Cracks in the Bedrock: Escaping the AWS AgentCore Sandbox
ID: de3b0231-0c34-5a4e-914f-f00652d47994
STIX ID: report--de3b0231-0c34-5a4e-914f-f00652d47994
Feed Name: Palo Alto Networks Unit 42
Palo Alto Networks Unit 42 research demonstrates two issues in Amazon Bedrock AgentCore. First, the Code Interpreter’s sandbox mode could be bypassed using DNS tunneling to exfiltrate data. Second, the AgentCore Runtime’s microVM Metadata Service (MMDS) accepted unauthenticated metadata requests (MMDSv1-like behavior), enabling credential retrieval. The report includes PoC steps, impact analysis, a disclosure timeline, and mitigation guidance from AWS.
