AWS Warns Outbound Traffic Blind Spots Can Enable Cloud Data Exfiltration
AWS has warned that organizations may be leaving a major cloud security gap open by focusing too heavily on inbound defenses while giving outbound traffic less attention.
In a June 22, 2026 AWS Security Blog post, the company said cloud workloads can become data theft channels if internet-bound traffic leaves a virtual private cloud without inspection, filtering, or identity-based guardrails.
The guidance applies to traditional cloud workloads and newer agentic AI systems. AWS said attackers who compromise an instance, application, or AI agent may try to send sensitive data to external servers, attacker-controlled storage, command-and-control infrastructure, or DNS channels.
Outbound defenses are often weaker than inbound defenses
Most cloud security programs prioritize what comes into the environment. Teams deploy firewalls, web application firewalls, access controls, and identity protections to block obvious external threats.
Outbound traffic can receive less scrutiny because many applications need to call external APIs, download updates, reach software repositories, or connect to business services. To avoid breaking those dependencies, teams may leave broad internet access open by default.
That creates a blind spot. If an attacker gains code execution inside a workload, the next step is often outbound communication. Without egress controls, stolen data can leave through HTTPS, DNS, storage APIs, or other normal-looking traffic.
| Outbound risk | How it can be abused | AWS control highlighted |
|---|---|---|
| Open internet egress | Compromised workloads send data to unauthorized destinations | AWS Network Firewall |
| DNS tunneling | Attackers encode stolen data inside DNS queries | Route 53 Resolver DNS Firewall |
| Stolen credentials | Attackers copy data to storage in another AWS account | Data perimeter policies and VPC endpoint policies |
| Agentic AI misuse | Manipulated agents call external tools or endpoints | Domain allow-lists and network inspection |
| Missed detection | Suspicious egress blends into normal traffic | GuardDuty, Security Hub, IAM Access Analyzer |
React2Shell shows why fast egress control matters
AWS used CVE-2025-55182, known as React2Shell, as one example of how attackers can move quickly after gaining code execution. The vulnerability affected React Server Components and enabled unauthenticated remote code execution in vulnerable applications.
In a separate AWS React2Shell analysis, Amazon threat intelligence teams said they saw exploitation attempts within hours of public disclosure by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda.
Once attackers gain remote code execution, outbound access becomes critical. If the workload can freely connect to the internet, attackers may fetch payloads, open command-and-control channels, or copy secrets and application data out of the environment.
DNS tunneling can bypass normal inspection
AWS also highlighted DNS as a common exfiltration path. DNS traffic is essential for normal application behavior, so teams may not inspect it as closely as web traffic.
Attackers can abuse that trust by encoding stolen data inside DNS queries sent to domains they control. Standard network inspection may miss this because DNS queries through a VPC resolver do not always pass through the same outbound firewall path as other internet traffic.
The AWS egress controls guidance recommends Route 53 Resolver DNS Firewall across VPCs, including managed domain lists and DNS Firewall Advanced features for detecting DNS tunneling, domain generation algorithms, and other suspicious DNS patterns.
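An added example, not code from the AWS post or from Route 53, of the kind of heuristic a detection engineer might run over Route 53 Resolver query logs to surface the pattern described above: long, high-entropy subdomain labels repeatedly sent to one domain. The log records are constructed, the registered-domain split assumes two labels, and the thresholds are assumptions to tune per environment.

```python
import json
import math
from collections import Counter, defaultdict

# Constructed Route 53 Resolver query log records (JSON lines), built for this
# example; field names follow the Resolver query log format, values are invented.
SAMPLE_LOGS = """
{"query_name":"api.github.com.","query_type":"A","srcaddr":"10.0.1.10"}
{"query_name":"repo.example-updates.net.","query_type":"A","srcaddr":"10.0.1.10"}
{"query_name":"mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.exfil-example.test.","query_type":"TXT","srcaddr":"10.0.1.10"}
{"query_name":"nbswy3dpfqqho33smfpgc3dmeb3gk5dsmfzgcz3fmqqgeytf.exfil-example.test.","query_type":"TXT","srcaddr":"10.0.1.10"}
{"query_name":"ojsw45dfmqqhgy3bnzxgi33vnrqw2ylomfzgc3dtnfxg6.exfil-example.test.","query_type":"TXT","srcaddr":"10.0.1.10"}
"""

def shannon_entropy(text):
    """Bits per character; encoded payloads (hex, base32, base64) score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def label_reasons(label, max_len=30, min_entropy=3.8, entropy_min_len=16):
    """Reasons a single DNS label looks like encoded data (empty list if none)."""
    reasons = []
    if len(label) > max_len:
        reasons.append("long_label")
    if len(label) >= entropy_min_len and shannon_entropy(label) >= min_entropy:
        reasons.append("high_entropy_label")
    return reasons

def analyze_query_logs(log_text, min_unique=3):
    """Group queries by registered domain (assumed to be the last two labels; a
    public-suffix list would be used in practice) and flag domains whose
    subdomain labels look like encoded payloads."""
    per_domain = defaultdict(lambda: {"reasons": set(), "prefixes": set()})
    for line in log_text.strip().splitlines():
        labels = json.loads(line)["query_name"].rstrip(".").lower().split(".")
        base, prefix = ".".join(labels[-2:]), labels[:-2]
        entry = per_domain[base]
        entry["prefixes"].add(".".join(prefix))
        for label in prefix:
            entry["reasons"].update(label_reasons(label))
    flagged = {}
    for base, entry in per_domain.items():
        if not entry["reasons"]:
            continue  # only ordinary-looking labels: nothing to report
        if len(entry["prefixes"]) >= min_unique:
            entry["reasons"].add("many_unique_subdomains")  # volume corroborates
        flagged[base] = {"reasons": sorted(entry["reasons"]),
                         "unique_subdomains": len(entry["prefixes"])}
    return flagged
```

A hit is a starting point for triage, not a verdict: CDNs and some telemetry services also produce long labels, so the usual next step is to check the domain against the DNS Firewall managed lists and the workload's expected dependencies.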
Agentic AI creates new outbound data paths
The same egress problem now applies to AI agents. Agentic AI systems may browse websites, call APIs, run code, retrieve documents, or interact with external tools as part of normal work.
AWS previously explained in its domain control guidance for AI agents that security teams increasingly need to restrict which domains agents can reach, especially when prompt injection could push an agent toward unintended destinations.
The risk also matches concerns listed in the OWASP Top 10 for Agentic Applications. OWASP includes Agent Goal Hijack and Unexpected Code Execution among key agentic AI risks, both of which can lead to unauthorized actions or data movement.
- AI agents may need outbound access to tools and APIs.
- Prompt injection can redirect agents toward unintended goals.
- Code execution tools can turn natural-language instructions into real commands.
- Broad allow rules can let manipulated agents contact unapproved destinations.
- Network filtering helps control what leaves the environment, even when the agent is tricked.
AWS recommends layered egress controls
AWS said egress security should not depend on one product or policy. The recommended approach combines network filtering, DNS filtering, data perimeters, detection, and automated response.
AWS Network Firewall can inspect outbound traffic, enforce approved destinations, block unauthorized domains, restrict ports and protocols, apply threat intelligence, and inspect some encrypted traffic when configured for TLS decryption.
For agentic workloads, the AWS AI agent filtering guidance recommends domain-based controls using AWS Network Firewall so agent browser traffic can go only to approved destinations, with logging for audit and security review.
Data perimeters can limit stolen credential abuse
Outbound security does not stop at the network layer. AWS also points to data perimeters as a way to restrict what identities and workloads can access through AWS service APIs.
This matters when attackers steal valid credentials. Without guardrails, a compromised identity may copy data to a bucket in another account or interact with resources outside the organization.
AWS recommends using service control policies, resource control policies, and VPC endpoint policies to narrow access. For example, VPC endpoint policies can restrict S3 access so workloads can interact only with buckets that belong to the same organization.
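As an added illustration, not code from the AWS post, the following Python helper places the default full-access endpoint policy beside one scoped with the aws:ResourceOrgID condition key, and audits a policy document (as describe-vpc-endpoints returns it) for Allow statements that are not pinned to the organization. The organization ID is a placeholder.

```python
import json

ORG_ID = "o-exampleorgid"  # placeholder; a real value comes from AWS Organizations

# The full-access policy a new endpoint carries by default: any bucket, any account.
DEFAULT_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}

# A policy that only allows S3 requests whose target bucket belongs to this organization.
ORG_SCOPED_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOnlyOrgOwnedBuckets",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:ResourceOrgID": ORG_ID}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allow_statements_without_org_condition(policy, org_id):
    """Return the Sid (or index) of every Allow statement that does not pin
    aws:ResourceOrgID to org_id. Condition keys match case-insensitively, as in
    IAM. An empty list means every grant is scoped to the organization."""
    unscoped = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; they need no org pin
        scoped = False
        for operator, keys in stmt.get("Condition", {}).items():
            if operator.lower() != "stringequals":
                continue
            for key, value in keys.items():
                if key.lower() == "aws:resourceorgid" and _as_list(value) == [org_id]:
                    scoped = True
        if not scoped:
            unscoped.append(stmt.get("Sid", f"statement[{idx}]"))
    return unscoped

def audit_endpoint_policy(policy_document, org_id):
    """Audit a PolicyDocument JSON string, as describe-vpc-endpoints returns it."""
    findings = allow_statements_without_org_condition(json.loads(policy_document), org_id)
    return {"scoped_to_org": not findings, "unscoped_statements": findings}
```

The endpoint policy is only one layer of the perimeter: it bounds what the endpoint will forward, while the identity policies and SCPs still decide what the calling principal may do.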
Detection still matters after prevention
Preventive controls reduce the chance of data leaving the environment, but detection helps teams find what slipped through or what attackers attempted.
AWS points to Amazon GuardDuty for egress-related findings, including DNS-based data exfiltration, malicious S3 activity, and multi-stage attack sequence correlation. It also recommends AWS Security Hub for central correlation and IAM Access Analyzer for finding external access paths.

The company also recommends automation through EventBridge and Lambda. That can help update firewall deny rules, add DNS block list entries, revoke credentials, quarantine resources, and alert responders faster than manual processes alone.
What cloud teams should do now
Security teams should first map which workloads have unrestricted outbound access. They should then identify which external domains, APIs, repositories, and storage services each workload truly needs.
From there, teams can move toward allow-lists, DNS filtering, VPC endpoint policies, and centralized inspection. AWS suggests starting with quick wins such as Route 53 Resolver DNS Firewall and GuardDuty, then expanding into data perimeters, Network Firewall, IAM Access Analyzer, Security Hub, and automated remediation.
The AWS React2Shell report also reinforces a wider lesson: once a public exploit appears, attackers can move fast. Patching remains critical, but egress controls can reduce damage when a vulnerability is exploited before teams fully recover.
Outbound visibility is now part of cloud resilience
The AWS guidance shows that cloud security needs to treat outbound traffic as a first-class security concern. Blocking inbound attacks matters, but it does not stop data theft after a workload has already been compromised.
The same logic applies to AI agents. A manipulated agent running inside a VPC should face the same approved destinations, DNS rules, and data access limits as any other workload.
As the OWASP Agentic Applications framework makes clear, agentic systems introduce new ways for attackers to misuse tools, goals, and code execution. AWS’s message is practical: put egress under control before outbound blind spots become data loss paths.
FAQ
AWS warned that organizations may overlook outbound traffic controls in cloud environments, creating blind spots that attackers can use for data exfiltration, command-and-control traffic, or unauthorized access to external resources.
Outbound traffic becomes dangerous when compromised workloads can freely connect to the internet. Attackers can use that access to send stolen data to external servers, abuse DNS tunneling, copy data to outside storage, or download additional malware.
DNS tunneling hides data inside DNS queries sent to attacker-controlled domains. Because DNS traffic is necessary for normal operations and may bypass standard firewall paths, it can become a quiet channel for sending data out of a cloud environment.
AI agents often need to browse, call APIs, run code, or use external tools. If attackers manipulate an agent through prompt injection or unsafe code execution, broad outbound access can let the agent send sensitive data to unapproved destinations.
AWS recommends layered controls such as AWS Network Firewall, Route 53 Resolver DNS Firewall, service control policies, resource control policies, VPC endpoint policies, Amazon GuardDuty, AWS Security Hub, IAM Access Analyzer, and automated response through EventBridge and Lambda.