AWS Bedrock attack vectors

Researchers have published multiple attack vectors in AWS Bedrock, detailing eight exploitable patterns that make secure inference deployments a material concern. Those findings create an opening to compare hardened deployment patterns and vendor support for production models. (thehackernews.com)

XM Cyber’s threat research team published a technical attack-path mapping that shows Bedrock integrations can be chained to reach enterprise services such as Salesforce, AWS Lambda, SharePoint, Pinecone-style vector stores, Redis, Amazon Aurora and Redshift. (thehackernews.com)

BeyondTrust’s Phantom Labs disclosed on March 16, 2026 that the AWS Bedrock AgentCore Code Interpreter “Sandbox” network mode permits outbound DNS queries, enabling covert command‑and‑control channels and data exfiltration. (beyondtrust.com) Researchers demonstrated a proof‑of‑concept that the sandbox behavior can be abused to query the instance metadata service at 169.254.169.254 to steal IAM credentials and then read S3 buckets, Secrets Manager entries and DynamoDB tables. (firstpasslab.com) Multiple security outlets reported the AgentCore sandbox issue with a CVSS v3 severity around 7.5 and described attackers gaining interactive shells or remote command execution by encoding traffic inside DNS A/AAAA lookups. (csoonline.com)

AWS documentation and Bedrock guidance state that the Code Interpreter “Sandbox” offers limited external network access and explicitly allows DNS resolution and S3 access, while AWS also promotes Bedrock Guardrails as configurable safeguards for production model deployments. (aws.amazon.com; firstpasslab.com)

XM Cyber announced product updates on March 17, 2026 that add AI‑specific visibility, validated attack‑path mapping and governance controls to its Continuous Exposure Management Platform in direct response to AI‑layer exposure research. (xmcyber.com)

Operational mitigations published by Phantom Labs and network engineering guides include enforcing least‑privilege IAM for interpreter roles, running AgentCore workloads in VPC‑only configurations, and deploying DNS inspection/tunneling detection to block covert exfiltration channels. (beyondtrust.com; firstpasslab.com)
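As an added defensive example (not code from any of the cited reports or from AWS), the following Python scores Route 53 Resolver-style query-log records for the tunneling pattern the reports describe: long, high-entropy subdomain labels that never repeat under one parent domain. The log lines are constructed, and the field names query_name, query_type and srcaddr are assumed from that log format.

```python
import json
import math
from collections import defaultdict

# Constructed records in the shape of Route 53 Resolver query logs (subset of fields;
# query_name / query_type / srcaddr are assumed names). 10.0.1.7 is benign traffic,
# 10.0.1.9 emits never-repeating hex-looking labels under one parent, as a tunnel would.
SAMPLE_LOG_LINES = [
    '{"query_name":"pypi.org.","query_type":"A","srcaddr":"10.0.1.7"}',
    '{"query_name":"files.pythonhosted.org.","query_type":"A","srcaddr":"10.0.1.7"}',
    '{"query_name":"s3.us-east-1.amazonaws.com.","query_type":"A","srcaddr":"10.0.1.7"}',
    '{"query_name":"4a3f9c1e7b2d80aa55f1c0de9b7e.exfil-example.test.","query_type":"A","srcaddr":"10.0.1.9"}',
    '{"query_name":"c8e2b41f0d9a6e73b5c1a9f0e2d4.exfil-example.test.","query_type":"AAAA","srcaddr":"10.0.1.9"}',
    '{"query_name":"7d1e5a9c3b8f2e6d0a4c7b9e1f3a.exfil-example.test.","query_type":"A","srcaddr":"10.0.1.9"}',
    '{"query_name":"e6b0c2f8a1d3e5b7c9d1f3a5b7c9.exfil-example.test.","query_type":"A","srcaddr":"10.0.1.9"}',
]

def shannon_entropy(text: str) -> float:
    """Bits per character; encoded blobs score well above ordinary hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(query_name: str):
    """Return (subdomain_part, parent); parent approximated as the last two labels."""
    labels = query_name.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def is_suspicious_label(sub: str, min_len: int = 20, min_entropy: float = 3.2) -> bool:
    """One query looks like an encoded chunk when its subdomain is long and high-entropy."""
    return len(sub) >= min_len and shannon_entropy(sub) >= min_entropy

def find_tunneling(lines, min_unique: int = 3):
    """Flag (srcaddr, parent, count) where a source sent >= min_unique distinct
    encoded-looking subdomains to one parent: data leaving inside query names."""
    seen = defaultdict(set)
    for line in lines:
        rec = json.loads(line)
        sub, parent = split_name(rec["query_name"])
        if is_suspicious_label(sub):
            seen[(rec["srcaddr"], parent)].add(sub)
    return sorted((src, parent, len(subs)) for (src, parent), subs in seen.items()
                  if len(subs) >= min_unique)

if __name__ == "__main__":
    for src, parent, n in find_tunneling(SAMPLE_LOG_LINES):
        print(f"possible DNS tunnel: {src} -> {parent} ({n} unique encoded labels)")
```

Thresholds are starting points; tune them against a baseline of the VPC's normal resolver traffic before alerting on them.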
