AWS SageMaker Best Practices

Best practice rules for Amazon SageMaker

• Amazon SageMaker Notebook Instance In VPC

  Ensure that Amazon SageMaker notebook instances are deployed into a VPC.

• Check for Missing Execution Role

  Ensure that SageMaker notebook instances are referencing active execution roles.

• Disable Direct Internet Access for Notebook Instances

  Ensure that direct internet access is disabled for SageMaker Studio notebook instances.

• Disable Root Access for SageMaker Notebook Instances

  Ensure that root access is disabled for Amazon SageMaker notebook instances.

• Enable Data Capture for SageMaker Endpoints

  Ensure that SageMaker endpoints are configured to capture log data useful for training, debugging, and monitoring.

• Enable Inter-Container Traffic Encryption

  Ensure that inter-container traffic encryption is enabled for your SageMaker training jobs.

• Enable Network Isolation for SageMaker Models

  Ensure that network isolation is enabled for your SageMaker models to prevent unauthorized access.

• Enable Network Isolation for SageMaker Training Jobs

  Ensure that network isolation is enabled for your SageMaker training jobs to prevent unauthorized access.

• Enable SageMaker Notebook Instance Data Encryption (Deprecated)

  Ensure that data available on Amazon SageMaker notebook instances is encrypted.

• Enable VPC Only for SageMaker Domains

  Enable and configure "VPC Only" mode for added security control of your SageMaker notebooks.

• Endpoints Encrypted With KMS Customer Managed Keys

  Ensure that SageMaker endpoints are using Amazon KMS Customer Managed Keys (CMKs) for data encryption.

• Notebook Data Encrypted With KMS Customer Managed Keys

  Ensure SageMaker notebook instance storage volumes are encrypted with Amazon KMS Customer Managed Keys (CMKs).

• Notebook in VPC Only Mode Can Access Required Resources

  Ensure that SageMaker notebook instances deployed into a VPC can access required resources.

• Output and Storage Volume Data Encrypted With KMS Customer Managed Keys

  Ensure that training job volume and output data is encrypted with Amazon KMS Customer Managed Keys (CMKs).