lacework-global-389

Users should not have root access to SageMaker notebook instances (Automated)

Description

Following the principle of least privilege, it is a recommended security best practice to restrict root access to instance resources, which avoids unintentionally over-provisioning permissions.

Remediation

From the AWS Console:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Machine Learning > Amazon SageMaker.
  4. In the left pane, expand the Notebook heading and click Notebook instances.
  5. Select the notebook, and click Actions > Update settings.
  6. Under Permissions and encryption, set Root access to Disable.
  7. Click Update notebook instance.

From CLI:

Update the notebook instance to remove root access:

aws sagemaker update-notebook-instance --notebook-instance-name <notebook-instance-name> --root-access Disabled
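To apply this across a whole region, the following added example (not part of the original policy page) lists notebook instances whose root access is still enabled and applies the CLI remediation above to one of them. The function names are hypothetical, and the Stopped-status check assumes SageMaker only accepts updates to stopped notebook instances.

```shell
# Added example: audit and remediate root access on SageMaker notebook instances.
# Assumes the AWS CLI is configured with credentials and a default region.

# Print the name of every notebook instance whose RootAccess is "Enabled".
# list-notebook-instances does not return RootAccess, so each instance
# is described individually.
list_root_enabled() {
    for nb in $(aws sagemaker list-notebook-instances \
            --query 'NotebookInstances[].NotebookInstanceName' \
            --output text); do
        access=$(aws sagemaker describe-notebook-instance \
            --notebook-instance-name "$nb" \
            --query 'RootAccess' --output text)
        if [ "$access" = "Enabled" ]; then
            echo "$nb"
        fi
    done
    return 0
}

# Disable root access on one instance. Returns 1 without changing anything
# if the instance is not stopped (assumption: updates need a stopped instance).
disable_root() {
    target=$1
    status=$(aws sagemaker describe-notebook-instance \
        --notebook-instance-name "$target" \
        --query 'NotebookInstanceStatus' --output text)
    if [ "$status" != "Stopped" ]; then
        echo "skip $target: status is $status, stop the instance first" >&2
        return 1
    fi
    aws sagemaker update-notebook-instance \
        --notebook-instance-name "$target" --root-access Disabled
}

# Typical use:
#   list_root_enabled            # review the findings
#   disable_root <notebook-instance-name>
```

Run `list_root_enabled` again after remediation; an empty result means no instance in the region still grants root access.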

References

https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-3
https://docs.aws.amazon.com/sagemaker/latest/dg/nbi-root-access.html