AWS Bedrock’s ‘isolated’ sandbox comes with a DNS escape hatch
Summary
Researchers have discovered that the "Sandbox" mode in AWS Bedrock AgentCore's Code Interpreter is not completely isolated, as it allows DNS queries for A and AAAA records. This functionality can be exploited to create a covert communication channel, enabling data exfiltration and remote command execution.
IFF Assessment
FOE
This is bad news for defenders because a fundamental isolation mechanism in a cloud AI service has been found to be exploitable, allowing for data exfiltration and command execution.
Defender Context
Defenders need to be aware that cloud AI service sandboxes may not provide the complete isolation they promise. Attackers can leverage permitted DNS queries to exfiltrate data and execute commands, especially if AI agents have overly permissive IAM roles.
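A defender-side check for the DNS channel described above, added here as an example (not code from the researchers or from AWS): it flags parent domains whose A/AAAA queries carry many distinct, long, high-entropy subdomains. The record layout, the thresholds and the domain `tunnel.example` are assumptions, and it presumes DNS query logs are available for the environment the agent runs in.

```python
import math
from collections import Counter, defaultdict

HEX = "0123456789abcdef"
# Constructed records (query name, query type); not real telemetry.
# "tunnel.example" and the hex-like labels are made up for illustration.
SAMPLE_QUERIES = [
    ("pypi.org.", "A"),
    ("files.pythonhosted.org.", "AAAA"),
    ("s3.us-east-1.amazonaws.com.", "A"),
    ("sts.us-east-1.amazonaws.com.", "A"),
] + [
    ("".join(HEX[(i * 7 + j * 5) % 16] for j in range(32)) + ".tunnel.example.", "A")
    for i in range(6)
]

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname):
    """Split into (subdomain, parent). Parent is naively the last two labels;
    a production version would use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunnel_candidates(queries, min_unique=5, min_len=20, min_entropy=3.0):
    """Flag parents whose A/AAAA queries carry many distinct, long,
    high-entropy subdomains: the shape of data encoded into query names."""
    subs = defaultdict(set)
    for qname, qtype in queries:
        if qtype not in ("A", "AAAA"):  # the record types the summary says are allowed
            continue
        sub, parent = split_name(qname)
        if sub:
            subs[parent].add(sub)
    findings = {}
    for parent, names in subs.items():
        mean_len = sum(len(n) for n in names) / len(names)
        mean_ent = sum(entropy(n.replace(".", "")) for n in names) / len(names)
        # Require all three signals together to keep ordinary lookups out.
        if len(names) >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            findings[parent] = {"unique": len(names), "mean_len": mean_len,
                                "mean_entropy": round(mean_ent, 2)}
    return findings

if __name__ == "__main__":
    for parent, stats in find_tunnel_candidates(SAMPLE_QUERIES).items():
        print(parent, stats)
```

The thresholds are starting points to tune against a baseline of the environment's normal lookups.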