AWS Bedrock Vulnerability - DNS Escape Hatch Discovered
In short, AWS Bedrock's sandbox isolation is weaker than promised, leaving attackers a path to move data out.
AWS Bedrock's sandbox mode has a serious flaw, allowing DNS queries that can lead to data breaches. This affects users relying on its isolation features. AWS has acknowledged the issue but claims it's intended functionality, leaving security teams to adapt.
The Flaw
AWS Bedrock, a platform designed for agentic AI workflows, has been touted for its complete isolation capabilities. However, recent findings from BeyondTrust reveal a significant vulnerability. The sandbox mode in AWS Bedrock AgentCore's Code Interpreter allows outbound DNS queries, which can be exploited to create covert communication channels. This flaw means that attackers can potentially exfiltrate data and execute commands without detection.
The sandbox's design permits DNS queries for A and AAAA records, which can be manipulated by malicious actors. This creates a bidirectional communication channel between the AI agent and an external server, undermining the very isolation AWS promised. As Ram Varadarajan, CEO of Acalvio, puts it, this is not merely a bug; it's a fundamental architectural flaw in how isolation is implemented.
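A defender-side heuristic for the channel described above, added here as an example (not code from BeyondTrust, AWS or the source article): data carried in A/AAAA lookups tends to appear as many distinct, long, high-entropy labels under one parent domain. It assumes resolver query logs are available as JSON lines; the field names, thresholds and the `exfil.example` domain are constructed for the example.

```python
import json
import math
from collections import Counter, defaultdict

# Constructed sample records, not real logs. The field names are an assumption;
# map them to your resolver's query-log schema.
SAMPLE_LOG = """\
{"query_name": "bedrock-runtime.us-east-1.amazonaws.com.", "query_type": "A"}
{"query_name": "0123456789abcdef0123456789abcdef.t.exfil.example.", "query_type": "A"}
{"query_name": "fedcba9876543210fedcba9876543210.t.exfil.example.", "query_type": "AAAA"}
{"query_name": "pypi.org.", "query_type": "A"}
{"query_name": "02468ace13579bdf02468ace13579bdf.t.exfil.example.", "query_type": "A"}
{"query_name": "s3.us-east-1.amazonaws.com.", "query_type": "AAAA"}
{"query_name": "13579bdf02468ace13579bdf02468ace.t.exfil.example.", "query_type": "A"}
"""

MIN_UNIQUE = 3       # distinct data labels under one parent before it is judged
MIN_LABEL_LEN = 20   # mean length of the longest subdomain label
MIN_ENTROPY = 3.0    # mean Shannon entropy of that label, bits per character


def entropy(s):
    # Shannon entropy of the characters in s, in bits per character.
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def suspicious_parents(log_text):
    """Return {parent: stats} for parents whose A/AAAA query names look encoded."""
    by_parent = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("query_type") not in ("A", "AAAA"):
            continue
        labels = rec["query_name"].rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain part that could carry data
        # Naive parent = last two labels; use a public-suffix list in production.
        by_parent[".".join(labels[-2:])].add(max(labels[:-2], key=len))
    flagged = {}
    for parent, data_labels in by_parent.items():
        n = len(data_labels)
        mean_len = sum(map(len, data_labels)) / n
        mean_ent = sum(map(entropy, data_labels)) / n
        if n >= MIN_UNIQUE and mean_len >= MIN_LABEL_LEN and mean_ent >= MIN_ENTROPY:
            flagged[parent] = {"unique": n, "mean_len": mean_len, "mean_entropy": mean_ent}
    return flagged
```

Calling `suspicious_parents(SAMPLE_LOG)` flags only `exfil.example`; the thresholds are starting points and need tuning against normal traffic, since some CDN and telemetry hostnames are also long and random-looking.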
What's at Risk
With the ability to manipulate DNS queries, attackers can establish a communication link that allows them to exfiltrate sensitive data and even gain control over the AI environment. If the AI agent operates under overly permissive IAM roles, the risk escalates dramatically. Attackers could silently extract sensitive cloud data, such as the contents of S3 buckets, without triggering any security alerts.
The implications of this vulnerability extend beyond mere data theft. It opens the door for remote command execution, allowing attackers to run arbitrary commands within the compromised environment. The potential for abuse is significant, especially for organizations relying on AWS Bedrock for critical AI workflows.
Patch Status
BeyondTrust reported the vulnerability to AWS on September 1, 2025, through the bug bounty platform HackerOne. AWS acknowledged the issue and initially deployed a fix in November. However, this fix was rolled back shortly after, with AWS stating that the behavior was intended functionality rather than a defect. This decision has raised eyebrows in the cybersecurity community, as it suggests a reluctance to address the underlying security flaw.
As of now, AWS has updated its documentation to clarify that the sandbox mode provides limited external network access instead of complete isolation. This change highlights the need for users to reassess their security postures when using AWS Bedrock, especially regarding the permissions granted to AI agents.
Immediate Actions
In light of this vulnerability, security teams must take proactive measures to protect their environments. Experts recommend conducting an inventory of all active AgentCore Code Interpreter instances and migrating to VPC mode to enhance security. Additionally, organizations should consider implementing deception artifacts such as canary IAM credentials and DNS sinkholes to detect any unauthorized access attempts.
Ultimately, the AWS Bedrock vulnerability serves as a reminder that perimeter controls alone are insufficient in safeguarding agentic AI execution environments. Organizations must adopt a more comprehensive approach to security, ensuring that their systems are resilient against potential exploits.
CSO Online