AWS Called It a Sandbox. DNS Didn't Get the Memo.
Tags: aws, sandbox, agentcore, bedrock, dns-exfiltration, cloud-security

BeyondTrust found that AWS Bedrock AgentCore's isolated sandbox leaks DNS — enabling C2, reverse shells, and S3 exfiltration. AWS responded by updating the docs.

Ofir Stein · March 21, 2026 · note

BeyondTrust dropped this one on March 17, right as the industry is packing bags for RSAC. Timing is either cruel or perfect depending on how you feel about AWS.

The finding: AWS Bedrock AgentCore markets an "isolated" execution sandbox for agentic workloads. It isn't. DNS traffic escapes. From inside the supposedly locked container, researchers demonstrated DNS-based C2 channels, reverse shell establishment, and S3 exfiltration. CVSS 7.5 — not critical on paper, catastrophic in context when the thing running inside is an autonomous agent with cloud credentials.

AWS's response? They updated the documentation.

No CVE. No patch. No architectural fix. Just a clarifying note that DNS isolation was never the promise. The container was always "limited," not "secure." Welcome to "documented by design" — the vendor response that reframes your security assumption as a user education problem.

This matters structurally. The whole pitch of managed agentic runtimes is that practitioners can offload the hard parts — execution isolation, credential scoping, blast radius containment. Bedrock AgentCore is positioned as the AWS-native answer to "how do I run agents safely." If DNS exfiltration is considered an acceptable and documented non-issue, then the security model being sold to practitioners is fiction.

DNS has always been the exfiltration channel that "secure" sandboxes forget. It's low-bandwidth, it bypasses most egress controls, and it works precisely because DNS is operationally necessary everywhere. Blocking it breaks things. Allowing it enables this.

Practitioners building on Bedrock AgentCore need to treat DNS as an open exfiltration channel today — no waiting for AWS to change their mind about what "isolated" means. Add DNS-level monitoring, restrict resolver access at the network layer, and don't assume the managed runtime is doing the containment work for you.
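One way to start on the DNS-level monitoring recommended above, as an added example that is not from the original post or from BeyondTrust's research: a Python pass over resolver query records that flags sources sending long, high-entropy, or unusually varied subdomains under a single parent domain. The record shape, source names, thresholds, and sample queries are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Illustrative thresholds (assumptions); tune against your own DNS baseline.
MAX_LABEL_LEN = 40         # labels longer than this are rare in normal traffic
MIN_ENTROPY = 3.5          # bits/char; encoded payloads score above hostnames
MAX_UNIQUE_SUBDOMAINS = 3  # distinct subdomains per (source, parent domain)

def shannon_entropy(s):
    """Bits per character of s."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def parent_domain(name):
    """Naive parent: last two labels. Use a public-suffix list in production."""
    return ".".join(name.split(".")[-2:])

def find_suspects(records):
    """records: iterable of (source, query_name) -> {(source, parent): [reasons]}."""
    subs, reasons = defaultdict(set), defaultdict(set)
    for src, qname in records:
        name = qname.rstrip(".").lower()
        parent = parent_domain(name)
        sub = name[: len(name) - len(parent)].rstrip(".")
        if not sub:
            continue  # bare parent domain, nothing encoded in front of it
        key = (src, parent)
        subs[key].add(sub)
        longest = max(sub.split("."), key=len)
        if len(longest) > MAX_LABEL_LEN:
            reasons[key].add("long_label")
        if len(longest) >= 16 and shannon_entropy(longest) >= MIN_ENTROPY:
            reasons[key].add("high_entropy")
    for key, seen in subs.items():
        if len(seen) > MAX_UNIQUE_SUBDOMAINS:
            reasons[key].add("many_unique_subdomains")
    return {k: sorted(v) for k, v in reasons.items()}

# Constructed sample records (not real traffic). "sandbox-a" makes ordinary
# lookups; "sandbox-b" sends rotating base32-looking labels under one parent.
B32 = "abcdefghijklmnopqrstuvwxyz234567"
SAMPLE = [
    ("sandbox-a", "s3.us-east-1.amazonaws.com"),
    ("sandbox-a", "pypi.org"),
    ("sandbox-a", "files.pythonhosted.org"),
] + [("sandbox-b", f"{B32[i:] + B32[:i]}.x.example.net") for i in range(5)]

if __name__ == "__main__":
    for (src, parent), why in find_suspects(SAMPLE).items():
        print(f"{src} -> {parent}: {', '.join(why)}")
```

Heuristics like these produce false positives on CDNs and telemetry domains, so pair them with an allowlist of parents the agent is expected to resolve.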

The RSAC conversations about "secure-by-design AI" are going to feel very different with this in the room.

Threat class: TH-W08 (Sandbox Escape via Protocol Leakage)