DNS Exfiltration Bypasses AWS Bedrock Sandbox Isolation and AWS Says It Is Intended Behaviour
Researchers demonstrate full C2 channels through DNS queries in sandboxed AI code interpreters
Researchers from Phantom Labs and Sonrai Security independently showed that DNS resolution bypasses sandbox isolation in AWS Bedrock's code execution environment, enabling credential theft, S3 bucket enumeration, and full command-and-control channels through DNS tunnelling.
The sandbox mode blocks outbound HTTP, HTTPS, and TCP connections but leaves DNS resolution on UDP port 53 fully functional. Attackers can encode stolen data into DNS subdomain labels, so each query that reaches the attacker-controlled authoritative DNS server carries credentials, file contents, or bucket names.
The attack chain begins with malicious input injection through crafted data files uploaded for AI analysis. The AI agent generates Python code influenced by the payload, which establishes a DNS-based C2 channel. The attacker can then return commands encoded in DNS responses and receive exfiltrated data in subsequent queries.
AWS's classification of this as intended behaviour rather than a security flaw has drawn sharp criticism from the security community, as it means organisations deploying AI agents with code execution capabilities on AWS cannot rely on the sandbox label for meaningful isolation.
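Because the data rides in subdomain labels, the channel described above is visible in resolver query logs. The following detection sketch is an added example, not code from the researchers or AWS; it assumes you can obtain the list of queried names, and its thresholds, function names and sample queries are illustrative assumptions.

```python
import math
from collections import Counter, defaultdict

def shannon_entropy(s):
    """Bits per character; encoded data scores higher than ordinary hostnames."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def parent_domain(qname):
    # Assumption: the last two labels are the registered domain. A production
    # detector should consult the Public Suffix List instead.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def find_tunnel_candidates(queries, min_unique=4, min_len=30, min_entropy=3.5):
    """Map each suspicious parent domain to its count of payload-like names."""
    subs_by_parent = defaultdict(set)
    for qname in queries:
        labels = qname.rstrip(".").lower().split(".")
        sub = "".join(labels[:-2])  # everything left of the parent domain
        if sub:
            subs_by_parent[parent_domain(qname)].add(sub)
    flagged = {}
    for parent, subs in subs_by_parent.items():
        hits = [s for s in subs
                if len(s) >= min_len and shannon_entropy(s) >= min_entropy]
        # One long random label is common (CDNs, trackers); many unique ones
        # under a single parent is the tunnelling pattern.
        if len(hits) >= min_unique:
            flagged[parent] = len(hits)
    return flagged

# Constructed sample log; the .example names and labels are placeholders.
SAMPLE_QUERIES = [
    "bedrock-runtime.us-east-1.amazonaws.com",
    "pypi.org",
    "files.pythonhosted.org",
    "d1a2b3c4e5f6g7h8i9j0k1l2m3n4o5p6.cdn.example",
    "k5xq2mzt7bwhd3rnfy6ajc4vgpeilosu.collector.example",
    "n3vha7qpz2ktw6yd4mjxbrc5gfuoeils.collector.example",
    "w7gd2pxk5ync3hbq6tzr4majfvlieous.collector.example",
    "q4zt6hmb2xkw7rdn3ycj5fagvpsuolie.collector.example",
]

if __name__ == "__main__":
    print(find_tunnel_candidates(SAMPLE_QUERIES))
```

The single long label under `cdn.example` is not flagged, which shows why the check combines label length and entropy with the number of unique names per parent domain.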
Analysis
Why This Matters
As organisations rush to deploy AI agents with code execution capabilities, the security model underlying these systems matters enormously. If the word "sandbox" does not actually mean isolation from network access, enterprises need to fundamentally rethink how they deploy AI code interpreters in sensitive environments.
Key Perspectives
AWS's position that DNS resolution is intended behaviour reflects a pragmatic reality — many legitimate operations require DNS — but leaves a significant attack surface unaddressed. Security researchers argue that a true sandbox should restrict all outbound communication channels.
What to Watch
Whether AWS reverses its position under pressure, and whether competing cloud providers offer more restrictive sandbox options that could differentiate their AI agent platforms on security.