AWS - SageMaker Enum
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Service Overview
Amazon SageMaker is AWS' managed machine-learning platform that ties together notebooks, training infrastructure, orchestration, registries, and managed endpoints. Compromising SageMaker resources typically yields:
- Long-lived IAM execution roles with broad access to S3, ECR, Secrets Manager, or KMS.
- Access to sensitive datasets stored in S3, EFS, or inside feature stores.
- Network footholds inside VPCs (Studio apps, training jobs, endpoints).
- High-privilege presigned URLs that bypass console authentication.
Understanding how SageMaker is put together is key before you pivot, persist, or exfiltrate data.
Core Building Blocks
- Studio Domains & Spaces: Web IDE (JupyterLab, Code Editor, RStudio). Each domain has a shared EFS file system and a default execution role.
- Notebook Instances: Managed EC2 instances for standalone notebooks; they use separate execution roles.
- Training / Processing / Transform Jobs: Ephemeral containers that pull code from ECR and data from S3.
- Pipelines & Experiments: Orchestration workflows that describe every step, input, and output.
- Models & Endpoints: Packaged artifacts deployed for inference via HTTPS endpoints.
- Feature Store & Data Wrangler: Managed services for data preparation and feature management.
- Autopilot & JumpStart: Automated ML and a curated model catalogue.
- MLflow Tracking Servers: Managed MLflow UI/API with presigned access tokens.
Every resource references an execution role, S3 locations, container images, and optional VPC/KMS configuration; capture all of them during enumeration.
Account & Global Metadata
REGION=us-east-1
# Portfolio status, used when provisioning Studio resources
aws sagemaker get-sagemaker-servicecatalog-portfolio-status --region $REGION
# List execution roles used by models (extend to other resources as needed)
aws sagemaker list-models --region $REGION --query 'Models[].ExecutionRoleArn' --output text | tr ' \t' '\n' | sort -u
# Generic tag sweep across any SageMaker ARN you know
aws sagemaker list-tags --resource-arn <sagemaker-arn> --region $REGION
Note any cross-account trust (execution roles or S3 buckets with external principals) and baseline restrictions such as service control policies (SCPs).
Studio Domains, Apps & Shared Spaces
aws sagemaker list-domains --region $REGION
aws sagemaker describe-domain --domain-id <domain-id> --region $REGION
aws sagemaker list-user-profiles --domain-id-equals <domain-id> --region $REGION
aws sagemaker describe-user-profile --domain-id <domain-id> --user-profile-name <profile> --region $REGION
# Enumerate apps (JupyterServer, KernelGateway, RStudioServerPro, CodeEditor, Canvas, etc.)
aws sagemaker list-apps --domain-id-equals <domain-id> --region $REGION
aws sagemaker describe-app --domain-id <domain-id> --user-profile-name <profile> --app-type JupyterServer --app-name default --region $REGION
# Shared collaborative spaces
aws sagemaker list-spaces --domain-id-equals <domain-id> --region $REGION
aws sagemaker describe-space --domain-id <domain-id> --space-name <space> --region $REGION
# Studio lifecycle configurations (shell scripts at start/stop)
aws sagemaker list-studio-lifecycle-configs --region $REGION
aws sagemaker describe-studio-lifecycle-config --studio-lifecycle-config-name <name> --region $REGION
What to record:
- DomainArn, AppSecurityGroupIds, SubnetIds, DefaultUserSettings.ExecutionRole.
- Mounted EFS (HomeEfsFileSystemId) and S3 home directories.
- Lifecycle scripts (they often contain bootstrap credentials or extra push/pull code).
Tip
Presigned Studio URLs can bypass authentication if they are granted too broadly.
Notebook Instances & Lifecycle Configurations
aws sagemaker list-notebook-instances --region $REGION
aws sagemaker describe-notebook-instance --notebook-instance-name <name> --region $REGION
aws sagemaker list-notebook-instance-lifecycle-configs --region $REGION
aws sagemaker describe-notebook-instance-lifecycle-config --notebook-instance-lifecycle-config-name <cfg> --region $REGION
Notebook metadata reveals:
- Execution role (RoleArn), and direct internet access vs. VPC-only mode.
- Code and data locations referenced in DefaultCodeRepository, plus the DirectInternetAccess and RootAccess settings.
- Lifecycle scripts holding credentials or persistence hooks.
Training, Processing, Transform & Batch Jobs
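The two sections above (Studio domains and notebook instances) tell you which fields to record; the following script, added here and not taken from the HackTricks page, turns that into a repeatable posture check. It parses the JSON that `aws sagemaker describe-domain` and `aws sagemaker describe-notebook-instance` print (the field names are the real API ones) and flags the settings a reviewer would want to see. Both descriptions embedded below are constructed samples, not output from any real account, and the account/role/subnet identifiers in them are placeholders.

```python
"""Added example: posture check over constructed describe-domain and
describe-notebook-instance output. Not code from the HackTricks page."""
import json

# Constructed sample of `aws sagemaker describe-domain` output (placeholder IDs).
DOMAIN_JSON = json.dumps({
    "DomainArn": "arn:aws:sagemaker:us-east-1:111111111111:domain/d-example0001",
    "DomainId": "d-example0001",
    "HomeEfsFileSystemId": "fs-0example",
    "AppNetworkAccessType": "PublicInternetOnly",   # VpcOnly is the locked-down value
    "SubnetIds": ["subnet-0example"],
    "DefaultUserSettings": {
        "ExecutionRole": "arn:aws:iam::111111111111:role/StudioExecRole",
        "SecurityGroups": [],
    },
})

# Constructed sample of `aws sagemaker describe-notebook-instance` output.
NOTEBOOK_JSON = json.dumps({
    "NotebookInstanceName": "analyst-nb",
    "NotebookInstanceStatus": "InService",
    "RoleArn": "arn:aws:iam::111111111111:role/NotebookExecRole",
    "DirectInternetAccess": "Enabled",
    "RootAccess": "Enabled",
    "SubnetId": "subnet-0example",
    "NotebookInstanceLifecycleConfigName": "bootstrap-cfg",
    "DefaultCodeRepository": "https://git.example.invalid/org/notebooks.git",
})


def audit_domain(desc: dict) -> list:
    """Findings for one Studio domain description."""
    findings = []
    if desc.get("AppNetworkAccessType") != "VpcOnly":
        findings.append("domain: Studio apps have direct internet egress "
                        "(AppNetworkAccessType is not VpcOnly)")
    if not desc.get("DefaultUserSettings", {}).get("SecurityGroups"):
        findings.append("domain: no customer security groups in DefaultUserSettings")
    if not desc.get("KmsKeyId"):
        findings.append("domain: EFS volume %s has no customer-managed KMS key"
                        % desc.get("HomeEfsFileSystemId"))
    return findings


def audit_notebook(desc: dict) -> list:
    """Findings for one notebook-instance description."""
    findings = []
    if desc.get("DirectInternetAccess") == "Enabled":
        findings.append("notebook: DirectInternetAccess enabled, egress bypasses VPC controls")
    if desc.get("RootAccess") == "Enabled":
        findings.append("notebook: RootAccess enabled")
    if not desc.get("SubnetId"):
        findings.append("notebook: not attached to a VPC subnet")
    if desc.get("NotebookInstanceLifecycleConfigName"):
        findings.append("notebook: lifecycle config %r runs at start; review it for "
                        "embedded credentials" % desc["NotebookInstanceLifecycleConfigName"])
    return findings


def run_audit(domain_json: str = DOMAIN_JSON, notebook_json: str = NOTEBOOK_JSON) -> dict:
    """Parse both descriptions and return roles, the EFS id and all findings."""
    domain, nb = json.loads(domain_json), json.loads(notebook_json)
    return {
        "execution_roles": sorted({domain["DefaultUserSettings"]["ExecutionRole"], nb["RoleArn"]}),
        "efs": domain.get("HomeEfsFileSystemId"),
        "findings": audit_domain(domain) + audit_notebook(nb),
    }


if __name__ == "__main__":
    result = run_audit()
    print("roles:", ", ".join(result["execution_roles"]))
    for line in result["findings"]:
        print("-", line)
```

In practice you would feed the script the output of the describe commands listed above (`aws sagemaker describe-domain ... > domain.json`) instead of the embedded samples; the execution roles it collects are the ones whose IAM policies the later "IAM & Network Considerations" section asks you to enumerate.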
aws sagemaker list-training-jobs --region $REGION
aws sagemaker describe-training-job --training-job-name <job> --region $REGION
aws sagemaker list-processing-jobs --region $REGION
aws sagemaker describe-processing-job --processing-job-name <job> --region $REGION
aws sagemaker list-transform-jobs --region $REGION
aws sagemaker describe-transform-job --transform-job-name <job> --region $REGION
Inspect:
- AlgorithmSpecification.TrainingImage / AppSpecification.ImageUri: which ECR images are run.
- InputDataConfig & OutputDataConfig: S3 buckets, prefixes, and KMS keys.
- ResourceConfig.VolumeKmsKeyId, VpcConfig, EnableNetworkIsolation: determine the network and encryption posture.
- HyperParameters may leak environment secrets or connection strings.
Pipelines, Experiments & Trials
aws sagemaker list-pipelines --region $REGION
aws sagemaker list-pipeline-executions --pipeline-name <pipeline> --region $REGION
aws sagemaker describe-pipeline --pipeline-name <pipeline> --region $REGION
aws sagemaker list-experiments --region $REGION
aws sagemaker list-trials --experiment-name <experiment> --region $REGION
aws sagemaker list-trial-components --trial-name <trial> --region $REGION
Pipeline definitions describe every step, the associated roles, container images and environment variables. Trial components often contain training-artifact URIs, S3 logs, and metrics that point to sensitive data flows.
Models, Endpoint Configurations & Deployed Endpoints
aws sagemaker list-models --region $REGION
aws sagemaker describe-model --model-name <name> --region $REGION
aws sagemaker list-endpoint-configs --region $REGION
aws sagemaker describe-endpoint-config --endpoint-config-name <cfg> --region $REGION
aws sagemaker list-endpoints --region $REGION
aws sagemaker describe-endpoint --endpoint-name <endpoint> --region $REGION
Focus areas:
- Model artifact S3 URIs (PrimaryContainer.ModelDataUrl) and inference container images.
- Endpoint data capture configuration (S3 bucket, KMS) for possible log exfiltration.
- Multi-model endpoints using S3DataSource or ModelPackage (check for cross-account packaging).
- Network configurations and security groups attached to endpoints.
Feature Store, Data Wrangler & Clarify
aws sagemaker list-feature-groups --region $REGION
aws sagemaker describe-feature-group --feature-group-name <feature-group> --region $REGION
aws sagemaker list-data-wrangler-flows --region $REGION
aws sagemaker describe-data-wrangler-flow --flow-name <flow> --region $REGION
aws sagemaker list-model-quality-job-definitions --region $REGION
aws sagemaker list-monitoring-schedules --region $REGION
Security-relevant points:
- Online feature stores replicate data to Kinesis; check OnlineStoreConfig.SecurityConfig.KmsKeyId and the VPC.
- Data Wrangler flows often contain embedded JDBC/Redshift credentials or private endpoints.
- Clarify/Model Monitor jobs export data to S3 buckets that may be world-readable or accessible from other accounts.
MLflow Tracking Servers, Autopilot & JumpStart
aws sagemaker list-mlflow-tracking-servers --region $REGION
aws sagemaker describe-mlflow-tracking-server --tracking-server-name <name> --region $REGION
aws sagemaker list-auto-ml-jobs --region $REGION
aws sagemaker describe-auto-ml-job --auto-ml-job-name <name> --region $REGION
aws sagemaker list-jumpstart-models --region $REGION
aws sagemaker list-jumpstart-script-resources --region $REGION
- MLflow tracking servers store experiments and artifacts; presigned URLs can expose all of it.
- Autopilot jobs run several training jobs; list their outputs for hidden data.
- JumpStart reference architectures can deploy privileged roles into the account.
IAM & Network Considerations
- Enumerate the IAM policies attached to all execution roles (Studio, notebooks, training jobs, pipelines, endpoints).
- Check network contexts: subnets, security groups, VPC endpoints. Many organisations isolate training jobs but forget to restrict egress traffic.
- Review the S3 bucket policies of buckets referenced in ModelDataUrl, DataCaptureConfig and InputDataConfig for external access.
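The last bullet, together with the earlier "Models, Endpoint Configurations & Deployed Endpoints" focus areas, amounts to a small procedure: collect the S3 URIs from `describe-model` and `describe-endpoint-config`, then read each bucket's policy and look for principals outside the account. The script below is an added example that is not part of the HackTricks page; it works on constructed JSON standing in for `describe-model`, `describe-endpoint-config` and `aws s3api get-bucket-policy` output, with placeholder account IDs (`111111111111` is the reviewed account, `222222222222` a foreign one) and a placeholder organisation ID.

```python
"""Added example: find S3 buckets referenced by a model and endpoint config, then
report bucket-policy grants to principals outside the account.
Not code from the HackTricks page; all JSON below is constructed."""
import json
from urllib.parse import urlparse

ACCOUNT_ID = "111111111111"   # assumption: the account under review

# Constructed `aws sagemaker describe-model` output.
MODEL_JSON = json.dumps({
    "ModelName": "fraud-model",
    "ExecutionRoleArn": "arn:aws:iam::111111111111:role/ModelExecRole",
    "PrimaryContainer": {
        "Image": "111111111111.dkr.ecr.us-east-1.amazonaws.com/inference:1",
        "ModelDataUrl": "s3://corp-ml-artifacts/fraud/model.tar.gz",
    },
})

# Constructed `aws sagemaker describe-endpoint-config` output with data capture on.
ENDPOINT_CONFIG_JSON = json.dumps({
    "EndpointConfigName": "fraud-prod",
    "ProductionVariants": [{"VariantName": "AllTraffic", "ModelName": "fraud-model"}],
    "DataCaptureConfig": {
        "EnableCapture": True,
        "InitialSamplingPercentage": 100,
        "DestinationS3Uri": "s3://corp-inference-capture/fraud/",
        "KmsKeyId": "",
    },
})

# Constructed bucket policies, keyed by bucket name (stand-in for get-bucket-policy).
BUCKET_POLICIES = {
    "corp-ml-artifacts": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/ModelExecRole"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::corp-ml-artifacts/*"}]},
    "corp-inference-capture": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::corp-inference-capture",
                      "arn:aws:s3:::corp-inference-capture/*"]},
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::corp-inference-capture/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}}]},
}


def bucket_of(s3_uri: str) -> str:
    """Bucket name from an s3:// URI."""
    p = urlparse(s3_uri)
    if p.scheme != "s3" or not p.netloc:
        raise ValueError(f"not an S3 URI: {s3_uri}")
    return p.netloc


def referenced_buckets(model: dict, endpoint_config: dict) -> dict:
    """Map bucket -> the description field that referenced it."""
    refs = {}
    url = model.get("PrimaryContainer", {}).get("ModelDataUrl")
    if url:
        refs[bucket_of(url)] = "PrimaryContainer.ModelDataUrl"
    cap = endpoint_config.get("DataCaptureConfig", {})
    if cap.get("EnableCapture") and cap.get("DestinationS3Uri"):
        refs[bucket_of(cap["DestinationS3Uri"])] = "DataCaptureConfig.DestinationS3Uri"
    return refs


def principal_accounts(principal) -> set:
    """Account IDs (or '*') named in a policy Principal; service principals are ignored."""
    if principal == "*":
        return {"*"}
    values = principal.get("AWS", []) if isinstance(principal, dict) else principal
    if isinstance(values, str):
        values = [values]
    out = set()
    for v in values:
        if v == "*":
            out.add("*")
        elif v.isdigit():
            out.add(v)
        elif v.startswith("arn:aws:iam::"):
            out.add(v.split(":")[4])
    return out


def external_grants(policy: dict, account_id: str = ACCOUNT_ID) -> list:
    """(scope, action) for Allow statements whose principal is outside account_id.
    A '*' principal fenced by aws:PrincipalOrgID is 'org-wide', otherwise 'public'."""
    grants = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        org_scoped = any("aws:PrincipalOrgID" in v for v in st.get("Condition", {}).values())
        for acct in principal_accounts(st.get("Principal", {})):
            if acct == account_id:
                continue
            if acct == "*":
                scope = "org-wide" if org_scoped else "public"
            else:
                scope = f"account {acct}"
            grants.append((scope, st.get("Action")))
    return grants


def review(model_json=MODEL_JSON, ec_json=ENDPOINT_CONFIG_JSON, policies=BUCKET_POLICIES) -> dict:
    """Bucket -> referencing field and any external grants in its policy."""
    refs = referenced_buckets(json.loads(model_json), json.loads(ec_json))
    return {b: {"referenced_by": f, "external": external_grants(policies.get(b, {}))}
            for b, f in refs.items()}


if __name__ == "__main__":
    for bucket, info in review().items():
        print(bucket, info["referenced_by"], info["external"] or "no external grants")
```

Against real output, the same flow is `describe-model` and `describe-endpoint-config` into the two JSON inputs and `aws s3api get-bucket-policy --bucket <name> --query Policy --output text` for each bucket; a bucket with no policy (`NoSuchBucketPolicy`) has no external grants from the policy side, but IAM policies in other accounts and ACLs are not covered by this check.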
Privilege Escalation
Persistence
Post-Exploitation
AWS - SageMaker Post-Exploitation
Unauthorized Access
AWS - SageMaker Unauthenticated Enum