Best practice rules for Amazon SageMaker
- Amazon SageMaker Notebook Instance In VPC
Ensure that Amazon SageMaker notebook instances are deployed into a VPC.
- Check for Missing Execution Role
Ensure that SageMaker notebook instances are referencing active execution roles.
- Disable Direct Internet Access for Notebook Instances
Ensure that direct internet access is disabled for SageMaker notebook instances, so that all traffic leaves through the attached VPC rather than the SageMaker-managed internet path.
- Disable Root Access for SageMaker Notebook Instances
Ensure that root access is disabled for Amazon SageMaker notebook instances.
- Enable Data Capture for SageMaker Endpoints
Ensure that SageMaker endpoints are configured to capture inference request and response data, which is useful for retraining, debugging, and monitoring.
- Enable Inter-Container Traffic Encryption
Ensure that inter-container traffic encryption is enabled for your SageMaker training jobs.
- Enable Network Isolation for SageMaker Models
Ensure that network isolation is enabled for your SageMaker models so that the model container cannot make outbound network calls.
- Enable Network Isolation for SageMaker Training Jobs
Ensure that network isolation is enabled for your SageMaker training jobs so that the training container cannot make outbound network calls.
- Enable SageMaker Notebook Instance Data Encryption (Deprecated)
Ensure that data available on Amazon SageMaker notebook instances is encrypted.
- Enable VPC Only for SageMaker Domains
Ensure that SageMaker Domains use "VPC Only" network access so that Studio traffic is routed through your VPC instead of the SageMaker-managed internet path.
- Endpoints Encrypted With KMS Customer Managed Keys
Ensure that SageMaker endpoints are using AWS KMS Customer Managed Keys (CMKs) for data encryption.
- Notebook Data Encrypted With KMS Customer Managed Keys
Ensure that SageMaker notebook instance storage volumes are encrypted with AWS KMS Customer Managed Keys (CMKs).
- Notebook in VPC Only Mode Can Access Required Resources
Ensure that SageMaker notebook instances deployed into a VPC can access required resources.
- Output and Storage Volume Data Encrypted With KMS Customer Managed Keys
Ensure that training job volume and output data is encrypted with AWS KMS Customer Managed Keys (CMKs).
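The rules above map onto a handful of fields in the SageMaker describe API responses. The following is an added example, not the rule engine behind this page: offline evaluators that take dicts shaped like boto3's describe_notebook_instance, describe_training_job, describe_endpoint_config, describe_model and describe_domain responses and return the names of the rules each resource fails. The sample resources and ARNs are constructed. The "Notebook in VPC Only Mode Can Access Required Resources" rule is omitted because it needs live reachability checks, and the CMK test is a heuristic (see the comment on is_customer_managed).

```python
"""Offline evaluator for the SageMaker best-practice rules listed above.

Added example, not the page's own rule code. Each audit_* function takes a
dict in the shape of the matching boto3 sagemaker describe_* response and
returns the names of the rules that resource fails. Sample data is constructed.
"""
from typing import Dict, List


def is_customer_managed(key_id: str) -> bool:
    """Heuristic: AWS-managed keys are addressed through an 'alias/aws/...' alias.
    A definitive check calls kms.describe_key and requires
    KeyMetadata.KeyManager == 'CUSTOMER'; that network call is omitted here."""
    return bool(key_id) and "alias/aws/" not in key_id


def audit_notebook_instance(nb: Dict) -> List[str]:
    findings = []
    if not nb.get("SubnetId"):
        findings.append("Amazon SageMaker Notebook Instance In VPC")
    if not nb.get("RoleArn"):
        findings.append("Check for Missing Execution Role")
    # Both settings default to Enabled on CreateNotebookInstance.
    if nb.get("DirectInternetAccess", "Enabled") != "Disabled":
        findings.append("Disable Direct Internet Access for Notebook Instances")
    if nb.get("RootAccess", "Enabled") != "Disabled":
        findings.append("Disable Root Access for SageMaker Notebook Instances")
    if not is_customer_managed(nb.get("KmsKeyId", "")):
        findings.append("Notebook Data Encrypted With KMS Customer Managed Keys")
    return findings


def audit_training_job(job: Dict) -> List[str]:
    findings = []
    if not job.get("EnableInterContainerTrafficEncryption", False):
        findings.append("Enable Inter-Container Traffic Encryption")
    if not job.get("EnableNetworkIsolation", False):
        findings.append("Enable Network Isolation for SageMaker Training Jobs")
    # Volume encryption lives under ResourceConfig, output encryption under OutputDataConfig.
    vol_key = job.get("ResourceConfig", {}).get("VolumeKmsKeyId", "")
    out_key = job.get("OutputDataConfig", {}).get("KmsKeyId", "")
    if not (is_customer_managed(vol_key) and is_customer_managed(out_key)):
        findings.append("Output and Storage Volume Data Encrypted With KMS Customer Managed Keys")
    return findings


def audit_endpoint_config(cfg: Dict) -> List[str]:
    findings = []
    if not cfg.get("DataCaptureConfig", {}).get("EnableCapture", False):
        findings.append("Enable Data Capture for SageMaker Endpoints")
    if not is_customer_managed(cfg.get("KmsKeyId", "")):
        findings.append("Endpoints Encrypted With KMS Customer Managed Keys")
    return findings


def audit_model(model: Dict) -> List[str]:
    if model.get("EnableNetworkIsolation", False):
        return []
    return ["Enable Network Isolation for SageMaker Models"]


def audit_domain(domain: Dict) -> List[str]:
    # AppNetworkAccessType is 'PublicInternetOnly' (the default) or 'VpcOnly'.
    if domain.get("AppNetworkAccessType") == "VpcOnly":
        return []
    return ["Enable VPC Only for SageMaker Domains"]


# Constructed sample resources: one left at API defaults, one hardened.
DEFAULT_NOTEBOOK = {
    "NotebookInstanceName": "demo-default",
    "RoleArn": "arn:aws:iam::123456789012:role/SageMakerExecRole",
}
HARDENED_NOTEBOOK = {
    "NotebookInstanceName": "demo-hardened",
    "RoleArn": "arn:aws:iam::123456789012:role/SageMakerExecRole",
    "SubnetId": "subnet-0123456789abcdef0",
    "SecurityGroups": ["sg-0123456789abcdef0"],
    "DirectInternetAccess": "Disabled",
    "RootAccess": "Disabled",
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
}
DEFAULT_TRAINING_JOB = {
    "TrainingJobName": "demo-train",
    "ResourceConfig": {"InstanceType": "ml.m5.xlarge", "InstanceCount": 2},
    "OutputDataConfig": {"S3OutputPath": "s3://example-bucket/output"},
}

if __name__ == "__main__":
    for name, res, fn in [
        ("notebook demo-default", DEFAULT_NOTEBOOK, audit_notebook_instance),
        ("notebook demo-hardened", HARDENED_NOTEBOOK, audit_notebook_instance),
        ("training job demo-train", DEFAULT_TRAINING_JOB, audit_training_job),
    ]:
        for finding in fn(res) or ["(no findings)"]:
            print(f"{name}: {finding}")
```

To run this against a real account, feed it the output of the corresponding boto3 describe_* calls (for example `sagemaker.describe_notebook_instance(NotebookInstanceName=...)`) and resolve each KmsKeyId with `kms.describe_key` to replace the alias heuristic with a real KeyManager check.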