
AWS's Egress Blueprint Stops C2 Calls and Manipulated AI Agents Alike

aws.amazon.com · @gentle_otter · 2 hours ago · Cybersecurity · 3 comments

Within hours of the React2Shell CVE disclosure, attackers were exfiltrating data through open egress. AWS's layered controls aim to close that door for both traditional workloads and agentic AI.

Tags: aws, amazon web services, aws network firewall, route 53 resolver dns firewall, amazon guardduty, data exfiltration

CVE-2025-55182 (React2Shell) went public in December 2025, and organized groups started exploiting it within hours - not to break in, but to establish outbound command-and-control channels that would exfiltrate data through default-open egress. AWS's new security blog post from Meriem Smache and Maxim Raya lays out a hub-and-spoke architecture that treats outbound traffic with the same suspicion as inbound, and it applies equally to EC2 instances and agentic AI workloads running on Bedrock.

Why Outbound Default-Open Is the Real Risk

Most cloud teams focus on inbound firewalls and access policies because that's where the obvious threats live. Outbound traffic stays wide open to avoid breaking application dependencies. That default-trust model is exactly what attackers count on. The post cites the OWASP Top 10 for Agentic Applications, specifically Agent Goal Hijack (ASI01) and Unexpected Code Execution (ASI05), where a manipulated AI agent can silently exfiltrate training data or spin up reverse shells. Without egress controls, that traffic flows straight through a NAT gateway to the internet, invisible until a compliance audit or customer complaint surfaces it.

The Same Network Funnel for EC2 and AI Agents

The architecture centralizes outbound inspection through an AWS Transit Gateway that routes all internet-bound traffic from spoke VPCs through AWS Network Firewall. That firewall inspects Layers 3-7 using Suricata-compatible rules, domain filtering, geographic IP blocks, and TLS decryption - and it scales to 100 Gbps per Availability Zone. Route 53 Resolver DNS Firewall sits upstream to catch DNS tunneling, a technique that bypasses traditional firewalls by encoding data in DNS queries. The post includes a concrete VPC endpoint policy that denies S3 operations unless the target bucket belongs to your organization, using aws:ResourceOrgID. The key point: an AI agent on Bedrock inside a spoke VPC gets no special lane. Its outbound calls to external APIs go through the same domain allow-lists, the same DNS filters, and the same data perimeter policies as any EC2 instance. If an unauthorized party hijacks the agent via prompt injection, Network Firewall blocks the exfiltration destination because it isn't on the approved list.
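To make the `aws:ResourceOrgID` endpoint policy concrete, here is an added example (not the policy from the AWS post) that builds a perimeter policy and statically checks whether a given S3 endpoint policy enforces it. The organization ID `o-exampleorgid`, the statement IDs, and all function names are constructed for illustration; the check is a conservative lint over the policy document, not a full IAM evaluator.

```python
"""Audit an S3 VPC endpoint policy for an aws:ResourceOrgID perimeter (added example)."""

ORG_ID = "o-exampleorgid"  # constructed placeholder, not a value from the page
KEY = "aws:resourceorgid"  # condition key names are case-insensitive

DEFAULT_OPEN = {"Statement": [  # full-access policy an endpoint has by default
    {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]}

PERIMETER = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowS3", "Effect": "Allow", "Principal": "*",
     "Action": "s3:*", "Resource": "*"},
    {"Sid": "DenyBucketsOutsideOrg", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:ResourceOrgID": ORG_ID}}}]}

def as_list(v):
    return v if isinstance(v, list) else [v]

def org_values(stmt, operator):
    """aws:ResourceOrgID values under one condition operator, or []."""
    block = stmt.get("Condition", {}).get(operator, {})
    return [v for k, vals in block.items() if k.lower() == KEY for v in as_list(vals)]

def only_org(stmt, operator, org_id):
    return set(org_values(stmt, operator)) == {org_id}

def blanket_deny(stmt, org_id):
    """Deny on all S3 actions and resources, conditioned only on a foreign org ID."""
    cond = stmt.get("Condition", {})
    return (stmt.get("Effect") == "Deny" and stmt.get("Principal") == "*"
            and any(a.lower() in ("*", "s3:*") for a in as_list(stmt.get("Action", [])))
            and as_list(stmt.get("Resource")) == ["*"]
            and list(cond) == ["StringNotEquals"] and len(cond["StringNotEquals"]) == 1
            and only_org(stmt, "StringNotEquals", org_id))

def grants_s3(stmt):
    if stmt.get("Effect") != "Allow":
        return False
    if "NotAction" in stmt:
        return True  # conservative: NotAction may still include S3
    return any(a == "*" or a.lower().startswith("s3:") for a in as_list(stmt.get("Action", [])))

def enforces_org_perimeter(policy, org_id):
    stmts = as_list(policy.get("Statement", []))
    if any(blanket_deny(s, org_id) for s in stmts):
        return True  # explicit Deny overrides every Allow
    # No blanket deny: every statement that can allow S3 must pin the org itself.
    return all(only_org(s, "StringEquals", org_id) for s in stmts if grants_s3(s))
```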

Three Phases to Lock Down Egress

AWS recommends a phased approach. Phase 1: enable Route 53 DNS Firewall across all VPCs and activate GuardDuty for baseline threat detection. Phase 2: deploy organization-wide data perimeters (SCPs, RCPs, VPC endpoint policies) and install Network Firewall as a transit gateway-attached firewall. Phase 3: enable IAM Access Analyzer for continuous external access detection, automate remediation via EventBridge and Lambda, and centralize findings in Security Hub. The post emphasizes that detective controls like GuardDuty's Trojan:EC2/DNSDataExfiltration finding serve a dual purpose: they confirm that preventive layers are working when exfiltration attempts fail, and they trigger incident response when attempts succeed.

If your organization deploys agentic AI on Bedrock without these controls, you're betting that prompt injection won't redirect a model to exfiltrate training data - a bet the OWASP Top 10 for Agentic Applications already says you'll lose.


Source: Prevent data exfiltration: AWS egress controls for cloud workloads
Domain: aws.amazon.com
