AWS SageMaker · AI inference security
Prompt injection scanning for AWS SageMaker AI inference pipelines
AWS SageMaker is the dominant platform for deploying custom vision-language models at scale — real-time endpoints for synchronous inference, SageMaker Batch Transform for large-scale offline processing, and SageMaker Pipelines for multi-step ML workflows including preprocessing, inference, and postprocessing steps. When SageMaker inference jobs process images from external sources — S3 buckets receiving user uploads, EventBridge-triggered pipelines ingesting images from partner APIs, or batch transform jobs reading from public S3 prefixes — adversarially crafted images present a multimodal prompt injection risk that AWS's native security stack does not address at the image content layer. AWS Bedrock Guardrails — AWS's primary guardrail product for LLM inputs — is designed for Amazon Bedrock foundation model calls, not for custom SageMaker-deployed models. Guardrails' grounding and sensitive information detection features operate on text; the image layer of SageMaker inference jobs is outside their scope. Amazon GuardDuty monitors for anomalous AWS API calls and S3 access patterns, not image pixel content. Glyphward's pre-inference scan gate fills the image-layer security gap in SageMaker deployments with a lightweight API call before every VLM invocation.
TL;DR
AWS Bedrock Guardrails and GuardDuty do not inspect image pixel content in SageMaker inference. Any SageMaker endpoint or batch transform job processing untrusted images has an unguarded multimodal prompt injection surface. Call POST https://glyphward.com/v1/scan on each image before invoking your SageMaker endpoint. Reject images with score >= 65. Free tier — 10 scans/day, no card required.
Four multimodal injection surfaces in AWS SageMaker
1. SageMaker real-time endpoints receiving images from S3 event-triggered Lambda functions. A common SageMaker deployment pattern routes user-uploaded images through an AWS Lambda function triggered by S3 PutObject events: the user uploads an image to an S3 bucket, S3 triggers a Lambda that preprocesses the image and calls the SageMaker endpoint for VLM inference, and the Lambda writes structured output (descriptions, classifications, extracted fields) to DynamoDB or another S3 prefix. At no point in this architecture does AWS scan the image for adversarial content. Amazon Rekognition — AWS's image analysis service — detects moderation categories (violence, nudity, unsafe content) but does not detect typographic prompt injection payloads, Unicode homoglyph substitutions, or steganographic instruction embeddings. A user who uploads an adversarially crafted image can inject arbitrary instructions into the VLM inference chain. Because Lambda functions in this pattern often have IAM roles with S3 write permissions and DynamoDB access, a successful injection can instruct the VLM to output structured records designed to poison the downstream database, create files in attacker-specified S3 paths, or reveal the Lambda function's environment variables if the VLM output is used in a template with the Lambda context. The Glyphward API call added to the Lambda preprocessing step — before the SageMaker endpoint invocation — blocks the adversarial image before any downstream access occurs.
2. SageMaker Batch Transform jobs reading untrusted images from S3 input prefixes. SageMaker Batch Transform is the standard mechanism for running offline VLM inference on large image datasets: a batch transform job reads all objects from an S3 input prefix, passes each through the deployed model, and writes inference results to an S3 output prefix. These jobs run autonomously on SageMaker ML instances with no human review of individual images. When the input S3 prefix contains images from external sources — supplier-submitted product images, customer-provided document scans, scraped web image datasets — adversarial images in the dataset can inject instructions that corrupt the batch transform output records. If the output prefix feeds a downstream pipeline (an EMR job that processes the output, an Athena table queried by analysts, a knowledge base indexed by Amazon Kendra), injected instructions in output records can propagate through the entire data lake and surface in downstream AI-powered query responses. SageMaker Batch Transform provides no per-image content inspection — only data format validation (input MIME type matching) and output schema checks. A preprocessing step in the SageMaker Pipeline that calls Glyphward on each image before queuing it for batch transform is the correct architectural insertion point.
3. SageMaker Pipelines with VLM processing steps and downstream tool-call integration. SageMaker Pipelines enables multi-step ML workflows where a preprocessing step, VLM inference step, and postprocessing step are chained together with conditional branches and parameter callbacks. Sophisticated SageMaker deployments integrate VLM inference steps with AWS service calls — writing results to Amazon OpenSearch for retrieval, triggering Amazon SNS notifications, invoking downstream Lambda functions via SageMaker Pipeline callbacks. When a SageMaker Pipeline includes an image-to-text step (converting images to textual descriptions or structured data) and those text outputs are subsequently fed into Amazon Bedrock agents or Bedrock Knowledge Base retrieval, adversarial images that successfully inject instructions into the image-to-text output carry their payload directly into the Bedrock-powered text processing layer. The pipeline architecture decouples the image injection point from the text exploitation point: Amazon Bedrock Guardrails may inspect the Bedrock layer inputs but cannot see that the malicious text arrived from an image — by the time the text reaches Bedrock, the image is no longer in the picture. Adding the Glyphward pre-scan at the SageMaker Pipeline preprocessing step is the only point where the adversarial image can be blocked before it generates malicious text output anywhere in the pipeline.
4. SageMaker Studio Notebook-based inference workflows in shared multi-tenant environments. Data science teams running SageMaker Studio notebooks often develop and test VLM inference workflows against real or representative image datasets in shared notebook environments. When these notebooks pull images from external URLs, shared S3 buckets, or publicly accessible datasets to test inference quality, adversarially crafted images in those sources can execute prompt injection attacks against the VLM model being evaluated — and the notebook environment itself. SageMaker Studio runs notebook kernels with IAM execution roles that may have broad S3 access, SageMaker API permissions, or access to other AWS resources in the VPC. A VLM inference call on an adversarial image in a notebook that then uses the output in a template string (f-string formatting, string concatenation for further API calls, Jupyter display rendering) can exfiltrate the IAM role credentials, list accessible S3 buckets, or trigger SageMaker training jobs. Notebook environments are particularly high-risk because they execute arbitrary output: VLM inference results are often used directly in further code execution within the same kernel session. Installing the Glyphward Python SDK in the notebook environment and wrapping the SageMaker inference call adds the scan gate with minimal friction.
Integration: SageMaker Lambda function with Glyphward pre-scan
```python
import base64
import json
import os
from urllib.parse import unquote_plus

import boto3
import requests

# Read the key from the function's environment (populated from Secrets Manager)
# rather than hardcoding it in the deployment package.
GLYPHWARD_KEY = os.environ.get("GLYPHWARD_KEY", "<your-glyphward-api-key>")
GLYPHWARD_THRESHOLD = 65

sagemaker = boto3.client("sagemaker-runtime", region_name="us-east-1")
s3 = boto3.client("s3")


def lambda_handler(event, context):
    """
    S3-triggered Lambda: scan image with Glyphward before SageMaker endpoint call.
    """
    bucket = event["Records"][0]["s3"]["bucket"]["name"]
    # S3 event notifications URL-encode object keys (spaces arrive as "+")
    key = unquote_plus(event["Records"][0]["s3"]["object"]["key"])

    # Download image from S3
    image_obj = s3.get_object(Bucket=bucket, Key=key)
    image_bytes = image_obj["Body"].read()

    # Step 1: Glyphward pre-scan — reject adversarial images before SageMaker call
    encoded = base64.b64encode(image_bytes).decode()
    try:
        scan_resp = requests.post(
            "https://glyphward.com/v1/scan",
            headers={"Authorization": f"Bearer {GLYPHWARD_KEY}"},
            json={"image": encoded},
            timeout=5,
        )
    except requests.RequestException:
        # Fail-closed: network error or timeout -> reject, do not call SageMaker
        return {"statusCode": 503, "body": json.dumps({"error": "scan_unavailable"})}
    if scan_resp.status_code != 200:
        # Fail-closed: scan error -> reject, do not call SageMaker
        return {"statusCode": 503, "body": json.dumps({"error": "scan_unavailable"})}

    scan = scan_resp.json()
    if scan["score"] >= GLYPHWARD_THRESHOLD:
        return {
            "statusCode": 400,
            "body": json.dumps({
                "error": "adversarial_image_blocked",
                "score": scan["score"],
                "scan_id": scan["scan_id"],
                "s3_key": key,
            }),
        }

    # Step 2: SageMaker endpoint call — only reached by clean images
    response = sagemaker.invoke_endpoint(
        EndpointName="my-vlm-endpoint",
        ContentType="application/json",
        Body=json.dumps({
            "image": encoded,
            "prompt": "Describe this image in structured JSON.",
        }),
    )
    result = json.loads(response["Body"].read())
    return {"statusCode": 200, "body": json.dumps(result)}
```
For SageMaker Batch Transform, add a preprocessing step to your SageMaker Pipeline definition using a ProcessingStep that calls Glyphward on each image before the TransformStep. The processing step writes clean images to a separate S3 prefix; the transform step reads only from that prefix. Store your Glyphward API key as an AWS Secrets Manager secret and reference it from the processing job environment using ParameterString in the pipeline definition — do not hardcode it in the pipeline YAML.
Coverage matrix
| Mitigation layer | Real-time endpoint + Lambda (user uploads) | Batch Transform (S3 dataset) | SageMaker Pipeline (chained VLM + Bedrock) | Studio Notebook inference |
|---|---|---|---|---|
| AWS Bedrock Guardrails | No — Bedrock Guardrails apply to Bedrock API calls; SageMaker custom endpoints are outside scope | No | Partial — guards Bedrock steps; SageMaker VLM step not covered; adversarial image-to-text output arrives as unguarded text at Bedrock layer | No |
| Amazon Rekognition moderation | Partial — detects unsafe visual content; not adversarial PI text payloads in images | Partial — can be added as pipeline step; not adversarial PI detection | No | No |
| Amazon GuardDuty | No — monitors AWS API call anomalies; not image pixel content | No | No | No |
| Glyphward pre-VLM image scan (multimodal PI detection) | Yes — Lambda pre-scan gate blocks adversarial images before SageMaker endpoint | Yes — ProcessingStep pre-scan; batch transform reads only clean images | Yes — pipeline preprocessing step; adversarial image blocked before VLM-to-text conversion | Yes — notebook SDK wrapper; scan before SageMaker runtime invocation |
Related questions
Does Amazon Bedrock Guardrails cover SageMaker custom model endpoints?
No. Amazon Bedrock Guardrails are specifically designed for Amazon Bedrock foundation model API calls — they integrate with the InvokeModel and Converse APIs for models in the Bedrock model catalog. SageMaker custom endpoints (trained by the customer, deployed via SageMaker training jobs and model registry) invoke through the sagemaker-runtime:InvokeEndpoint API, which is entirely separate from the Bedrock API surface. Bedrock Guardrails do not intercept SageMaker runtime calls. If your architecture routes images through a SageMaker VLM endpoint before optionally passing results to a Bedrock model, the SageMaker step is unguarded at the image layer. Glyphward covers the SageMaker step; you can combine it with Bedrock Guardrails at the Bedrock step for defence-in-depth.
How do I add Glyphward to a SageMaker Pipeline ProcessingStep?
Create a Python script that iterates over all images in the input S3 path, calls Glyphward's scan API for each, copies clean images to the output S3 path, and logs rejected image paths to a manifest file. Reference this script in a ScriptProcessor configured with your processing job container (a standard python:3.11 image with requests installed works). Define the processing job as a ProcessingStep in your Pipeline definition with DependsOn pointing to any upstream data ingestion steps. Set the TransformStep to depend on the ProcessingStep and take its output S3 path as the batch transform input. The rejected image manifest can be published as a pipeline metric for monitoring in SageMaker Experiments.
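The processing script described above, written out as an added example (it is not Glyphward's or AWS's own code). It assumes the API contract this page states (POST https://glyphward.com/v1/scan with a Bearer key and a base64 "image" field, returning JSON with "score" and "scan_id"), the standard SageMaker Processing mounts under /opt/ml/processing, and an assumed environment variable GLYPHWARD_API_KEY populated from Secrets Manager by the pipeline. The output layout (a clean/ prefix plus rejected_manifest.json) and the function name filter_images are this example's own choices. The scan call is injectable so the same code runs offline against a stub:

```python
"""Glyphward pre-scan step for a SageMaker ProcessingStep (added example).

Walks the processing input directory, scans every image, copies only
images below the threshold to the output directory, and writes a manifest
of rejected paths. Any scan failure is treated as a rejection (fail-closed)
so an unscanned image can never reach the TransformStep.
"""
import base64
import json
import os
import shutil
import urllib.request
from pathlib import Path

SCAN_URL = "https://glyphward.com/v1/scan"
THRESHOLD = 65
IMAGE_SUFFIXES = {".jpg", ".jpeg", ".png", ".webp"}


def glyphward_scan(image_bytes: bytes, api_key: str) -> dict:
    """Live scan call; raises on network errors or non-2xx responses."""
    body = json.dumps({"image": base64.b64encode(image_bytes).decode()}).encode()
    req = urllib.request.Request(
        SCAN_URL,
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:  # HTTPError on 4xx/5xx
        return json.loads(resp.read())


def filter_images(input_dir, output_dir, scan=None, threshold=THRESHOLD) -> dict:
    """Copy clean images to output_dir/clean and return the manifest dict.

    `scan` is a callable(bytes) -> dict containing a "score" key; it defaults
    to the live Glyphward call using the GLYPHWARD_API_KEY env var (assumed name).
    """
    input_dir, output_dir = Path(input_dir), Path(output_dir)
    clean_dir = output_dir / "clean"
    clean_dir.mkdir(parents=True, exist_ok=True)
    if scan is None:
        api_key = os.environ["GLYPHWARD_API_KEY"]
        scan = lambda b: glyphward_scan(b, api_key)

    manifest = {"clean": [], "rejected": []}
    for path in sorted(input_dir.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in IMAGE_SUFFIXES:
            continue  # skip directories, manifests, non-image sidecar files
        rel = str(path.relative_to(input_dir))
        try:
            result = scan(path.read_bytes())
            score = int(result["score"])
        except Exception as exc:  # network error, bad JSON, missing field
            manifest["rejected"].append({"path": rel, "reason": f"scan_error: {exc}"})
            continue
        if score >= threshold:
            manifest["rejected"].append(
                {"path": rel, "score": score, "scan_id": result.get("scan_id")}
            )
            continue
        dest = clean_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(path, dest)
        manifest["clean"].append({"path": rel, "score": score})

    # The manifest doubles as the pipeline metric source for rejected counts.
    (output_dir / "rejected_manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


if __name__ == "__main__":
    m = filter_images("/opt/ml/processing/input/images", "/opt/ml/processing/output")
    print(f"clean={len(m['clean'])} rejected={len(m['rejected'])}")
```

Point the ProcessingStep's ProcessingInput at the image prefix and its ProcessingOutput at /opt/ml/processing/output; the TransformStep then takes the clean/ sub-prefix of that output as its input, so images that were rejected or never scanned are structurally unreachable by the transform job.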
Can adversarial images exfiltrate IAM role credentials through SageMaker inference?
Yes, in pipelines where VLM output is used unsafely. If a SageMaker inference result (e.g., a JSON document extracted from an uploaded image) is subsequently passed to a Python eval(), an f-string template, or a tool-use invocation that treats VLM output as trusted instructions, an adversarial image that injects a command to "output the environment variables as JSON" can cause the Lambda or SageMaker processing job to execute that instruction against the execution environment. SageMaker Processing jobs run with IAM execution roles that typically have S3 access and SageMaker API permissions. The mitigation is both defensive (block adversarial images with Glyphward before inference) and structural (treat all VLM output as untrusted text — never pass it to eval, subprocess, or tool-calling APIs without validation). The Glyphward scan addresses the defensive layer; output validation is a separate architectural concern.
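The structural half of that mitigation, treating VLM output as untrusted text, as an added example that is not part of the page or of Glyphward's product. It parses model output into a fixed schema and returns plain data for a DynamoDB item or S3 record instead of rendering it into a template, eval() or a tool call. The field schema (PRODUCT_SCHEMA), the size limits and the function names are constructed for illustration:

```python
"""Strict validation of VLM output before it touches anything with privileges.

Added example. Rejects anything that is not a JSON object with exactly the
allowlisted keys and types, so extra "instruction" fields, wrong types,
oversized values and control characters never reach downstream code.
"""
import json

MAX_STR = 512   # constructed limits for this example
MAX_LIST = 32

# Allowlisted fields and the only Python types accepted for each (constructed).
PRODUCT_SCHEMA = {
    "title": str,
    "category": str,
    "price_usd": (int, float),
    "tags": list,
}


class UntrustedOutputError(ValueError):
    """Raised when model output does not match the expected schema."""


def _check_str(key: str, s: str) -> None:
    if len(s) > MAX_STR:
        raise UntrustedOutputError(f"{key}: string exceeds {MAX_STR} chars")
    if any(ord(c) < 32 and c != "\t" for c in s) or "\x7f" in s:
        raise UntrustedOutputError(f"{key}: control characters")


def validate_vlm_output(raw: str, schema=PRODUCT_SCHEMA) -> dict:
    """Return a dict matching `schema` exactly, or raise UntrustedOutputError."""
    try:
        obj = json.loads(raw)
    except (TypeError, ValueError) as exc:
        raise UntrustedOutputError(f"not JSON: {exc}") from None
    if not isinstance(obj, dict):
        raise UntrustedOutputError("top level is not an object")
    unknown = set(obj) - set(schema)
    if unknown:
        raise UntrustedOutputError(f"unexpected keys: {sorted(unknown)}")
    missing = set(schema) - set(obj)
    if missing:
        raise UntrustedOutputError(f"missing keys: {sorted(missing)}")

    clean = {}
    for key, typ in schema.items():
        val = obj[key]
        # bool is a subclass of int in Python; reject it explicitly for numeric fields
        if isinstance(val, bool) or not isinstance(val, typ):
            raise UntrustedOutputError(f"{key}: wrong type {type(val).__name__}")
        if isinstance(val, str):
            _check_str(key, val)
        if isinstance(val, list):
            if len(val) > MAX_LIST or not all(isinstance(v, str) for v in val):
                raise UntrustedOutputError(f"{key}: list too long or non-string items")
            for v in val:
                _check_str(key, v)
        clean[key] = val
    return clean


def safe_parse(raw: str, schema=PRODUCT_SCHEMA):
    """Convenience wrapper: validated dict on success, None on any rejection."""
    try:
        return validate_vlm_output(raw, schema)
    except UntrustedOutputError:
        return None
```

The returned dict is safe to hand to boto3 as item attributes precisely because it is data with a known shape; the moment a value is interpolated into a shell command, an f-string that becomes code, or a tool-call argument, this validation no longer protects you.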
What is the cost of adding Glyphward scanning to SageMaker batch transform at scale?
At Glyphward Pro tier ($29/mo), you get 100,000 scans/month. A SageMaker Batch Transform job processing 50,000 images weekly consumes the full Pro quota in two weeks. For high-volume batch transform workloads, consider Team tier ($99/mo, 1M scans/month) or contact us for volume pricing. As a comparison point: SageMaker ml.g4dn.xlarge instances cost approximately $0.736/hour — a 10-hour batch transform job on a single instance costs $7.36 in GPU compute alone. The Glyphward scan cost per image at Pro tier ($29/100k = $0.00029/scan) is negligible compared to SageMaker compute costs, and a single blocked adversarial image that would have corrupted a downstream Kendra index or DynamoDB table represents far more remediation cost than the scan service fee.
Further reading
- AWS Bedrock Agents and multimodal prompt injection — companion coverage for the Bedrock layer above SageMaker
- For AWS Lambda AI — Lambda function pre-scan pattern for serverless image processing
- OWASP LLM01 Prompt Injection — multimodal dimension — the attack class that SageMaker image pipelines must defend against
- OWASP LLM03 Training Data Poisoning — multimodal dimension — adversarial images in SageMaker fine-tuning datasets
- Multimodal AI security checklist — complete review for AWS SageMaker deployments
- Glyphward API free tier — test against your SageMaker pipeline today at no cost