Unit 42 researchers discovered critical vulnerabilities in Amazon Bedrock AgentCore's Code Interpreter sandbox. Despite being advertised as providing 'complete isolation with no external network access,' the sandbox mode was found to permit recursive DNS queries to arbitrary public domains, enabling DNS tunneling for bidirectional data exfiltration and C2 communication. Additionally, the AgentCore Runtime's microVM Metadata Service (MMDS) lacked session token enforcement (IMDSv1-style), making it vulnerable to SSRF attacks that could expose IAM credentials. Researchers also found undocumented MMDS endpoints leaking internal S3 pre-signed URLs and KMS Key IDs belonging to AWS's own backend infrastructure. The full attack chain allows breaking out of the sandbox via DNS, accessing IAM credentials via the unprotected metadata service, and exfiltrating them externally. AWS has since updated documentation, enforced MMDSv2 for new agents, and recommends VPC mode with Route 53 DNS Firewall for complete isolation.
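On the detection side, the DNS tunneling described above leaves a recognizable pattern in resolver logs: one source sending many unique, long, high-entropy subdomains under a single parent zone. The following is an added example, not code from the Unit 42 article or from AWS. It assumes the agent runs in VPC mode with Route 53 Resolver query logging enabled; the sample records, the thresholds and the two-label parent-zone rule are illustrative assumptions.

```python
import json
import math
from collections import Counter, defaultdict

# Constructed sample data: base32-looking labels under a reserved .example zone.
PAYLOADS = [
    "mzxw6ytboi2gk3tuebuw4idcmfzxiylomqqho33s",
    "kr4gs4zanfzsa3tpoqqgcidsmvqwyidtmvrxezlu",
    "onswg4tfoqqhmylmovsseylomqqg233smuqhgzld",
    "nfxgoidemf2gcidun5qhg2dpo4qhi2dfebzwg4tj",
    "obuw4zzao5uxi2banruw42znmfwca3dbmjswyidj",
]
BENIGN = ["sts.amazonaws.com.", "s3.us-east-1.amazonaws.com.", "files.pythonhosted.org."]
# One JSON object per line, using the Resolver query-log field names query_name/srcaddr.
SAMPLE_LOG = "\n".join(
    json.dumps({"query_name": name, "srcaddr": "10.0.1.20"})
    for name in BENIGN + [p + ".lab-zone.example." for p in PAYLOADS]
)

def shannon_entropy(text):
    """Bits per character of the character distribution in text."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def split_name(query_name, parent_labels=2):
    """Return (parent zone, joined subdomain labels). Assumption: the parent is
    the last two labels; production code should use the Public Suffix List."""
    labels = query_name.rstrip(".").lower().split(".")
    return ".".join(labels[-parent_labels:]), "".join(labels[:-parent_labels])

def find_tunnel_candidates(log_text, min_unique=4, min_avg_len=30, min_entropy=3.5):
    """Flag (source, parent zone) pairs with many long, high-entropy subdomains."""
    seen = defaultdict(set)
    for line in filter(str.strip, log_text.splitlines()):
        record = json.loads(line)
        parent, payload = split_name(record["query_name"])
        if payload:
            seen[(record["srcaddr"], parent)].add(payload)
    findings = []
    for (src, parent), payloads in sorted(seen.items()):
        avg_len = sum(map(len, payloads)) / len(payloads)
        if (len(payloads) >= min_unique and avg_len >= min_avg_len
                and shannon_entropy("".join(payloads)) >= min_entropy):
            findings.append({"srcaddr": src, "parent": parent,
                             "unique_names": len(payloads), "avg_payload_len": avg_len})
    return findings

if __name__ == "__main__":
    for finding in find_tunnel_candidates(SAMPLE_LOG):
        print(finding)
```

Thresholds need tuning against a baseline of the agent's normal lookups, since CDNs and telemetry endpoints also generate long machine-made labels.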

17m read time. From unit42.paloaltonetworks.com
Table of contents
AgentCore Architecture and Isolation
Phase 1: Internal Reconnaissance
Phase 2: The Clue in the Metadata
Phase 3: The Great Escape
Phase 4: Beyond the Sandbox