AWS Bedrock AI Code Interpreter Flaw Allows DNS‑Based Data Leakage from Customer Workloads
What Happened — Researchers discovered that the AgentCore Code Interpreter sandbox in Amazon Web Services Bedrock can be tricked into issuing DNS queries that embed customer data, effectively leaking sensitive information from the cloud environment. The issue stems from insufficient isolation of the sandbox’s network calls.
Why It Matters for TPRM —
- Third‑party AI services can become an unintended data exfiltration channel.
- A breach of this nature bypasses traditional perimeter controls, exposing downstream vendors to compliance risk.
- Unchecked DNS exfiltration can evade many DLP solutions, inflating the attack surface of any organization that relies on Bedrock for code generation or data analysis.
Who Is Affected — Cloud‑infrastructure providers, SaaS platforms, and enterprises across all sectors that integrate AWS Bedrock’s Code Interpreter into their workloads, especially those handling regulated or proprietary data.
Recommended Actions —
- Review and, if possible, disable the Bedrock Code Interpreter for workloads containing sensitive data.
- Apply any patches or configuration hardening guidance released by AWS immediately.
- Deploy DNS‑query monitoring and anomaly detection on VPC flow logs.
- Conduct a risk assessment of all third‑party AI services used in your supply chain.
Technical Notes — The vulnerability resides in the AgentCore sandbox’s handling of outbound DNS requests, allowing crafted payloads to encode data within the query name. No CVE has been assigned yet; the flaw is classified as a sandbox escape leading to data exfiltration via DNS. Source: HackRead