lacework-global-394
Launch SageMaker notebook instances in a custom Virtual Private Cloud (VPC) (Automated)
Description
Subnets are a range of IP addresses within a VPC. Best practices recommend to keep your resources inside a custom VPC whenever possible to ensure secure network protection of your infrastructure. An Amazon VPC is a virtual network dedicated to your AWS account.
With an Amazon VPC, you can control the network access and internet connectivity of your SageMaker Studio and notebook instances.
Remediation
You can not update an existing notebook instance, instead, you need to stop, delete and recreate the instance, ensuring that you specify a custom VPC.
From the AWS Console:
- Log in to the AWS Management Console.
- Click Services.
- Select Machine Learning > Amazon SageMaker.
- In the left pane, expand the Notebook heading and click Notebook instances.
- Select the notebook, and click Actions > Stop.
- Once stopped, click Actions > Delete.
- After deleting, then recreate the notebook by clicking Create notebook instance.
- Configure as required, ensuring that under Network, that you specify a custom VPC.
- Click Create notebook instance.
From CLI:
First stop the notebook instance:
aws sagemaker stop-notebook-instance --notebook-instance-name <notebook_instance_name>
Once stopped, delete the notebook instance:
aws sagemaker delete-notebook-instance --notebook-instance-name <notebook_instance_name>
Finally, recreate the notebook instance as required, with direct internet access disabled:
aws sagemaker create-notebook-instance --notebook-instance-name <notebook_instance_name> --instance-type <ml_compute_instance_type> --role-arn <arn_for_assumed_role> --subnet_id <subnet_id_in_vpc> --security_group-ids <list_of_vpc_security_group_ids>
References
https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-2
https://docs.aws.amazon.com/sagemaker/latest/dg/ex1-cleanup.html