AWS’ promise of “complete isolation” for agentic AI workflows on Bedrock is facing scrutiny after researchers found its sandbox mode isn’t as sealed as advertised.
In a recent disclosure, BeyondTrust detailed how the “Sandbox” mode in AWS Bedrock AgentCore’s Code Interpreter can be abused to break isolation boundaries using DNS queries. While the sandbox blocks most outbound traffic, it still allows DNS queries for A and AAAA records, potentially allowing attackers to establish a covert communication channel, leading to data exfiltration and remote command execution.
“AWS Bedrock’s sandbox isolation failed at the most fundamental layer, DNS, and the lesson isn’t that AWS shipped a bug, it’s that perimeter controls are architecturally insufficient against agentic AI execution environments,” said Ram Varadarajan, CEO at Acalvio. “No malware required, just a compliant model with poisoned inputs.”
BeyondTrust researchers said in a blog post that AWS acknowledged the report and reproduced the issue during the disclosure process, but ultimately chose not to patch the behavior, calling it an “intended functionality rather than a defect.”
The “allowed” DNS path breaks isolation
The issue is that the sandbox environment permits outbound DNS queries, which can be manipulated to create a bidirectional communication channel between the AI agent and an external attacker-controlled server. By encoding data into DNS queries and responses, BeyondTrust’s Phantom Labs team demonstrated exfiltrating data and even establishing an interactive reverse shell, without triggering any network restrictions.
“The (vulnerable) environment permits outbound DNS queries for A and AAAA records, a structural allowance that threat actors can exploit to establish a bidirectional command-and-control channel,” said Jason Soroko, senior fellow at Sectigo. Once that channel is in place, the rest becomes a question of permissions. If the agent is operating with overly broad IAM roles, the blast radius expands quickly.
“By leveraging this channel, attackers can secure an interactive reverse shell and execute arbitrary commands,” Soroko added. “If the AI execution environment is assigned overly permissive IAM roles, attackers can silently exfiltrate sensitive cloud data, such as S3 bucket contents, directly through these allowed DNS queries.”
Technically, the sandbox isn’t breached; it’s bypassed using a functionality that was always meant to be there. At least, that’s what AWS says.
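A detection-side view of the channel described above, as an added example that is not from BeyondTrust's or AWS's material: it scans resolver query logs for A and AAAA lookups whose subdomains look like encoded data rather than hostnames. The log format, the sample lines, the function names and the thresholds are all assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, one query per line: "<source> <qtype> <qname>".
# Sources and encoded-looking labels are made-up filler for the example.
SAMPLE_LOG = """\
interp-1 A s3.us-east-1.amazonaws.com
interp-1 AAAA s3.us-east-1.amazonaws.com
interp-1 A my-bucket.s3.us-east-1.amazonaws.com
interp-2 A 0a1.mfzwiylomvzgk3tfon2gs3thebxw4idu.t.example.net
interp-2 A 0a2.nbswy3dpeb3w64tmmqqho2lunbzsa5dp.t.example.net
interp-2 AAAA 0a3.orugs4zanfzsayjaorsxg5baon2he2lo.t.example.net
interp-2 A 0a4.m4qhizltoqqgm33sebshk3tdnfxgoidb.t.example.net
"""

def entropy(label):
    """Shannon entropy in bits per character."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def split_zone(qname, keep=2):
    # Assumption: the last `keep` labels approximate the registered domain.
    # Production code should consult the Public Suffix List instead.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-keep:]), labels[:-keep]

def find_tunnel_candidates(log, min_unique=3, min_len=24, min_entropy=3.5):
    """Return (source, zone, unique_names) for zones queried like a data channel."""
    seen = defaultdict(set)  # (source, zone) -> distinct subdomain strings
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] not in ("A", "AAAA"):
            continue  # malformed line, or a record type outside this check
        zone, sub = split_zone(parts[2])
        if sub:
            seen[(parts[0], zone)].add(".".join(sub))
    hits = []
    for (source, zone), names in sorted(seen.items()):
        # Judge each queried name by its longest label, where payload would sit.
        longest = [max(name.split("."), key=len) for name in names]
        mean_h = sum(entropy(label) for label in longest) / len(longest)
        if (len(names) >= min_unique
                and max(map(len, longest)) >= min_len
                and mean_h >= min_entropy):
            hits.append((source, zone, len(names)))
    return hits

if __name__ == "__main__":
    for source, zone, count in find_tunnel_candidates(SAMPLE_LOG):
        print(f"{source}: {count} distinct encoded-looking names under {zone}")
```

The three conditions are combined so that ordinary S3 endpoint lookups, which repeat a small set of short, low-entropy names, do not trip the check; the thresholds need tuning against a baseline of the environment's real query traffic.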
AWS allegedly rolled back a fix
BeyondTrust said it discovered and reported the vulnerability to AWS on September 1, 2025, via the bug bounty platform HackerOne. AWS reportedly acknowledged receipt of the report and deployed an initial fix to production in November.
However, BeyondTrust was informed a few days later that the initial fix had been rolled back due to “other factors” and that AWS was working on a more robust solution. Finally, in December, AWS told BeyondTrust that a fix would not be made because the behavior is “intended functionality,” and instead updated its documentation to clarify that Sandbox mode permits DNS resolution. The BeyondTrust researcher received a $100 AWS Gear Shop gift card for the finding.
An AWS spokesperson told CSO that all AWS services and infrastructure are operating as expected. “The Sandbox mode provides network access exclusively to Amazon S3 for your data operations, making it ideal for production workloads that rely on S3 data,” the spokesperson said. “DNS resolution is enabled to support successful execution of S3 operations.”
“Because AWS has determined this behavior is intended functionality and opted to update its documentation rather than issue a patch, security teams must proactively shift their defensive strategies,” Soroko said, recommending teams “inventory all active AgentCore Code Interpreter instances” and “migrate to VPC mode”.
Varadarajan points to a more adaptive approach. “The correct architectural response is to instrument the execution environment itself with deception artifacts — canary IAM credentials, honey S3 paths, DNS sinkholes — that an effective agent will inevitably surface precisely because it’s doing its job well,” he said.
AWS reportedly awarded the issue a CVSS score of 7.5. The documentation now reflects the change in the Sandbox mode description, which says the mode “provides limited external network access,” where it previously said it “provides complete isolation with no external network access.”