AWS Bedrock AgentCore Sandbox Bypass Enables DNS Tunneling and Credential Exfiltration
What Happened – Unit 42 researchers demonstrated that the network‑isolation mode of Amazon Bedrock AgentCore’s Code Interpreter can be bypassed using DNS tunneling, allowing malicious code to send and receive data from the public internet. A second flaw is that the AgentCore runtime’s microVM Metadata Service (MMDS) lacks session‑token enforcement, enabling SSRF‑style credential theft.
Why It Matters for TPRM –
- The bypass turns a “secure” AI execution environment into a covert data‑exfiltration channel.
- Compromise of one AgentCore instance can cascade to other agents in the same AWS account via over‑privileged default identities.
- Many third‑party SaaS and internal applications rely on Bedrock AgentCore, expanding the attack surface across multiple supply‑chain layers.
Who Is Affected – Cloud‑native enterprises, AI‑as‑a‑Service providers, and any organization that has integrated Amazon Bedrock AgentCore (e.g., tech, finance, healthcare, media).
Recommended Actions –
- Review AWS‑provided mitigation controls (e.g., VPC endpoint policies, IAM condition keys) and enable them immediately.
- Enforce least‑privilege IAM roles for AgentCore agents; audit default permissions.
- Deploy DNS‑query monitoring and anomaly detection on workloads that invoke Bedrock agents.
- Validate that MMDS token enforcement is enabled; apply AWS‑issued patches or configuration updates.
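A starting point for the DNS‑query monitoring recommended above, added here as an illustration and not taken from Unit 42 or AWS: it groups resolver log records by source and parent domain and flags pairs with many long, high‑entropy subdomains, the pattern that data tunneled through DNS queries tends to produce. The record field names, addresses, domains and thresholds are assumptions, and the sample log is constructed.

```python
import json
import math
from collections import Counter, defaultdict

# Constructed sample data: JSON-lines records shaped like resolver query logs.
# Field names (srcaddr, query_name) and all hosts/domains are assumptions.
_ENCODED = ["mfzwizlgm5ugs2tlnrwxk3tpobyxe43u", "k7f2q3xw5mz6t4v7b2n3c5hj2ydr6gpa",
            "pb4gk3dfon2hazlsmvzxizltoqqgs3th", "nrswc43ufvyhe2lwnfwgkz3ffvuwi3lq",
            "ovzwk4rnmfrwgzltomwwwzlzfu2dembr"]
_RECORDS = (
    [("10.0.1.23", f"{label}.tunnel-test.example.") for label in _ENCODED]
    + [("10.0.1.40", f"{h}.corp.example.") for h in ("www", "api", "cdn", "mail", "login")]
    + [("10.0.1.23", "bedrock-runtime.us-east-1.amazonaws.com.")]
)
SAMPLE_LOG = "\n".join(json.dumps({"srcaddr": s, "query_name": q}) for s, q in _RECORDS)


def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than hostnames."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def find_tunnel_candidates(log_text, min_unique=4, min_avg_len=30, min_entropy=3.5):
    """Flag (source, parent domain) pairs with many long, high-entropy subdomains."""
    seen = defaultdict(set)
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        labels = rec["query_name"].rstrip(".").lower().split(".")
        # Naive parent = last two labels; production code should use a public-suffix list.
        parent, sub = ".".join(labels[-2:]), "".join(labels[:-2])
        if sub:
            seen[(rec["srcaddr"], parent)].add(sub)
    findings = []
    for (src, parent), subs in sorted(seen.items()):
        avg_len = sum(map(len, subs)) / len(subs)
        avg_entropy = sum(map(shannon_entropy, subs)) / len(subs)
        # All three conditions must hold; many short hostnames alone are normal.
        if len(subs) >= min_unique and avg_len >= min_avg_len and avg_entropy >= min_entropy:
            findings.append({"srcaddr": src, "parent": parent, "unique_subdomains": len(subs),
                             "avg_len": round(avg_len, 1), "avg_entropy": round(avg_entropy, 2)})
    return findings


if __name__ == "__main__":
    for finding in find_tunnel_candidates(SAMPLE_LOG):
        print(finding)
```

The thresholds are illustrative defaults; tune them against a baseline of the workload's normal DNS traffic before alerting on the output.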
Technical Notes – The sandbox bypass leverages crafted DNS queries that tunnel data through the resolver, bypassing the intended “no‑outbound‑network” rule. The MMDS flaw stems from a missing token check, allowing SSRF attacks to retrieve IAM credentials. No CVE was assigned at time of publication.
Source: Palo Alto Unit 42 – Cracks in the Bedrock: Escaping the AWS AgentCore Sandbox