The domain name system (DNS), a foundational component of internet infrastructure, has been leveraged in a newly discovered attack method that allows for data exfiltration from artificial intelligence (AI) code execution environments. Disclosed this week, the technique targets Amazon Bedrock and uses DNS queries to enable unauthorized data transfer, raising serious concerns for cybersecurity professionals working with cloud-based AI platforms.
The Flaw Identified Within Amazon Bedrock AgentCore
In a report published Monday, BeyondTrust detailed the exploitation of Amazon Bedrock’s AgentCore Code Interpreter. Researchers found that the sandbox mode of the interpreter — designed to isolate code and provide a controlled execution environment — still permits outbound DNS queries. These outbound queries can be exploited by attackers to establish interactive shells, through which sensitive data can be extracted without triggering standard perimeter defenses.
The sandbox environment, while intended to restrict unauthorized activity, does not block DNS traffic, leaving a channel open that threat actors can manipulate. BeyondTrust’s findings underscore that even purpose-built isolation environments carry residual risk when network-layer controls are incomplete.
How DNS Becomes a Tool for Covert Exfiltration
DNS queries, traditionally used for domain name resolution and internet routing, have become a vehicle for exploitation under this technique. Researchers demonstrated several key attack behaviors:
- Attackers can craft specific DNS queries to covertly transmit data outside the sandbox environment, bypassing conventional data loss prevention tools.
- These queries can be used to establish interactive sessions, functioning similarly to remote shells, enabling continuous and low-profile data extraction.
- Because DNS traffic is rarely blocked outright in cloud environments, the method is particularly difficult to detect using standard monitoring approaches.
This style of DNS-based exfiltration is not entirely new to the threat landscape, but its application within AI code execution sandboxes represents a meaningful escalation in attack surface complexity.
Security Implications for AI Code Execution Environments
This method of leveraging DNS queries for exfiltration carries far-reaching security implications for organizations running AI workloads in sandboxed environments. Businesses relying on platforms like Amazon Bedrock for secure, isolated code execution must reassess their defensive posture in light of this disclosure.
Security and infrastructure teams should consider the following steps:
- Conduct thorough audits of DNS traffic to identify unusual patterns, unexpected query volumes, or outgoing requests to unknown domains.
- Implement strict monitoring and alerting protocols specifically for DNS activities originating from AI execution environments.
- Review and tighten sandbox configurations to restrict or block outbound connectivity, with particular attention to DNS egress paths.
- Work with cloud providers to understand what network controls can be applied at the infrastructure level to reduce exposure.
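One way to start the DNS audit described above, as an added example rather than code from BeyondTrust or AWS: it groups queried names by parent domain and flags parents that receive long labels or many unique, high-entropy subdomains. The `(source, qname)` record shape, the thresholds, and the two-label parent rule are assumptions, and the sample queries are constructed.

```python
import math
from collections import Counter, defaultdict

# Illustrative thresholds (assumptions); tune against your own DNS baseline.
MAX_LABEL_LEN = 40     # a single label longer than this is unusual
MIN_UNIQUE_NAMES = 5   # distinct names seen under one parent domain
MIN_ENTROPY = 3.0      # mean bits per character of the subdomain part

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def parent_domain(qname):
    """Last two labels; a simplification that ignores public-suffix rules."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def suspicious_parents(queries):
    """Map parent domain -> reasons its queries look like encoded data."""
    by_parent = defaultdict(set)
    for _source, qname in queries:
        by_parent[parent_domain(qname)].add(qname.rstrip(".").lower())
    findings = {}
    for parent, names in by_parent.items():
        subs = [n[: -len(parent)].rstrip(".") for n in names if n != parent]
        if not subs:
            continue
        reasons = []
        longest = max(len(label) for s in subs for label in s.split("."))
        if longest > MAX_LABEL_LEN:
            reasons.append(f"label of {longest} chars")
        mean_h = sum(entropy(s.replace(".", "")) for s in subs) / len(subs)
        if len(subs) >= MIN_UNIQUE_NAMES and mean_h >= MIN_ENTROPY:
            reasons.append(f"{len(subs)} unique high-entropy names")
        if reasons:
            findings[parent] = reasons
    return findings

# Constructed sample (not real traffic): ordinary lookups plus six long,
# unique names under one parent, as a chunked-encoding channel would produce.
ALPHA = "abcdefghijklmnopqrstuvwxyz234567"
SAMPLE = [("sandbox-1", n) for n in ("api.example.com", "www.example.com", "pkg.example.org")]
SAMPLE += [("sandbox-1", f"{ALPHA[i:] + ALPHA[:i] + ALPHA[:16]}.{i}.t.example.net") for i in range(6)]

if __name__ == "__main__":
    for parent, reasons in suspicious_parents(SAMPLE).items():
        print(parent, "->", "; ".join(reasons))
```

In practice the input would come from resolver query logs filtered to the AI execution environment's source addresses, with known-good parents allow-listed before alerting.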
Organizations Must Take a Proactive Stance on Sandbox Security
Reactive security measures are insufficient when dealing with attack techniques that exploit trusted, low-visibility protocols like DNS. Organizations that treat sandbox environments as inherently secure without validating underlying network controls are leaving meaningful gaps in their defenses.
By enforcing robust DNS monitoring, reviewing egress filtering policies, and engaging directly with cloud platform security documentation, organizations can reduce the likelihood of a successful exfiltration attempt. The BeyondTrust disclosure serves as a timely reminder that even well-architected environments require continuous review as adversaries find new ways to abuse trusted infrastructure components.
The discovery highlights a significant attack vector that reinforces the need for disciplined, ongoing security practices in protecting data within AI code execution environments — particularly as enterprise adoption of cloud-based AI platforms continues to grow.
