
lacework-global-388

Amazon SageMaker notebook instances should not have direct internet access (Automated)

Description

If you configure your SageMaker notebook instance without a Virtual Private Cloud (VPC), the instance has direct internet access enabled by default. You should configure the instance with a VPC and change the default setting to Disable - Access the internet through a VPC. Training or hosting models from a notebook still requires internet access, so the VPC must provide it as described below.

To provide internet access, your VPC must have either an interface endpoint (AWS PrivateLink) or a Network Address Translation (NAT) gateway, and a security group that allows outbound connections. To learn more about how to connect a notebook instance to resources in a VPC, see "Connect a Notebook Instance to Resources in a VPC" (https://docs.aws.amazon.com/sagemaker/latest/dg/appendix-notebook-and-internet-access.html) in the Amazon SageMaker Developer Guide.

You should also ensure that you limit access to your SageMaker configuration to only authorized users. Restrict Identity and Access Management (IAM) permissions that permit users to change SageMaker settings and resources.

Remediation

Note: You cannot update an existing notebook instance. Instead, you need to stop, delete and recreate the instance, ensuring that you specify a VPC and set Direct internet access to Disable.

From the AWS Console:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Machine Learning > Amazon SageMaker.
  4. In the left pane, expand the Notebook heading and click Notebook instances.
  5. Select the notebook, and click Actions > Stop.
  6. Once stopped, click Actions > Delete.
  7. After the instance is deleted, recreate the notebook by clicking Create notebook instance.
  8. Configure it as required, ensuring that under Network you specify a VPC and select Disable - Access the internet through a VPC.
  9. Click Create notebook instance.

From CLI:

First stop the notebook instance:

aws sagemaker stop-notebook-instance --notebook-instance-name <notebook_instance_name>

Once stopped, delete the notebook instance:

aws sagemaker delete-notebook-instance --notebook-instance-name <notebook_instance_name>

Finally, recreate the notebook instance as required, in a VPC subnet with direct internet access disabled (the API rejects --direct-internet-access Disabled unless a subnet is specified):

aws sagemaker create-notebook-instance --notebook-instance-name <notebook_instance_name> --direct-internet-access Disabled --subnet-id <subnet_id> --security-group-ids <security_group_id> --instance-type <ml_compute_instance_type> --role-arn <arn_for_assumed_role>
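The automated check behind this control can be reproduced against the output of aws sagemaker describe-notebook-instance. The following Python is an added example, not part of the Lacework policy or any AWS tooling: evaluate() flags instances whose DirectInternetAccess is not Disabled or that have no VPC subnet; the sample responses are constructed, and the optional fetch_live() helper assumes boto3 and AWS credentials are available.

```python
"""Check SageMaker notebook instances against the control above.
evaluate() takes dicts shaped like the DescribeNotebookInstance response
(aws sagemaker describe-notebook-instance / boto3 describe_notebook_instance)."""

# Constructed sample responses, not real account data.
SAMPLE_INSTANCES = [
    {   # Created without a VPC: no SubnetId, direct internet access on by default.
        "NotebookInstanceName": "nb-no-vpc", "NotebookInstanceStatus": "InService",
        "DirectInternetAccess": "Enabled"},
    {   # In a VPC, but the default Enabled setting was kept.
        "NotebookInstanceName": "nb-vpc-open", "NotebookInstanceStatus": "Stopped",
        "DirectInternetAccess": "Enabled",
        "SubnetId": "subnet-0example", "SecurityGroups": ["sg-0example"]},
    {   # Compliant: in a VPC with direct internet access disabled.
        "NotebookInstanceName": "nb-private", "NotebookInstanceStatus": "InService",
        "DirectInternetAccess": "Disabled",
        "SubnetId": "subnet-0example", "SecurityGroups": ["sg-0example"]},
]

def evaluate(instance):
    """Return the reasons an instance fails the control (empty list = compliant)."""
    reasons = []
    # A missing value is treated as Enabled, the default for non-VPC instances.
    if instance.get("DirectInternetAccess", "Enabled") != "Disabled":
        reasons.append("DirectInternetAccess is not Disabled")
    if not instance.get("SubnetId"):
        reasons.append("not attached to a VPC subnet")
    return reasons

def noncompliant(instances):
    """Map each failing instance name to its list of reasons."""
    return {i["NotebookInstanceName"]: r for i in instances if (r := evaluate(i))}

def fetch_live():
    """Describe every notebook instance in the current region.
    Assumes boto3 and AWS credentials; imported lazily so the sample run stays offline."""
    import boto3
    sm = boto3.client("sagemaker")
    names = [n["NotebookInstanceName"]
             for page in sm.get_paginator("list_notebook_instances").paginate()
             for n in page["NotebookInstances"]]
    return [sm.describe_notebook_instance(NotebookInstanceName=n) for n in names]

if __name__ == "__main__":
    for name, reasons in noncompliant(SAMPLE_INSTANCES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Replace SAMPLE_INSTANCES with fetch_live() to scan a real account; each flagged instance then needs the stop, delete and recreate sequence shown above.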

References

https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-1
https://docs.aws.amazon.com/sagemaker/latest/dg/appendix-notebook-and-internet-access.html
https://docs.aws.amazon.com/sagemaker/latest/dg/ex1-cleanup.html
https://docs.aws.amazon.com/sagemaker/latest/dg/howitworks-create-ws.html
https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html