MLOps Platform Security Lab
Audit a realistic MLOps stack — notebook server, model registry, and inference API — for credential exposure, overprivileged IAM, secrets in CI pipelines, and unprotected model artifacts. Produce a platform hardening recommendation.
Mission
Primary objective
Analyze all four fixtures for the MLOps stack. For each: identify the specific vulnerability, determine blast radius if exploited, and recommend a targeted control. Produce a hardening summary ordered by severity.
Brief
Scenario
AI platform security audit
Your organization runs a self-hosted MLOps stack: JupyterHub for experimentation, MLflow for experiment tracking and the model registry, a GitHub Actions pipeline for training runs, and a FastAPI inference service behind an internal load balancer. A security review flagged four artifacts for investigation: a Jupyter notebook with AWS credential output, a GitHub Actions workflow file, the MLflow model registry configuration, and the inference API's IAM role policy. You must assess each for security gaps and prioritize remediation.
Objectives
- Identify how notebook environments expose credentials through environment variables, cell outputs, and git commits.
- Recognize overprivileged IAM roles attached to model training jobs and inference services.
- Find secrets leaking through CI/CD pipelines: hardcoded API keys, unscoped service accounts, and artifact signing gaps.
- Assess model registry access controls — who can push, pull, approve, and promote model artifacts.
- Produce a platform hardening recommendation covering the full training-to-inference path.
Prerequisites
- Understand basic cloud IAM concepts (roles, policies, service accounts).
- Know what a model registry does and how model artifacts are versioned and promoted.
- Review how CI/CD pipelines are typically used for ML model training and deployment.
Expected signals
- credential in notebook output
- overprivileged training job role
- CI secret in plaintext
- unauthenticated model registry
- inference API least-privilege gap
- missing artifact signing
Prepare
Reading materials
AIPSA Field Guide · Ch 7
MLOps Platform Security
Security of notebooks, experiment tracking, model registries, pipelines, GPUs, containers, inference services, cloud IAM, secrets, and CI/CD for AI platforms.
Do not rebuild
Reusable source assets
Jupyter notebook with credential output
A training notebook that prints AWS credentials via boto3 output in cell 7. The credentials have overly broad IAM permissions and are committed to version control via Jupyter's auto-save.
llm-attack-range/ai-security-range/fixtures/mlops/notebook-credential-leak.ipynb
GitHub Actions training workflow
A GitHub Actions workflow for model training that stores the MLflow tracking URI and AWS secret key as plaintext env vars in the workflow file rather than using GitHub Secrets.
llm-attack-range/ai-security-range/fixtures/mlops/training-pipeline.yml
MLflow model registry configuration
MLflow server configuration showing the artifact store is an S3 bucket with a public-read ACL, authentication disabled on the tracking server, and no approval gate before Production stage transitions.
llm-attack-range/ai-security-range/fixtures/mlops/mlflow-config.json
Inference API IAM role policy
IAM role policy attached to the inference service. Grants s3:GetObject on *, ec2:DescribeInstances, iam:ListRoles, and logs:CreateLogGroup — far more than needed to serve model predictions.
llm-attack-range/ai-security-range/fixtures/mlops/inference-iam-policy.json
Sample inputs
Notebook cell 7 output (credential leak) · code
This output is persisted in the .ipynb JSON and will be committed to the repository unless cells are cleared before commit. The credentials have AdministratorAccess attached.
# Cell 7 output — boto3 client instantiation
import boto3
session = boto3.Session()
credentials = session.get_credentials().get_frozen_credentials()
print(f"Access key: {credentials.access_key}")
print(f"Secret: {credentials.secret_key}")
# Output:
# Access key: AKIAIOSFODNN7EXAMPLE
# Secret: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Inference IAM policy (overprivileged) · json
Minimum required: s3:GetObject on the specific model artifact bucket/prefix. The ec2 and iam actions are completely unnecessary for inference and create significant lateral movement risk.
{
"Version": "2012-10-17",
"Statement": [
{ "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*" },
{ "Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:DescribeVpcs"], "Resource": "*" },
{ "Effect": "Allow", "Action": ["iam:ListRoles", "iam:GetRole"], "Resource": "*" },
{ "Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "*" }
]
}
Track progress
Lab steps
Audit the notebook for credential exposure
Review the notebook credential-leak fixture. Identify: (1) how the credential reached a cell output, (2) why this is dangerous beyond just the current IAM permissions, (3) what git-level protections would prevent this from being committed, and (4) the correct pattern for accessing AWS services from a notebook environment without long-lived credentials.
Evidence prompt: Describe the credential exposure vector, the blast radius with AdministratorAccess, and two controls: pre-commit hook approach and IAM role approach.
Audit the CI pipeline for secret hygiene
Review the GitHub Actions workflow file. Identify all hardcoded secrets and environment variables that should be GitHub Secrets or OIDC-based short-lived credentials. For each: explain why the current approach is dangerous (rotation friction, log exposure, fork exposure) and provide the corrected workflow snippet.
Evidence prompt: List each exposed value, its risk, and the corrected YAML approach (GitHub Secret reference or OIDC block).
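As an added example (not part of the lab fixtures or its answer key), a pre-commit style scanner covering steps 1 and 2: it parses a notebook's persisted cell outputs for AWS key material and checks workflow env lines for sensitive values that are not GitHub Secrets references. The key regexes, the env-name list and the sample notebook/workflow are constructed assumptions; the sample keys are AWS's documented example credentials already shown in the fixture above.

```python
import json
import re

# Constructed patterns: AWS access key IDs are AKIA/ASIA + 16 uppercase alphanumerics,
# secret keys are 40 base64-style characters (broad on purpose; expect some false positives).
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
# Env names the lab's workflow fixture stores in plaintext; each must be a GitHub Secrets reference.
SECRET_ENV_NAMES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "MLFLOW_TRACKING_URI"}
SECRETS_REF_RE = re.compile(r"\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}")

def _as_text(value):
    return "".join(value) if isinstance(value, list) else str(value)  # nbformat allows str or list

def scan_notebook(nb_json: str) -> list:
    """Return (cell_index, matched_value) for AWS keys persisted in cell outputs."""
    findings = []
    for idx, cell in enumerate(json.loads(nb_json).get("cells", [])):
        for out in cell.get("outputs", []):
            # stream outputs carry "text"; execute_result/display_data carry "data"
            text = _as_text(out.get("text", "")) + _as_text(out.get("data", {}).get("text/plain", ""))
            for match in ACCESS_KEY_RE.findall(text) + SECRET_KEY_RE.findall(text):
                findings.append((idx, match))
    return findings

def scan_workflow(yaml_text: str) -> list:
    """Return (line_no, env_name) for sensitive env vars whose value is not a secrets.* reference."""
    findings = []
    for no, line in enumerate(yaml_text.splitlines(), 1):
        key, sep, value = line.strip().partition(":")
        if sep and key in SECRET_ENV_NAMES and not SECRETS_REF_RE.search(value):
            findings.append((no, key))
    return findings

# Constructed fixtures: the notebook's second cell holds the page's cell-7 output (AWS's
# documented example keys); the workflow keeps two of the three sensitive values in plaintext.
SAMPLE_NOTEBOOK = json.dumps({"cells": [
    {"cell_type": "code", "outputs": [{"output_type": "stream", "text": ["ok\n"]}]},
    {"cell_type": "code", "outputs": [{"output_type": "stream", "text": [
        "Access key: AKIAIOSFODNN7EXAMPLE\n", "Secret: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"]}]},
]})
SAMPLE_WORKFLOW = """\
name: train
env:
  MLFLOW_TRACKING_URI: http://mlflow.internal:5000
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""
```

Run both scanners over staged .ipynb and workflow files from a pre-commit hook and fail the commit on any finding; clearing outputs before commit remains the complementary control.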
Assess the model registry security posture
Review the MLflow configuration fixture. Identify: (1) the impact of a public-read artifact S3 bucket, (2) what an unauthenticated tracking server allows an attacker to do, and (3) why no approval gate before Production transitions is a model integrity risk. Recommend specific MLflow configuration changes.
Evidence prompt: For each finding: current config → risk → recommended config change.
Apply least privilege to the inference IAM role
The inference API only needs to load a model artifact from S3 and write logs. Rewrite the IAM policy to least-privilege scope. Then produce the hardening summary: all four findings ordered by severity (Critical / High / Medium / Low) with one recommended control per finding.
Evidence prompt: Provide the least-privilege IAM policy JSON and the four-finding hardening summary with severity and control.
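An added example for step 4 (not the lab's own solution): it audits the page's inference IAM policy against the actions the service actually needs and builds the scoped-down replacement. The required-action set, the three CloudWatch Logs actions, and the bucket, prefix, account and log-group parameters are assumptions.

```python
# What the inference service actually needs per the lab brief: read its model artifact
# from S3 and write CloudWatch logs (assumed to require these three logs actions).
REQUIRED_ACTIONS = {"s3:GetObject", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"}

def _listify(v):
    return v if isinstance(v, list) else [v]  # IAM allows a string or a list for Action/Resource

def audit_policy(policy: dict) -> list:
    """Return (action, reason) for every Allow that exceeds the inference role's needs."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _listify(stmt.get("Resource", "*"))
        for action in _listify(stmt.get("Action", [])):
            if action not in REQUIRED_ACTIONS:
                findings.append((action, "not needed for inference"))
            elif "*" in resources:
                findings.append((action, "needed, but granted on Resource '*'"))
    return findings

def least_privilege_policy(bucket, prefix, region, account, log_group) -> dict:
    """Scope the role to one model artifact prefix and one log group (assumed ARN layout)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*"},
            {"Effect": "Allow",
             "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": f"arn:aws:logs:{region}:{account}:log-group:{log_group}:*"},
        ],
    }

# The lab's overprivileged inference policy, as shown on this page.
OVERPRIVILEGED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:DescribeVpcs"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:ListRoles", "iam:GetRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "*"},
    ],
}
```

audit_policy(OVERPRIVILEGED) yields six findings (four unneeded actions, two wildcard-scoped ones); the policy returned by least_privilege_policy with placeholder bucket and account values audits clean.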
Submission draft
Evidence artifact builder
MLOps Platform Security Assessment
Document findings across the training, registry, CI, and inference surfaces. Severity ratings drive remediation priority.
Reference
Framework mappings
OWASP LLM Top 10
LLM03 · Training Data Poisoning
NIST AI RMF
MANAGE · AI risk management and control
MITRE ATLAS
AML.T0010 · ML Supply Chain Compromise
ISO 42001
8.4 · AI system operation and monitoring