\" target=\"_blank\" rel=\"noreferrer noopener\">documentation<\/a> now reflects the change: the Sandbox mode description says the mode \u201cprovides limited external network access\u201d where it previously said \u201cprovides complete isolation with no external network access.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>AWS\u2019 promise of \u201ccomplete isolation\u201d for agentic AI workflows on Bedrock is facing scrutiny after researchers found its sandbox mode isn\u2019t as sealed as advertised. In a recent disclosure, BeyondTrust detailed how the \u201cSandbox\u201d mode in AWS Bedrock AgentCore\u2019s Code Interpreter can be abused to break isolation boundaries using DNS queries. 
While the sandbox blocks most outbound traffic, it still allows DNS queries for A&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15965\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15965","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15965","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15965"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15965\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15965"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15965"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15965"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}