AWS AgentCore under scrutiny: how a sandbox flaw allows network isolation to be bypassed
A new security finding published by Unit 42 (Palo Alto Networks) questions one of the fundamental guarantees of modern cloud execution environments: network isolation. Researchers have demonstrated that the network isolation mode within the AgentCore sandbox can be bypassed, allowing communication with external systems via DNS tunneling techniques.
AWS AgentCore is designed to run code—including AI agents—in controlled environments where external connectivity is restricted to prevent data leakage or malicious behavior. However, analysis reveals that this isolation is not absolute.
The problem lies in how DNS resolutions are managed within the sandbox. While the environment blocks direct outgoing connections, it permits DNS queries which, under normal circumstances, are necessary for system operation. Researchers demonstrated that this channel can be exploited to establish covert communication with the outside world.
Through DNS tunneling, an attacker can encode data within DNS queries and send them to a domain they control. Similarly, they can receive information in the responses. This mechanism turns what should be a basic functionality into an exfiltration and remote control channel.
The significance of this finding is not only in the technique—well known in security—but also in the context in which it applies. In platforms like AgentCore, where potentially sensitive or automated code runs, the promise of isolation is key to its adoption. If that isolation can be bypassed, the trust model weakens.
This type of vulnerability has particularly important implications for AI environments. Agents can process sensitive data, interact with internal systems, or execute automated logic. If an attacker manages to introduce code or manipulate its behavior, they could use this channel to extract information without detection by traditional controls.
Moreover, using DNS as a communication channel makes detection difficult. Many security solutions do not deeply inspect DNS traffic or consider it low-risk, allowing this type of activity to go unnoticed for extended periods.
From a defensive standpoint, this case underscores the need for a stricter approach in monitoring isolated environments. It is not enough to block direct connections; all possible channels must be analyzed, including those considered ‘default safe’ like DNS.
Organizations that use isolated execution services should review their network controls, implement advanced DNS query monitoring, and consider more restrictive policies when dealing with sensitive environments. It is also crucial to assume that perfect isolation does not exist, and additional layers of detection and response must always be present.
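The DNS query monitoring recommended above can start from a per-domain heuristic: tunneling tends to produce many distinct, long, high-entropy subdomains under a single parent domain. The following Python is an added example, not code from Unit 42 or AWS; the query names, the thresholds and the two-label parent-domain rule are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of query names from a sandbox resolver log (not real traffic).
SAMPLE_QUERIES = [
    "api.service.example", "api.service.example", "cdn.service.example",
    "pkg.mirror.example", "pkg.mirror.example",
    *[f"node{i}.cluster.example" for i in range(6)],  # many names, but short
    "mzxw6ytboi4dsmrqgq3tmnzyhe2dkojr.t.tunnel.test",
    "nbswy3dpeb3w64tmmqqhg33nmuqgc3tu.t.tunnel.test",
    "krugs4zanfzsayjaorsxg5bamfzwizjb.t.tunnel.test",
    "ifbegrcfizdusskkjnge2tspkbiveu2u.t.tunnel.test",
    "gezdgnbvgy3tqojqgezdgnbvgy3tqojq.t.tunnel.test",
]

def shannon_entropy(s):
    """Bits per character of the string s."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parent_domain(qname):
    # Assumption: the last two labels form the registrable domain.
    # A production version should consult the Public Suffix List.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def score_domains(queries):
    """Return {parent: stats} computed over the unique names seen per parent."""
    names = defaultdict(set)
    for q in queries:
        names[parent_domain(q)].add(q.rstrip(".").lower())
    stats = {}
    for parent, qs in names.items():
        subs = [q[: -len(parent) - 1] for q in qs if q != parent]
        if not subs:
            continue
        stats[parent] = {
            "unique": len(subs),
            "avg_len": sum(map(len, subs)) / len(subs),
            "avg_entropy": sum(map(shannon_entropy, subs)) / len(subs),
        }
    return stats

def flag_tunnels(queries, min_unique=5, min_len=24, min_entropy=3.5):
    """Parents with many distinct, long, high-entropy subdomains."""
    return sorted(
        p for p, s in score_domains(queries).items()
        if s["unique"] >= min_unique and s["avg_len"] >= min_len
        and s["avg_entropy"] >= min_entropy
    )
```

Requiring all three signals together keeps a busy but ordinary domain such as the constructed `cluster.example` from being flagged on query count alone; thresholds need tuning against a baseline of the environment's normal DNS traffic.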
The conclusion is clear: as cloud platforms and AI evolve, so do evasion techniques. The sandbox remains a vital tool, but blindly relying on its isolation can become a risk.
Cracks in the Bedrock: Escaping the AWS AgentCore Sandbox
Summary: Unit 42 researchers at Palo Alto Networks discovered vulnerabilities in the network isolation mode of the AgentCore sandbox, enabling external data transmission and reception through DNS tunneling.
Key facts
- Unit 42 researchers discovered a vulnerability in the sandbox network isolation mode of Amazon Bedrock AgentCore.
- The issue enables external communication through DNS tunneling.
- This breach affects the sandbox mode and is critical for service security.
Why it matters
This finding is significant because it shows how the network isolation guarantees offered by the service can be compromised, with operational and security implications for organizations using AgentCore in their AI strategies.