Ensure direct access from the internet is disabled for AWS SageMaker Notebook instances

HIGH

Description

When Direct internet access is enabled, an AWS SageMaker Notebook instance reaches the internet through a SageMaker-managed network instead of through your VPC, so its outbound traffic bypasses the security groups, network ACLs, route tables and egress monitoring you control. A compromised notebook (for example through a malicious package installed in a kernel, or stolen credentials) could then download tooling or exfiltrate training data and secrets without passing any VPC egress control. Disabling Direct internet access forces all traffic through the VPC subnet and security groups attached to the instance.

Remediation

Once a SageMaker Notebook Instance has been created, its networking configuration (VPC subnet and the Direct internet access setting) cannot be changed; a new instance must be created with the desired configuration. With Direct internet access disabled the notebook can only reach the internet through your VPC, so if outbound access is required (for example to package repositories) give the subnet's route table a route to a NAT gateway, or better, use VPC interface and gateway endpoints for the AWS services the notebook needs so that no internet route is required at all (see the AWS documentation below). To create a new instance with the recommended settings, follow the steps below.

In AWS Console -

  1. Sign in to the AWS Console and go to SageMaker dashboard.
  2. Under Notebook select Notebook Instances.
  3. Select Create notebook instance.
  4. Under Network, set the VPC, Subnet, and Security group(s) appropriately; choose a private subnet.
  5. Set Direct internet access to Disable.

In Terraform -

  1. In the aws_sagemaker_notebook_instance resource, set the direct_internet_access field to "Disabled" (the attribute is a string and defaults to "Enabled").
  2. Set subnet_id to the ID of the VPC subnet the instance should be attached to (a subnet ID, not the VPC ID); this is required when Direct internet access is disabled.
  3. Set security_groups to one or more security groups in that VPC; this is also required when Direct internet access is disabled.
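The following is an added Terraform example (not from the original page or the Terraform provider documentation) that puts the three settings above together: a notebook instance in a private subnet with Direct internet access disabled, plus a SageMaker API interface endpoint so the instance can call the SageMaker API without a NAT gateway. The variable names, resource names, instance type and the execution role are assumptions; supply the IDs for your own VPC.

```hcl
# Added example, not from the original page. All names, the VPC/subnet IDs
# and the IAM execution role are assumed values supplied through variables.

variable "vpc_id"             { type = string }
variable "private_subnet_id"  { type = string }
variable "execution_role_arn" { type = string }

data "aws_region" "current" {}

# Security group attached to the notebook instance. No ingress rules: the
# notebook is reached only through the SageMaker console / presigned URL,
# never by a direct connection from the internet.
resource "aws_security_group" "notebook" {
  name        = "sagemaker-notebook-sg"
  description = "SageMaker notebook in a private subnet"
  vpc_id      = var.vpc_id

  egress {
    description = "HTTPS to VPC endpoints and in-VPC targets"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Security group for the interface endpoint: accept HTTPS only from the
# notebook's security group.
resource "aws_security_group" "endpoint" {
  name        = "sagemaker-endpoint-sg"
  description = "SageMaker API interface endpoint"
  vpc_id      = var.vpc_id

  ingress {
    description     = "HTTPS from the notebook instance"
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.notebook.id]
  }
}

# Interface endpoint so the notebook can call the SageMaker API from the
# private subnet without any route to the internet.
resource "aws_vpc_endpoint" "sagemaker_api" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.sagemaker.api"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [var.private_subnet_id]
  security_group_ids  = [aws_security_group.endpoint.id]
  private_dns_enabled = true
}

resource "aws_sagemaker_notebook_instance" "private" {
  name          = "private-notebook"
  role_arn      = var.execution_role_arn
  instance_type = "ml.t3.medium"

  # The non-compliant configuration flagged by this rule is
  # direct_internet_access = "Enabled", which is also the default when the
  # attribute is omitted.
  direct_internet_access = "Disabled"

  # Both attributes are required once direct_internet_access is "Disabled":
  # a subnet ID (not the VPC ID) and security groups in that VPC.
  subnet_id       = var.private_subnet_id
  security_groups = [aws_security_group.notebook.id]
}
```

If the notebook also needs to read or write S3 data, add a gateway endpoint for S3 (aws_vpc_endpoint with vpc_endpoint_type = "Gateway" associated with the private subnet's route table) rather than a NAT gateway; a NAT gateway is only needed when the notebook must reach non-AWS destinations such as public package indexes. Because the subnet and Direct internet access setting cannot be changed on an existing instance, applying this change to an instance created with the default replaces it.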

References:
https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html
https://aws.amazon.com/premiumsupport/knowledge-center/sagemaker-notebook-vpc-troubleshoot/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_notebook_instance#direct_internet_access
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_notebook_instance#subnet_id
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_notebook_instance#security_groups

Policy Details

Rule Reference ID: AC_AWS_0424
CSP: AWS
Remediation Available: Yes
Resource Category: Analytics
Resource Type: Sagemaker

Frameworks