Security Flaw in AWS Bedrock Code Interpreter Raises Alarms
https://www.infosecurity-magazine.com/news/security-flaw-aws-bedrock/
Publish Date: 2026-03-16 09:00:00
Source Domain: www.infosecurity-magazine.com
A method for exfiltrating sensitive data from AI-powered code execution environments using domain name system (DNS) queries has been demonstrated by security researchers, highlighting potential risks in cloud-based AI tooling.
The Phantom Labs Research report, published on March 16, focuses on AWS Bedrock AgentCore Code Interpreter and shows how attackers could bypass expected network restrictions in Sandbox Mode to retrieve data from cloud resources.
The technique relies on DNS resolution capabilities that remain active even when outbound network connections are otherwise restricted. According to the researchers, this behaviour allows malicious instructions embedded in files to create a covert command-and-control (C2) channel.
How the Technique Works
The attack begins with the creation of a malicious CSV file containing embedded instructions. When an AI agent processes the file and prepares code for execution within the Code Interpreter, the embedded content can influence the generated Python code.
Instead of performing standard analysis tasks, the code may be modified to communicate with an external C2 server via DNS queries. The system polls the server using DNS requests and executes any returned commands.
The researchers demonstrated several capabilities during testing:
- Executing basic commands such as whoami within the sandbox
- Listing available Amazon S3 buckets and their contents
- Extracting full file contents, including credentials, personal data and financial information
Despite these actions, the environment continued to report that network access was disabled.
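For defenders, the polling behaviour described above leaves a pattern in resolver logs: one source issuing many distinct, long, random-looking names under a single parent domain. The detector below is an added example, not code from the article or the Phantom Labs report; the log format, thresholds and hostnames are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: "<epoch> <source> <qname>".
# Hostnames use reserved example domains; the random-looking labels are made up.
SAMPLE_LOG = """\
1700000000 sandbox-1 www.example.com
1700000002 sandbox-1 api.example.com
1700000004 sandbox-1 cdn.example.com
1700000006 sandbox-1 static.example.com
1700000010 sandbox-1 mzxw6ytboi2gk3tf.tunnel.example
1700000015 sandbox-1 orugs4zanfzsa5dp.tunnel.example
1700000020 sandbox-1 nbswy3dpeb3w64tm.tunnel.example
1700000025 sandbox-1 kr2hs5dfon2ca2lo.tunnel.example
"""

def entropy(label):
    """Shannon entropy of a label, in bits per character."""
    counts = Counter(label)
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def suspicious_parents(log_text, min_unique=4, min_entropy=3.0, min_len=16):
    """Return (source, parent, unique_subdomains) for tunnelling-like query sets."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, source, qname = parts
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain to inspect
        # Assumption: the last two labels approximate the registered domain.
        parent = ".".join(labels[-2:])
        # Keep the longest label left of the parent; that is where data would ride.
        seen[(source, parent)].add(max(labels[:-2], key=len))
    findings = []
    for (source, parent), subs in sorted(seen.items()):
        mean_entropy = sum(entropy(s) for s in subs) / len(subs)
        mean_len = sum(len(s) for s in subs) / len(subs)
        if len(subs) >= min_unique and mean_entropy >= min_entropy and mean_len >= min_len:
            findings.append((source, parent, len(subs)))
    return findings

if __name__ == "__main__":
    for source, parent, n in suspicious_parents(SAMPLE_LOG):
        print(f"{source}: {n} unique high-entropy names under {parent}")
```

Counting distinct names alone would also flag the four ordinary example.com hosts, which is why the length and entropy conditions are combined with it.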
Ram Varadarajan, CEO at Acalvio, said the findings illustrate a deeper architectural challenge. “AWS Bedrock’s sandbox isolation failed at the most fundamental layer, DNS, and the lesson isn’t that AWS shipped a bug, it’s that perimeter controls are architecturally insufficient against agentic AI execution environments.”
Potential Impact on Cloud Environments
The…