Cracks in the Bedrock Escaping the AWS AgentCore Sandbox #277

Open
carlospolop wants to merge 1 commit into master from update_Cracks_in_the_Bedrock__Escaping_the_AWS_AgentCore__20260408_020957

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://unit42.paloaltonetworks.com/bypass-of-aws-sandbox-network-isolation-mode/
  • Blog Title: Cracks in the Bedrock: Escaping the AWS AgentCore Sandbox
  • Suggested Section: AWS Pentesting -> Post Exploitation -> AWS - Bedrock Post Exploitation (new subsection: AgentCore/Code Interpreter sandbox escape via DNS tunneling + MMDS/IMDS tokenless metadata); also cross-link from Pentesting Cloud Methodology / Egress controls bypass and from Cloud SSRF (metadata 169.254.169.254) sections

🎯 Content Summary

Title: Cracks in the Bedrock: Escaping the AWS AgentCore Sandbox (Unit 42, published April 7, 2026)


What was tested (scope) and why it matters:
Unit 42 analyzed Amazon Bedrock AgentCore (GA announced late 2025) focusing on two security boundaries that cloud “sandboxes” commonly rely on: network isolation (to prevent exfiltration/C2 even if code runs) and identity/metadata isolation (to prevent credential theft via metadata services). The re...

🔧 Technical Details

DNS recursion → DNS tunneling to escape “network-isolated” sandboxes: If a sandbox blocks outbound TCP/UDP to arbitrary IPs but still allows recursive DNS resolution for arbitrary domains, DNS becomes a covert transport. Exfiltration is done by encoding data into the query name (often as Base64 in subdomains like <data>.attacker.tld) and forcing a lookup so the attacker’s authoritative DNS server receives/logs it. Inbound control is possible by embedding commands/payload fragments in DNS responses, enabling a bidirectional C2 loop that can bypass traditional egress controls.


Tokenless metadata services amplify SSRF into cloud credential theft: When a workload metadata endpoint at 169.254.169.254 accepts unauthenticated GET requests (no IMDSv2/MMDSv2 session token requirement), any SSRF primitive can query metadata paths and retrieve temporary IAM role credentials. Once obtained, those credentials can be exfiltrat...

🤖 Agent Actions

I’m mapping the repo first, then I’ll read the closest AWS, AI, SSRF, and egress-related pages before deciding where a single update fits best.
I found the likely landing zones. Next I’m reading the AWS post-exploitation index, Bedrock enum page, EC2/VPC post-exploitation material, the cloud methodology page, and metadata/SSRF-related content to avoid duplication and pick one file.
The existing aws-bedrock-post-exploitation/README.md is the best fit so far: it already collects Bedrock-specific post-exploitation patterns, and it keeps this AWS-managed-agent content out of generic cloud pages. I’m now checking for overlap on AgentCore/MMDS, DNS tunneling, and cloud-SSRF metadata coverage before patching one file only.
I’ve confirmed the new material is missing and scoped it to a single Bedrock post-exploitation page. I’m patching that file now with the Bedrock-specific chain and references, without spreading duplicate content across methodology or SSRF pages.
Updated aws-bedrock-post-exploitation/README.md with a new AgentCore post-exploitation section covering the Bedrock-specific chain: Runtime SSRF to tokenless MMDS-style metadata access, Code Interpreter MMDS reconnaissance, sandbox DNS recursion as a DNS tunneling egress/C2 path, and the pre-signed S3 URL signer-account leak via aws sts get-access-key-info.

I kept the change in a single file because that is the best existing Bedrock-specific post-exploitation location and avoids duplicating the same technique across methodology/SSRF pages. I also updated the file’s ## References with the Unit 42 post plus current official AgentCore docs. No automated tests were run; I verified the rendered markdown section and the git diff only.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
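
Added example (not part of the PR, the bot's comment, or the Unit 42 post): a defender-side check for the DNS tunneling pattern described under Technical Details, flagging parent domains that receive many distinct long, high-entropy labels in resolver query logs. The function names, the thresholds, the last-two-labels parent rule, and the `.example` query names are assumptions constructed for illustration.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits per character; encoded payloads score well above hostnames."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def find_tunnel_candidates(qnames, min_unique=5, min_len=24, min_entropy=3.5):
    """Return {parent_domain: count of distinct long, high-entropy labels}."""
    suspicious = defaultdict(set)
    for qname in qnames:
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain label that could carry data
        # Assumption: the last two labels form the registrable domain.
        # Production code should consult the Public Suffix List instead.
        parent = ".".join(labels[-2:]).lower()
        longest = max(labels[:-2], key=len)
        if len(longest) >= min_len and shannon_entropy(longest) >= min_entropy:
            suspicious[parent].add(longest)
    return {p: len(s) for p, s in suspicious.items() if len(s) >= min_unique}


def constructed_sample():
    """Constructed query names for the demo; not captured traffic."""
    benign = [
        "sts.us-east-1.amazonaws.com",
        "bedrock-runtime.us-east-1.amazonaws.com",
        "files.pythonhosted.org",
        "pypi.org",
    ]
    # Many unique but short labels (CDN-style) must not trigger the rule.
    benign += [f"d{i:04d}.cdn.example" for i in range(20)]
    # Stand-in for encoded data: 30 pseudo-random bytes -> 40 Base64 chars.
    encoded = [
        base64.urlsafe_b64encode(hashlib.sha256(b"sample-%d" % i).digest()[:30]).decode()
        for i in range(8)
    ]
    return benign + [f"{label}.t.tunnel.example" for label in encoded]


if __name__ == "__main__":
    for parent, n in find_tunnel_candidates(constructed_sample()).items():
        print(f"{parent}: {n} distinct long high-entropy labels")
```

In practice the query names would come from resolver query logs for the sandbox's network, and the thresholds need tuning against that environment's normal traffic.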

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://unit42.paloaltonetworks.com/bypass-of-aws-sandbox-network-isolation-mode/

Content Categories: Based on the analysis, this content was categorized under "AWS Pentesting -> Post Exploitation -> AWS - Bedrock Post Exploitation (new subsection: AgentCore/Code Interpreter sandbox escape via DNS tunneling + MMDS/IMDS tokenless metadata); also cross-link from Pentesting Cloud Methodology / Egress controls bypass and from Cloud SSRF (metadata 169.254.169.254) sections".

Repository Maintenance:

  • MD Files Formatting: 584 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
