What does it mean when a protective layer meant to separate code and services can be slipped through? Security researchers at Unit 42 have laid out an unsettling set of answers: they say Amazon Bedrock AgentCore’s sandbox can be escaped, using DNS tunneling and exposing credentials in the process.
What Unit 42 reported
In a post titled "Cracks in the Bedrock: Escaping the AWS AgentCore Sandbox," Unit 42 described discovering "critical vulnerabilities in Amazon Bedrock AgentCore's sandbox, demonstrating DNS tunneling and credential exposure." The write-up — published by Unit 42 — documents how those two techniques figured in their analysis.
The technical findings, in plain terms
Unit 42’s account centers on two concrete vectors they demonstrated: DNS tunneling and credential exposure. Those are the only technical specifics identified in the Unit 42 summary: the sandbox was subject to an escape scenario in which DNS tunneling and the exposure of credentials played central roles.
Why this matters — perspectives to consider
- Technologists: The findings, as described by Unit 42, flag questions about the integrity of sandbox boundaries and the effectiveness of current isolation controls that operators rely on.
- Policymakers and regulators: Public disclosure of sandbox-escape techniques prompts scrutiny of how cloud-hosted agent environments are governed and tested, and whether standards or expectations should shift in response.
- Users and enterprises: Unit 42’s demonstration that credential exposure occurred raises concerns for organizations that depend on sandboxed services to limit privilege and protect secrets.
- Adversaries: The disclosure of demonstrated techniques can inform defensive work but also supply a roadmap that motivated attackers could study; Unit 42’s report therefore has dual-use characteristics.
A cautious conclusion
Unit 42’s post makes a narrow but significant claim: the AgentCore sandbox, as tested, was not impermeable. The researchers documented DNS tunneling and credential exposure as elements of their escape. That combination — publicized in a respected security report — leaves practitioners and policymakers with a key question: how quickly and thoroughly will operators and vendors reassess sandbox design and defensive assumptions in light of these findings?
https://unit42.paloaltonetworks.com/bypass-of-aws-sandbox-network-isolation-mode/




