Executive Summary
In March 2026, cybersecurity researchers identified a vulnerability in Amazon Bedrock AgentCore's Code Interpreter, allowing attackers to exfiltrate sensitive data via DNS queries. The flaw permitted outbound DNS requests from the sandbox environment, enabling unauthorized data transmission. This vulnerability underscores the critical need for robust security measures in AI code execution platforms to prevent data breaches. Organizations utilizing AI agents must implement stringent controls to mitigate such risks.
Why This Matters Now
The discovery of this vulnerability highlights the evolving threat landscape in AI platforms, emphasizing the urgency for enhanced security protocols to protect sensitive data from sophisticated exfiltration techniques.
Attack Path Analysis
An attacker exploited the Amazon Bedrock AgentCore Code Interpreter's sandbox mode, which permitted outbound DNS queries, to establish a command-and-control channel and exfiltrate sensitive data. By leveraging this DNS communication, the attacker bypassed network isolation controls, executed arbitrary commands, and accessed AWS resources accessible via the Code Interpreter's IAM role, leading to potential data breaches and infrastructure compromise.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited the Code Interpreter's sandbox mode, which allowed outbound DNS queries, to establish a covert communication channel.
MITRE ATT&CK® Techniques
Exfiltration Over Unencrypted Non-C2 Protocol
Application Layer Protocol: DNS
Exploitation for Client Execution
Command and Scripting Interpreter
Valid Accounts
External Remote Services
System Information Discovery
Network Service Discovery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change Control Processes
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Data Protection
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
AI platform vulnerabilities in Amazon Bedrock enable DNS-based data exfiltration from code execution environments, threatening proprietary algorithms and customer data.
Financial Services
DNS exfiltration attacks against AI systems compromise sensitive financial data processing, violating PCI compliance and enabling unauthorized access to trading algorithms.
Health Care / Life Sciences
AI code interpreter vulnerabilities expose protected health information through DNS queries, violating HIPAA requirements and compromising patient data confidentiality.
Information Technology/IT
Sandbox escape vulnerabilities in AI platforms create remote code execution risks, enabling lateral movement and data exfiltration across cloud infrastructure.
Sources
- AI Flaws in Amazon Bedrock, LangSmith, and SGLang Enable Data Exfiltration and RCEhttps://thehackernews.com/2026/03/ai-flaws-in-amazon-bedrock-langsmith.htmlVerified
- Execute code and analyze data using Amazon Bedrock AgentCore Code Interpreterhttps://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/code-interpreter-tool.htmlVerified
- How AgentCore Tools session isolation workshttps://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/built-in-tools-how-it-works.htmlVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the attacker's ability to exploit network paths for command-and-control and data exfiltration, thereby reducing the potential blast radius within the cloud environment.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to establish covert communication channels over DNS would likely be constrained, reducing the risk of unauthorized external connections.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to access AWS resources beyond their intended scope would likely be limited, reducing the risk of unauthorized privilege escalation.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the environment would likely be constrained, reducing the risk of unauthorized access to additional services and resources.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to maintain a covert command-and-control channel over DNS would likely be limited, reducing the risk of persistent unauthorized communication.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data via DNS queries would likely be constrained, reducing the risk of data breaches.
The overall impact of data breaches and infrastructure compromise would likely be reduced, limiting the extent of unauthorized access and data loss.
Impact at a Glance
Affected Business Functions
- Data Analysis
- AI Model Training
- Automated Reporting
Estimated downtime: N/A
Estimated loss: N/A
Potential exfiltration of sensitive data accessible via the Code Interpreter's IAM role, including customer information and proprietary datasets.
Recommended Actions
Key Takeaways & Next Steps
- • Migrate critical workloads from Sandbox mode to VPC mode to enforce network isolation.
- • Implement DNS security controls, such as DNS firewalls, to monitor and block unauthorized DNS queries.
- • Apply the principle of least privilege by auditing and restricting IAM roles associated with the Code Interpreter.
- • Regularly monitor and analyze DNS traffic for signs of data exfiltration or command-and-control activities.
- • Educate development and security teams on the risks associated with DNS-based data exfiltration and the importance of network isolation.
