TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Palo Alto Unit 42

Cracks in the Bedrock: Escaping the AWS AgentCore Sandbox

Ori Hadad · 2026-04-07

ATT&CK techniques detected

21 predictions
T1071.004 DNS
99%
“might permit recursive dns queries to arbitrary public domains. proof of concept : exploiting the dns egress vector this sandbox design reveals a channel for data exfiltration : dns tunneling. even in environments where direct internet access is severed, the ability to resolve ar…”
T1572 Protocol Tunneling
98%
“security assessment - the unit 42 cloud security assessment if you think you might have been compromised or have an urgent matter, contact the unit 42 incident response team. investigation overview : scope, methodology and key findings our investigation focused on the code interp…”
T1572 Protocol Tunneling
95%
“data – is logged. figure 3 details the poc script. upon execution, our authoritative nameserver immediately received the query, confirming that the data had successfully traversed the sandbox boundary, as shown in figure 4. finally, as shown in figure 5, performing a whois lookup…”
T1572 Protocol Tunneling
95%
“of the dns resolution capability through incremental testing and discovered a channel for data exfiltration : dns tunneling. watching our dns server logs, we saw the query arrive instantly, establishing a covert bi - directional channel out of the sandbox. we had successfully tur…”
T1525 Implant Internal Image
94%
“- nov. 18, 2025 – aws security team responded that they are investigating. - dec. 14, 2025 – aws security team reached out for more details. - jan. 28, 2026 – aws security team provided clarifications regarding our findings and commitment for internal remediations. - feb. 14, 202…”
T1552.005 Cloud Instance Metadata API
94%
“our environmental reconnaissance by investigating the microvm architecture and mmds accessibility. in modern aws ec2 environments, accessing metadata usually defaults to imdsv2 ( although imdsv1 is not actually disabled by default ), which mandates a session token ( http put requ…”
T1552.005 Cloud Instance Metadata API
91%
“is an intended feature, this same configuration primarily simplifies the retrieval of credentials and does not function as a vulnerability in itself, regardless of whether v1 or v2 mmds protocols are used. with credential access confirmed locally, our investigation shifted to the…”
T1572 Protocol Tunneling
89%
“cracks in the bedrock : escaping the aws agentcore sandbox executive summary when researching the boundaries of cloud services, two of the main aspects that come to mind are network and identity. in this two - part series, we present our research into the boundaries and resilienc…”
T1525 Implant Internal Image
87%
“, which helps to provide comprehensive visibility and posture management for ai agents across aws and azure environments. cortex ai - spm is designed to mitigate critical risks, including over - privileged ai agent access, misconfigurations and unauthorized data exposure. cortex …”
T1525 Implant Internal Image
86%
“signaturedoesnotmatch error. this server error message includes the awsaccesskeyid of the signing identity, as figure 7 shows. after extracting this key id, we used the aws security token service ( sts ) command - line interface to show information about the key id : the response…”
T1059 Command and Scripting Interpreter
83%
“services : the code interpreter tool and the agentcore runtime. agentcore code interpreter is one of several built - in tools for ai agents, designed specifically to execute code, often generated dynamically by large language models ( llms ). the service supports three network co…”
T1525 Implant Internal Image
78%
“in response to our research regarding the s3 pre - signed urls and metadata exposure, aws confirmed that this represents expected behavior. the access keys and account ids are part of the backend infrastructure, do not belong to customer accounts, and the pre - signed urls are na…”
T1525 Implant Internal Image
71%
“##box mode. our discovery showed that this isolation is incomplete. we outline the steps we took to identify the sandbox bypass. we also identified a critical security regression where the agentcore runtime utilized a microvm metadata service ( mmds ) that lacks session token enf…”
T1572 Protocol Tunneling
68%
“aws documentation - understanding credentials management in amazon bedrock agentcore – aws documentation - what is dns tunneling? – palo alto networks - when an attacker meets a group of agents : navigating amazon bedrock ' s multi - agent applications – unit 42 - aws imdsv1 vuln…”
T1572 Protocol Tunneling
68%
“cloud provider offers less isolation than anticipated. our research shows that cloud providers sometimes use customer - facing features to enable capabilities like log collection, and accept the risk inherent in this setup. by chaining together dns tunneling and the legacy mmdsv1…”
T1613 Container and Resource Discovery
64%
“making it a central pillar of the agent architecture. to fully understand the risks of escaping the sandbox mode or abusing the runtime environment, we first needed to understand how their underlying metadata is managed. both services operate on ephemeral microvms, which are ligh…”
T1572 Protocol Tunneling
62%
“can receive instructions or payloads from the attacker ' s server in the form of dns response. this effectively enables a full c2 loop over dns. to summarize so far, this capability is particularly dangerous in the context of identity. because users trust the " sandbox " guarante…”
T1552.005 Cloud Instance Metadata API
62%
“##box mode. our discovery showed that this isolation is incomplete. we outline the steps we took to identify the sandbox bypass. we also identified a critical security regression where the agentcore runtime utilized a microvm metadata service ( mmds ) that lacks session token enf…”
T1525 Implant Internal Image
52%
“that code executing within the code interpreter ( or agentcore runtime ) can query these paths to retrieve a valid s3 pre - signed url and a corresponding kms key id. the returned url targets an internal, aws - controlled s3 bucket, as displayed in figure 6. scoped s3 objectwrite…”
T1583.002 DNS Server
45%
“might permit recursive dns queries to arbitrary public domains. proof of concept : exploiting the dns egress vector this sandbox design reveals a channel for data exfiltration : dns tunneling. even in environments where direct internet access is severed, the ability to resolve ar…”
T1090.002 External Proxy
41%
“list or a transparent proxy designed to facilitate specific aws service interactions. this observation directed our analysis to the foundation of the network stack : dns. phase 3 : the great escape to validate our hypothesis of the network ’ s permeability, we executed a series o…”

Summary

Unit 42 uncovers critical vulnerabilities in Amazon Bedrock AgentCore's sandbox, demonstrating DNS tunneling and credential exposure.