No Way Out? C2 Through AWS Data Perimeter via Bedrock-AgentCore
Dan Gansel
fwd:cloudsec North America 2026 · Day 1
In this talk from fwd:cloudsec, Dan Gansel, a security researcher at API Security, presented a command and control (C2) channel that bypasses AWS Data Perimeter controls. The research, titled "No Way Out? C2 Through AWS Data Perimeter via Bedrock-AgentCore," showed how an undocumented API, chained with an intended design behavior in Amazon Bedrock AgentCore, could be abused to exfiltrate sensitive data and establish bidirectional C2 even from accounts with a Data Perimeter in place. The talk underlines a recurring cloud security problem: service features that are undocumented, or that look harmless on their own, can be turned against an otherwise well-hardened account boundary.
AI review
Gansel found something real: an undocumented, unauthenticated API that, chained with an SSRF-via-design-behavior in UpdateAgentRuntime, produces a working bidirectional C2 that evades AWS Data Perimeter. The infiltration half got patched; the exfiltration half is still open because AWS called it intended behavior — which is the most interesting part of the story. Solid fwd:cloudsec-tier research on a genuinely novel attack surface.