Unit 42 researchers discovered a method to bypass the network isolation of Amazon Bedrock AgentCore's Code Interpreter sandbox using DNS tunneling. Combined with a legacy MMDSv1 configuration that lacked session token enforcement, attackers could potentially exploit SSRF to extract highly privileged IAM credentials and exfiltrate them via the DNS covert channel.