
Security Flaw in AWS Bedrock Code Interpreter Raises Alarms
Why It Matters
The finding exposes a fundamental flaw in Bedrock's sandbox isolation, putting enterprises that rely on AI‑driven code execution at risk of data leakage and highlighting the need for stricter network and permission controls.
Key Takeaways
- DNS queries bypass Bedrock sandbox network restrictions.
- Attack can list S3 buckets and steal credentials.
- Over‑permissive IAM roles amplify data exposure risk.
- AWS calls behavior intended, updates documentation only.
- Migrate critical workloads to VPC mode for isolation.
Pulse Analysis
The rise of agentic AI services like AWS Bedrock’s Code Interpreter has introduced a new attack surface where code execution and cloud infrastructure intersect. While sandbox modes are marketed as safe environments, they often retain minimal network functions such as DNS resolution. This residual capability can be weaponized, allowing malicious payloads to establish covert channels without triggering traditional outbound‑traffic alerts. Understanding the nuances of these built‑in services is essential for security teams tasked with protecting AI‑enhanced workloads.
Phantom Labs’ proof‑of‑concept illustrates how a crafted CSV file can inject Python code that leverages DNS queries to retrieve commands and exfiltrate data. The technique bypasses the sandbox’s network restrictions, enumerates Amazon S3 buckets, reads Secrets Manager entries, and even extracts raw file contents. The risk escalates dramatically when the interpreter inherits overly permissive IAM roles—such as the default AgentCore Starter Toolkit role—which grant broad access to DynamoDB, Secrets Manager, and all S3 resources. In such configurations, a single compromised interpreter instance can become a gateway to an organization’s most sensitive assets.
AWS’s stance that the observed behavior is “intended” rather than a vulnerability shifts responsibility to customers. The recommended mitigation—migrating high‑value workloads from Sandbox to VPC mode—adds network isolation but also demands rigorous inventory management and role‑based access controls. As AI agents gain more autonomy, cloud providers and enterprises must rethink perimeter security, treating DNS resolution as a potential exfiltration vector and enforcing least‑privilege IAM policies. Proactive monitoring, strict role hygiene, and architecture‑level segmentation will be critical to preventing similar exploits in the evolving AI‑cloud landscape.
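The covert channel the analysis describes leaves a recognisable footprint in resolver query logs: many unique, long, high-entropy subdomain labels under a single domain from a single source. The detector below is an added example, not code from Phantom Labs or AWS; it runs over constructed records that borrow a subset of Route 53 Resolver query-log field names (query_name, srcaddr, query_timestamp) and assumes the interpreter runs in VPC mode, where its DNS traffic passes through a logged resolver.

```python
import hashlib
import math
from collections import defaultdict

def split_name(qname):
    """Split 'label.sub.domain.tld.' into (domain.tld, leftmost label)."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:
        return None, None  # bare domain: no subdomain label to inspect
    # Simplification: last two labels = registered domain (no public-suffix list).
    return ".".join(labels[-2:]), labels[0]

def shannon_entropy(s):
    """Bits per character; random hex-looking labels score near 4."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0

def score_dns_log(records, min_unique=20, min_len=30, min_entropy=3.0):
    """Flag (srcaddr, domain) pairs with many unique, long, high-entropy labels."""
    seen = defaultdict(set)
    for r in records:
        domain, label = split_name(r["query_name"])
        if domain is not None:
            seen[(r["srcaddr"], domain)].add(label)
    flagged = []
    for (src, domain), labels in seen.items():
        long_labels = [l for l in labels if len(l) >= min_len]
        if len(labels) < min_unique or not long_labels:
            continue  # few unique names, or only short labels: normal lookups
        mean_ent = sum(shannon_entropy(l) for l in long_labels) / len(long_labels)
        if mean_ent >= min_entropy:
            flagged.append((src, domain, {"unique": len(labels), "mean_entropy": round(mean_ent, 2)}))
    return flagged

def constructed_records():
    """Constructed sample (not real traffic) using a subset of Resolver query-log fields."""
    src, ts = "10.0.1.20", "2024-01-01T00:00:00Z"
    benign = ["pypi.org.", "files.pythonhosted.org.", "s3.us-east-1.amazonaws.com.", "sts.amazonaws.com."]
    recs = [{"query_name": q, "srcaddr": src, "query_timestamp": ts} for q in benign]
    # Synthetic long high-entropy labels under one placeholder domain stand in
    # for what tunnelled queries look like from the resolver's point of view.
    for i in range(25):
        label = hashlib.sha256(f"constructed-{i}".encode()).hexdigest()[:48]
        recs.append({"query_name": f"{label}.tunnel-placeholder.example.", "srcaddr": src, "query_timestamp": ts})
    return recs

if __name__ == "__main__":
    for src, domain, stats in score_dns_log(constructed_records()):
        print(f"suspicious DNS pattern from {src} under {domain}: {stats}")
```

Thresholds are starting points; tune min_unique and min_len against a baseline of the workload's normal package-index and AWS endpoint lookups before alerting on them.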