lacework-global-389
Users should not have root access to SageMaker notebook instances (Automated)
Description
In adherence to the principle of least privilege, it is a recommended security best practice to restrict root access to notebook instance resources so that users are not unintentionally over-provisioned with permissions.
Remediation
From the AWS Console:
- Log in to the AWS Management Console.
- Click Services.
- Select Machine Learning > Amazon SageMaker.
- In the left pane, expand the Notebook heading and click Notebook instances.
- Select the notebook, and click Actions > Update settings.
- Under Permissions and encryption, set Root access to Disable.
- Click Update notebook instance.
From CLI:
Update the notebook instance to remove root access:
aws sagemaker update-notebook-instance --notebook-instance-name <notebook-instance-name> --root-access Disabled
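The CLI remediation above, extended into a check across every notebook instance in the current region, as an added example that is not Lacework or AWS code: it reports each instance with root access enabled and applies the fix only when APPLY=1 is set. The function names and the APPLY variable are assumptions; a running instance is stopped first because update-notebook-instance is rejected unless the instance is in the Stopped state.

```shell
#!/bin/sh
# Added example; function names and the APPLY variable are illustrative.

# Print "<name> <status>" for each notebook instance whose RootAccess is Enabled.
find_root_enabled() {
  local names n info
  names=$(aws sagemaker list-notebook-instances \
    --query 'NotebookInstances[].NotebookInstanceName' --output text) || return 1
  for n in $names; do
    info=$(aws sagemaker describe-notebook-instance --notebook-instance-name "$n" \
      --query '[RootAccess,NotebookInstanceStatus]' --output text) || return 1
    set -- $info                # $1 = RootAccess, $2 = NotebookInstanceStatus
    if [ "$1" = "Enabled" ]; then printf '%s %s\n' "$n" "$2"; fi
  done
}

# Apply the page's CLI fix to one instance. An InService instance is stopped
# before the update and started again afterwards.
disable_root_access() {
  local n was
  n=$1; was=$2
  if [ "$was" = "InService" ]; then
    aws sagemaker stop-notebook-instance --notebook-instance-name "$n" || return 1
    aws sagemaker wait notebook-instance-stopped --notebook-instance-name "$n" || return 1
  fi
  aws sagemaker update-notebook-instance --notebook-instance-name "$n" \
    --root-access Disabled || return 1
  if [ "$was" = "InService" ]; then
    # The update moves the instance through Updating and back to Stopped.
    aws sagemaker wait notebook-instance-stopped --notebook-instance-name "$n" || return 1
    aws sagemaker start-notebook-instance --notebook-instance-name "$n" || return 1
  fi
}

# Report every finding; change anything only when APPLY=1 is set.
audit_root_access() {
  local findings n status
  findings=$(find_root_enabled) || return 1
  if [ -z "$findings" ]; then
    echo "PASS: no notebook instance has root access enabled"
    return 0
  fi
  echo "$findings" | while read -r n status; do
    echo "FINDING: $n has root access enabled (status: $status)"
    if [ "${APPLY:-0}" = "1" ]; then disable_root_access "$n" "$status" </dev/null; fi
  done
}
```

Run `audit_root_access` for a report, or `APPLY=1 audit_root_access` to remediate. Lifecycle configuration scripts still run as root after this change, so review them separately.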
References
https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-3
https://docs.aws.amazon.com/sagemaker/latest/dg/nbi-root-access.html