Overview
AWS Bedrock AgentCore Code Interpreter’s “Sandbox” network mode is supposed to be walled off from the internet. It isn’t. Despite a “no external network access” configuration, the sandboxed interpreter can still issue A and AAAA DNS queries — and that’s enough to smuggle a full command-and-control channel out of the sandbox.
This project documents the research (disclosed via HackerOne) and ships a working proof-of-concept:
- DNS tunneling C2 — a bidirectional protocol over DNS queries and responses that delivers commands and exfiltrates output, yielding a fully interactive reverse shell. Commands are base64-encoded into
A-record responses (Route 53 delegating to an attacker-controlled nameserver on EC2); output is base64-encoded into subdomain query labels. - S3 exfiltration channel — an alternative path using presigned GET/PUT URLs to poll for commands and upload results to an attacker-controlled bucket.
- Blast radius — because the interpreter runs with an IAM role, the same code execution can exfiltrate data from S3 buckets and DynamoDB tables and invoke any AWS API the role permits.
The takeaway for defenders: AI agent code interpreters execute attacker-influenceable code by design, so “sandbox” guarantees have to be verified — DNS is a frequently-overlooked egress path.
Presented at BSides SF 2026 and fwd:CloudSec 2026. Full write-up on the BeyondTrust blog.
