DNS Exfiltration in AWS Bedrock Code Interpreter
Summary
Hide ▲
Show ▼
Security researchers demonstrated a method to exfiltrate sensitive data from AWS Bedrock AgentCore Code Interpreter using DNS queries, bypassing network restrictions in Sandbox Mode. The technique involves embedding malicious instructions in files to create a covert command-and-control (C2) channel via DNS queries. The findings highlight architectural challenges in sandbox isolation and the risks of overly permissive IAM roles. AWS confirmed the behavior as intended and updated documentation, recommending migration to VPC mode for sensitive workloads.
Timeline
-
16.03.2026 15:00 1 articles · 3h ago
DNS Exfiltration Technique Demonstrated in AWS Bedrock Code Interpreter
Security researchers demonstrated a method to exfiltrate sensitive data from AWS Bedrock AgentCore Code Interpreter using DNS queries, bypassing network restrictions in Sandbox Mode. The technique involves embedding malicious instructions in files to create a covert command-and-control (C2) channel via DNS queries. AWS confirmed the behavior as intended and updated documentation, recommending migration to VPC mode for sensitive workloads.
Show sources
- Security Flaw in AWS Bedrock Code Interpreter Raises Alarms — www.infosecurity-magazine.com — 16.03.2026 15:00
Information Snippets
-
Researchers demonstrated DNS-based data exfiltration from AWS Bedrock AgentCore Code Interpreter in Sandbox Mode.
First reported: 16.03.2026 15:001 source, 1 articleShow sources
- Security Flaw in AWS Bedrock Code Interpreter Raises Alarms — www.infosecurity-magazine.com — 16.03.2026 15:00
-
Malicious CSV files with embedded instructions can influence Python code execution to communicate with external C2 servers via DNS queries.
First reported: 16.03.2026 15:001 source, 1 articleShow sources
- Security Flaw in AWS Bedrock Code Interpreter Raises Alarms — www.infosecurity-magazine.com — 16.03.2026 15:00
-
The technique allows basic command execution, listing S3 buckets, and extracting sensitive data despite network restrictions.
First reported: 16.03.2026 15:001 source, 1 articleShow sources
- Security Flaw in AWS Bedrock Code Interpreter Raises Alarms — www.infosecurity-magazine.com — 16.03.2026 15:00
-
Overly permissive IAM roles can increase risks, granting broad access to DynamoDB, Secrets Manager, and S3 buckets.
First reported: 16.03.2026 15:001 source, 1 articleShow sources
- Security Flaw in AWS Bedrock Code Interpreter Raises Alarms — www.infosecurity-magazine.com — 16.03.2026 15:00
-
AWS confirmed the behavior as intended and updated documentation to clarify Sandbox Mode's limitations.
First reported: 16.03.2026 15:001 source, 1 articleShow sources
- Security Flaw in AWS Bedrock Code Interpreter Raises Alarms — www.infosecurity-magazine.com — 16.03.2026 15:00
-
AWS recommends migrating sensitive workloads from Sandbox Mode to VPC Mode for better isolation.
First reported: 16.03.2026 15:001 source, 1 articleShow sources
- Security Flaw in AWS Bedrock Code Interpreter Raises Alarms — www.infosecurity-magazine.com — 16.03.2026 15:00