DNS Exfiltration from AWS Bedrock "Sandboxed" Code Interpreters — and AWS Says It's Fine

AWS Bedrock AgentCore Code Interpreter lets attackers exfiltrate data via DNS queries even in "Sandbox" mode — and AWS classified it as intended behavior, not a vulnerability. Researchers from Phantom Labs and Sonrai Security independently demonstrated that DNS resolution bypasses sandbox isolation, enabling credential theft, S3 bucket enumeration, and full C2 channels through the one protocol every firewall allows by default. If you deploy AI agents with code execution on AWS, the word "sandbox" doesn't mean what you think it means. How DNS Exfiltration Bypasses Sandbox Isolation Sandbox mode blocks outbound HTTP, HTTPS, and TCP — but DNS resolution on UDP 53 stays fully functional. Attackers encode stolen data into DNS subdomain labels: c2VjcmV0LWtleQ.attacker-domain.com These queries reach an attacker-controlled authoritative DNS server, carrying credentials, file contents, or bucket names in each request. The Attack Chain Malicious input injection — crafted CSV with embedded instru