AWS’ promise of “complete isolation” for agentic AI workflows on Bedrock is facing scrutiny after researchers found its sandbox mode isn’t as sealed as advertised. In a recent disclosure, BeyondTrust detailed how the “Sandbox” mode in AWS Bedrock AgentCore’s Code Interpreter can be abused to break isolation boundaries using DNS queries. While the sandbox blocks most outbound traffic, it still allows DNS queries for A and AAAA records, potentially allowing attackers to establish a covert communication channel, leading to data exfiltration and remote command execution. “AWS Bedrock’s sandbox isolation failed at the most fundamental layer, DNS, and the lesson isn’t that AWS shipped a bug, it’s ...