AWS Bedrock AgentCore Sandbox Bypass: Stealthy C2 and Data Exfiltration Risks Revealed
A significant security vulnerability has been uncovered within Amazon Web Services’ (AWS) Bedrock AgentCore, specifically its Code Interpreter feature. While AWS marketed this component as a highly secure, isolated sandbox environment incapable of external network access, security researchers have demonstrated how this isolation can be bypassed. The flaw allows threat actors to establish covert command-and-control (C2) channels and exfiltrate sensitive data, fundamentally undermining the intended security posture of the service.
Understanding AWS Bedrock AgentCore and the Code Interpreter
AWS Bedrock is a comprehensive managed service designed to empower developers in building, training, and deploying sophisticated generative artificial intelligence (AI) models. At its core, Bedrock offers an AgentCore runtime environment. This is where AI agents can execute code provided by users, often in the form of Python scripts. These scripts are crucial for enabling agents to interact with AI models, perform complex data preprocessing tasks, and generally extend their capabilities beyond basic model inference.
The Code Interpreter mode within AgentCore was specifically designed with security in mind. AWS advertised it as a robust sandbox, a completely sealed environment intended to prevent any form of outbound connectivity. The promise was that each code execution would occur within an isolated container, devoid of network interfaces, lacking access to the instance metadata service, and, critically, unable to initiate any outbound TCP or UDP connections. This level of isolation is typically achieved through a combination of Linux namespaces, seccomp filters, and a stringent egress firewall. As designed, this architecture was meant to block all network traffic except local loopback communication, thereby preventing any code from reaching the public internet or internal AWS services.
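The following is an added illustration, not AWS's actual firewall configuration or any code from the researchers: a small first-match egress policy evaluator (the rule syntax, the sample flows and the sandbox address range are all assumptions) that puts a weak rule set, where port 53 is permitted to any destination, beside a corrected one in which only loopback survives. Because even an allowlisted resolver forwards every query name onward recursively, a sandbox that has no legitimate need for name resolution should deny UDP/TCP 53 outright rather than merely pin it to one resolver; where resolution is genuinely required, the allowed resolver must be paired with query logging.

```python
"""Egress policy check for a sandbox: weak rule set beside the corrected one.

Added example. The rule syntax, the policies and the sample flows are
assumptions used to illustrate the gap the article describes; they are
not AWS's configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    dst: str               # CIDR the destination must fall inside
    dport: Optional[int]   # None matches any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    dst: str
    dport: int


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First-match evaluation, the semantics of a typical Linux egress chain."""
    addr = ipaddress.ip_address(flow.dst)
    for r in rules:
        if r.proto not in ("any", flow.proto):
            continue
        if addr not in ipaddress.ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action
    return default


# Weak policy (hypothetical): loopback is open, and because no rule restricts
# where port-53 traffic may go, DNS reaches any resolver on the internet.
WEAK_POLICY = [
    Rule("allow", "any", "127.0.0.0/8", None),
    Rule("allow", "udp", "0.0.0.0/0", 53),
    Rule("deny", "any", "0.0.0.0/0", None),
]

# Corrected policy: loopback only; every other flow, DNS included, is dropped.
HARDENED_POLICY = [
    Rule("allow", "any", "127.0.0.0/8", None),
    Rule("deny", "any", "0.0.0.0/0", None),
]


def find_external_dns_leaks(rules: List[Rule], resolvers: List[str]) -> List[str]:
    """Return the resolvers a policy would let UDP/53 reach from the sandbox."""
    return [ip for ip in resolvers
            if evaluate(rules, Flow("udp", ip, 53)) == "allow"]


if __name__ == "__main__":
    # Public resolver addresses used purely as test destinations.
    probes = ["8.8.8.8", "1.1.1.1", "9.9.9.9"]
    print("weak policy leaks DNS to:", find_external_dns_leaks(WEAK_POLICY, probes))
    print("hardened policy leaks DNS to:", find_external_dns_leaks(HARDENED_POLICY, probes))
    print("hardened loopback TCP/8080:", evaluate(HARDENED_POLICY, Flow("tcp", "127.0.0.1", 8080)))
```

Running the audit against a candidate policy before deploying a sandbox image is the check that would have caught the omission described in this article: a single UDP/53 flow to a public address evaluating to "allow" is enough to fail the review.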
The Nature of the Sandbox Bypass and DNS Exfiltration
The security researchers, during a thorough review of the AgentCore’s security mechanisms, identified a critical oversight in the firewall configuration. While the egress firewall was designed to block most outbound traffic, it did not explicitly include rules to drop DNS packets destined for external resolvers. This omission created an unintended pathway. Consequently, a malicious process running within the Code Interpreter sandbox retains the ability to send UDP packets on port 53, the standard port for the Domain Name System (DNS) protocol. This capability allows the process to resolve domain names, a seemingly innocuous function that can be weaponized.
The exploitation of this DNS resolution capability forms the basis of the discovered bypass. Threat actors can craft specific DNS queries that encode sensitive data or commands. When these queries are sent to an external DNS server controlled by the attacker, the server can interpret the encoded information. This technique is known as DNS tunneling or DNS exfiltration. It’s particularly insidious because DNS traffic is often permitted through network firewalls and security policies, making it a stealthy method for data transfer and command execution.
For instance, an attacker could encode small chunks of data within the subdomain part of a DNS query. A query like `[encoded_data].attacker-controlled-domain.com` would be sent. The attacker’s DNS server would receive this query, extract the `[encoded_data]`, and then potentially respond with a specially crafted DNS record that, when interpreted by the compromised agent, could contain a command. This creates a covert channel for both sending data out and receiving instructions back into the isolated environment, effectively establishing a command-and-control (C2) infrastructure.
Implications for Security and Mitigation Strategies
The implications of this vulnerability are far-reaching. The core promise of a network-isolated sandbox for executing untrusted code is compromised. This could lead to:
- Data Exfiltration: Sensitive information processed or accessed by the AI agent could be siphoned out of the AWS environment through DNS queries.
- Command and Control (C2): Attackers could use this channel to issue commands to the compromised agent, directing it to perform malicious actions, pivot to other systems, or download further malware.
- Evasion of Security Controls: Because DNS traffic is often less scrutinized than other forms of network communication, this method can evade traditional security monitoring tools and intrusion detection systems.
- Undermining Trust: The vulnerability erodes confidence in the security assurances provided by cloud providers for managed AI services.
AWS has been notified of the vulnerability and is expected to address it. However, in the interim, organizations utilizing AWS Bedrock AgentCore with the Code Interpreter should consider implementing additional security measures. These might include:
- Network Segmentation and Monitoring: Implementing stricter network access controls and closely monitoring DNS traffic originating from Bedrock environments for unusual patterns or suspicious domains.
- Code Review: Rigorously reviewing any user-supplied code intended for the Code Interpreter to identify potentially malicious constructs.
- Limiting Agent Capabilities: Restricting the types of operations and data access granted to AI agents that utilize the Code Interpreter.
- AWS Security Bulletins: Staying informed about official AWS security advisories and applying any patches or recommended configurations promptly.
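The DNS monitoring recommended above is concrete enough to show in code. What follows is an added detection example written for this article, not tooling from AWS or from the researchers: it reads resolver query log lines, aggregates them per source address and parent domain, and flags the patterns that distinguish encoded-data queries from ordinary lookups (single labels far longer than any real hostname, many distinct subdomains of one parent from one source, high per-label entropy, and a run of TXT or NULL queries). The log lines are constructed; their field names (query_name, query_type, srcaddr) follow Route 53 Resolver query logging, but the parser depends on nothing else. The thresholds, the sandbox address and the two-label parent-domain split are assumptions; a production detector should derive the parent from the public suffix list.

```python
"""Flag DNS-tunnelling patterns in resolver query logs.

Added detection example. The log lines are constructed and not from any real
AWS environment; thresholds and the parent-domain split are assumptions.
"""
import hashlib
import json
import math
from collections import defaultdict
from typing import Dict, List, Tuple

LABEL_LEN_LIMIT = 40         # a single DNS label longer than this is unusual
ENTROPY_LIMIT = 3.5          # bits per char; hex-encoded chunks sit near 4
UNIQUE_SUBDOMAIN_LIMIT = 6   # distinct subdomains of one parent from one source
RARE_TYPES = {"TXT", "NULL"} # record types sandbox code rarely needs


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """Return (subdomain, parent). Parent is the last two labels (assumption)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(log_lines: List[str]) -> Dict[Tuple[str, str], List[str]]:
    """Aggregate per (srcaddr, parent) and return the reasons each one was flagged."""
    stats = defaultdict(lambda: {"subs": set(), "max_label": 0,
                                 "high_entropy": 0, "rare_types": 0})
    for line in log_lines:
        rec = json.loads(line)
        sub, parent = split_name(rec["query_name"])
        st = stats[(rec["srcaddr"], parent)]
        st["subs"].add(sub)
        if sub:
            st["max_label"] = max(st["max_label"],
                                  max(len(lbl) for lbl in sub.split(".")))
            if shannon_entropy(sub.replace(".", "")) > ENTROPY_LIMIT:
                st["high_entropy"] += 1
        if rec.get("query_type") in RARE_TYPES:
            st["rare_types"] += 1

    findings: Dict[Tuple[str, str], List[str]] = {}
    for key, st in stats.items():
        reasons = []
        if st["max_label"] > LABEL_LEN_LIMIT:
            reasons.append("long_label")
        if len(st["subs"]) >= UNIQUE_SUBDOMAIN_LIMIT:
            reasons.append("many_unique_subdomains")
        if st["high_entropy"] >= 3:
            reasons.append("high_entropy_labels")
        if st["rare_types"] >= 3:
            reasons.append("rare_query_types")
        if reasons:
            findings[key] = reasons
    return findings


def constructed_log() -> List[str]:
    """Constructed sample: three ordinary lookups, then eight encoded-looking queries."""
    src = "10.0.1.7"  # assumed sandbox address
    benign = ["pypi.org", "files.pythonhosted.org", "s3.us-east-1.amazonaws.com"]
    lines = [json.dumps({"srcaddr": src, "query_type": "A", "query_name": n + "."})
             for n in benign]
    for i in range(8):
        # Deterministic 48-char hex label standing in for an encoded chunk.
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        lines.append(json.dumps({"srcaddr": src, "query_type": "TXT",
                                 "query_name": f"{chunk}.attacker-controlled-domain.com."}))
    return lines


if __name__ == "__main__":
    for (src, parent), why in analyze(constructed_log()).items():
        print(f"{src} -> {parent}: {', '.join(why)}")
```

Per-parent aggregation matters more than any single-query rule: one long label can be a legitimate CDN hostname, but dozens of never-repeated subdomains of the same parent from a source that should have no network at all is the signature worth alerting on. Tune the thresholds against a baseline of the sandbox's own traffic, which for a correctly isolated Code Interpreter should be empty.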
While the specific details of the exploit rely on the ability to make outbound DNS queries, the broader lesson is that even seemingly minor network allowances in sandboxed environments can be exploited by sophisticated attackers. Continuous security auditing and a defense-in-depth approach are paramount when deploying powerful AI services in cloud environments.
Frequently Asked Questions (FAQ)
What is AWS Bedrock AgentCore?
AWS Bedrock AgentCore is a runtime environment within Amazon Bedrock that allows AI agents to execute code, interact with AI models, and perform tasks like data preprocessing.
What is the Code Interpreter mode?
The Code Interpreter mode within AgentCore is designed as a secure, isolated sandbox for executing user-supplied code. It was advertised as having no outbound network connectivity.
How does the sandbox bypass work?
Researchers found that the Code Interpreter sandbox, despite its advertised isolation, allows outbound DNS queries (for A and AAAA records). Attackers can exploit this by encoding data or commands within DNS requests, creating a covert channel.