Once a SageMaker Notebook Instance has been created, the networking configuration cannot be changed and a new instance will need to be created with the desired configuration. For control over a notebook instance Direct internet access, ensure that the security group is configured with an appropriate NAT gateway (see AWS documentation below). To create a new instance with the recommended settings, follow the steps below.

In AWS Console -

Sign in to the AWS Console and go to SageMaker dashboard.
Under Notebook select Notebook Instances.
Select Create notebook instance.
Under Network, set the VPC, Subnet, and Security Group appropriate.
Disable Direct internet access.

In Terraform -

In the aws_sagemaker_notebook_instance resource, set the direct_internet_access field to false.
Set the subnet_id to the VPC ID that the instance should be connected to.
Configure the security_groups field to use the security groups for the VPC network.

References:
https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html
https://aws.amazon.com/premiumsupport/knowledge-center/sagemaker-notebook-vpc-troubleshoot/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_notebook_instance#direct_internet_access
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_notebook_instance#subnet_id
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_notebook_instance#security_groups

ID	Name	CSP	Domain	Severity
AC_AWS_0425	Ensure root access is disabled for AWS SageMaker Notebook instances	AWS	Security Best Practices	HIGH
AC_AWS_0384	Ensure data encryption is enabled for AWS SageMaker Notebook instances	AWS	Data Protection	HIGH
AC_AWS_0424	Ensure direct access from the internet is disabled for AWS SageMaker Notebook instances	AWS	Data Protection	HIGH

Detections

Analytics

Tenable Cloud Security Policies Search

HIGH

HIGH

HIGH