Logo of Trend Micro

Amazon SageMaker Notebook Instance In VPC

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: SageMaker-001

Ensure that your AWS SageMaker notebook instances are running inside a Virtual Private Cloud in order to able to access VPC-only resources such as Amazon EFS file systems, resources which cannot be accessed outside a VPC network. A SageMaker notebook instance is a Machine Learning (ML) compute instance running on Jupyter Notebook software.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Deploying and running your Amazon SageMaker notebook instances inside a VPC enables the instances to access all AWS resources available within that VPC using private IP addresses.

Audit

To determine if your Amazon SageMaker notebook instances are running within a VPC network, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SageMaker service dashboard at https://console.aws.amazon.com/sagemaker/.

03 In the navigation panel, under Notebook, choose Notebook instances.

04 Select the SageMaker notebook instance that you want to examine and click on the resource name (link) to access its configuration details.

05 On the selected instance configuration page, within Network section, check for any Virtual Private Cloud (VPC) network configuration details such as VPC subnet IDs and security group IDs. If none of these configuration details are available within the Network section, instead the following status is displayed: "No custom VPC settings applied.", the selected Amazon SageMaker notebook instance is not running inside a VPC network.

06 Repeat step no. 4 and 5 for each Amazon SageMaker notebook instance provisioned in the current AWS region.

07 Change the AWS region from the navigation bar to repeat the audit process for other regions.

Using AWS CLI

01 Run list-notebook-instances command (OSX/Linux/UNIX) to list the names of all SageMaker notebook instances available within the selected AWS region, in this case the US East (N. Virginia) region: 

aws sagemaker list-notebook-instances
	--region us-east-1
	--query 'NotebookInstances[*].NotebookInstanceName'

02 The command output should return the requested notebook instance names: 

[
    "cc-ml-application-instance",
    "cc-sagemaker-notebook-instance"
]

03 Run describe-notebook-instance command (OSX/Linux/UNIX) using the name of the SageMaker notebook instance that you want to examine as identifier and custom query filters to return the ID of the VPC subnet where the selected instance was deployed: 

aws sagemaker describe-notebook-instance
	--region us-east-1
	--notebook-instance-name cc-ml-application-instance
	--query 'SubnetId'

04 The command output should return the requested subnet ID or null if the instance was not deployed within a VPC subnet: 

null

If the describe-notebook-instance command output returns null, as shown in the example above, the selected Amazon SageMaker notebook instance is not running inside a Virtual Private Cloud (VPC) network.

05 Repeat step no. 3 and 4 for each AWS SageMaker notebook instance available in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire process for other regions.

Remediation / Resolution

To ensure that your AWS SageMaker notebook instances are running inside a VPC, you need to re-create these instances with the necessary network configuration. To deploy your AWS SageMaker notebook instance within a Virtual Private Cloud (VPC), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SageMaker service dashboard at https://console.aws.amazon.com/sagemaker/.

03 In the navigation panel, under Notebook, choose Notebook instances.

04 Click Create notebook instance button from the dashboard top-right menu to start the launch process.

05 On Create notebook instance page, within Notebook instance settings section, perform the following:

  1. In the Notebook instance name box, provide a unique name for the new AWS SageMaker notebook instance.
  2. From Notebook instance type dropdown list, select the same instance type as the source notebook instance, which is not running inside a VPC.
  3. From Notebook instance type dropdown list, choose the same IAM role as the one created for the source notebook instance.
  4. From VPC – optional dropdown list, select the ID of the VPC where you want to deploy your new SageMaker notebook instance. This would enable the instance to access VPC-only resources such as Amazon EFS file systems.
  5. From Subnet dropdown list, choose the ID of a subnet available within the VPC network selected at the previous step.
  6. From Security group(s) dropdown list, select one or more security groups based on your notebook instance access policy requirements.
  7. For Direct internet access, select Enable – use SageMaker-provided internet access option so that Amazon SageMaker can provide internet access to the new notebook instance.
  8. From Lifecycle configuration – optional dropdown list, select the available lifecycle configuration (if applicable) to customize your notebook environment with default scripts and plugins.
  9. From Encryption key – optional dropdown list, select the alias (name) of the AWS KMS key that you want to use for encrypting the notebook instance storage volumes.

06 In the Tags – optional section, create any required tags, based on the source notebook instance tagging scheme.

07 Click Create notebook instance to launch the new SageMaker notebook instance within the selected Virtual Private Cloud.

08 Once the notebook instance is created, copy the data from the source instance to the new (destination) instance.

09 Now you can remove the source SageMaker notebook instance from your AWS account to avoid further charges. To delete the necessary SageMaker instance, perform the following:

  1. Select the notebook instance that you want to remove (see Audit section part I to identify the right SageMaker resource).
  2. Click on the Actions dropdown menu and select the Delete option.
  3. Within Delete <notebook-instance-name> dialog box, click the Delete button to confirm the action.

10 Repeat steps no. 4 – 9 to deploy other non-VPC SageMaker notebook instances, provisioned in the current region, to a Virtual Private Cloud (VPC).

11 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-notebook-instance command (OSX/Linux/UNIX) using the name of the SageMaker notebook instance that you want to re-create as identifier (see Audit section part II to identify the right resource) to return the selected instance configuration metadata, information required later when the new instance is created: 

aws sagemaker describe-notebook-instance
	--region us-east-1
	--notebook-instance-name cc-ml-application-instance

02 The command output should return the selected instance configuration metadata: 

{
    "NotebookInstanceStatus": "InService",
    "Url": "cc-ml-application-instance.notebook.us-east-1.sagemaker.aws",
    "RoleArn": "arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionPolicy-20180921T204001",
    "NotebookInstanceName": "cc-ml-application-instance",
    "CreationTime": 1537512573.117,
    "NotebookInstanceArn": "arn:aws:sagemaker:us-east-1:123456789012:notebook-instance/cc-ml-application-instance",
    "LastModifiedTime": 1537514366.153,
    "InstanceType": "ml.t2.large"
}

03 Run create-notebook-instance command (OSX/Linux/UNIX) using the configuration metadata returned at the previous step to relaunch the source (non-VPC) SageMaker notebook instance (see Audit section part II to identify the right resource) into an AWS VPC network: 

aws sagemaker create-notebook-instance
	--region us-east-1
	--notebook-instance-name cc-ml-vpc-application-instance
	--instance-type ml.t2.large
	--role-arn arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionRole-20180921T204001
	--kms-key-id arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc
	--subnet-id subnet-1234abcd
	--security-group-ids sg-aabbccdd012345678

04 If successful, the command output should return the ARN of the new Amazon SageMaker notebook instance: 

{
   "NotebookInstanceArn": "arn:aws:sagemaker:us-east-1:123456789012:notebook-instance/cc-ml-vpc-application-instance"
}

05 Copy the data from the source notebook instance to the destination instance.

06 After your data is copied to the new instance, it is safe to remove the source SageMaker notebook instance in order to avoid unexpected AWS charges. To delete the instance, run delete-notebook-instance command (OSX/Linux/UNIX) using the name of the source notebook instance as identifier (the command does not produce an output): 

aws sagemaker delete-notebook-instance
	--region us-east-1
	--notebook-instance-name cc-ml-application-instance

07 Repeat steps no. 1 – 6 to deploy other non-VPC SageMaker notebook instances, available within the current region, to a Virtual Private Cloud (VPC).

08 Change the AWS region by updating the --region command parameter value and repeat the entire remediation process for other regions.

References

Publication date Oct 15, 2018

Related SageMaker rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Amazon SageMaker Notebook Instance In VPC

Risk level: Medium