
Enable VPC Only for SageMaker Domains

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)

Configure your SageMaker domains using the VPC Only network access type to enable fine-grained control on the network access to Amazon SageMaker Studio.

This rule can help you work with the AWS Well-Architected Framework.

Security

Amazon SageMaker provides two approaches to controlling network access to your notebooks: the default ‘Direct Internet Access’ approach and ‘VPC Only’ mode. When using the default direct internet access method, SageMaker manages your security and network traffic for you, which provides a simple approach but reduces your control. When using ‘VPC Only’ mode, the default direct internet access is disabled and you manage your VPCs, subnets and NAT gateways yourself. In both cases SageMaker provides built-in security controls to prevent external access; for example, it does not allow assigning an elastic IP directly to a notebook instance manually hosted in a public subnet.

However, to enhance your control within your AWS account and to enable fine-grained network control of your Amazon SageMaker instances, it is recommended to enable the VPC Only network access type for the associated SageMaker domain and configure your VPC resources accordingly. When the VPC Only mode is enabled, all SageMaker Studio traffic is routed through the specified VPC and its subnets, and Internet access is disabled by default. To enable secure Internet access, make sure that your VPC has a NAT gateway configured and the associated security group allows outbound connections. If you decide to use the default direct internet access approach, you can disable this rule.


Audit

To determine if the VPC Only mode is enabled for your Amazon SageMaker domains, perform the following actions:

Note: Checking Amazon SageMaker domain's configuration for network access using AWS Management Console is not currently supported.

Using AWS CLI

01 Run list-domains command (OSX/Linux/UNIX) to list the ID of the Amazon SageMaker domain created for the selected AWS region. A SageMaker domain consists of an associated Amazon EFS volume, a list of authorized users, and a variety of security, application, policy, and VPC network configurations. An AWS cloud account is limited to one domain per region:

aws sagemaker list-domains \
  --region us-east-1 \
  --query 'Domains[*].DomainId'

02 The command output should return the requested SageMaker domain identifier (ID):

[
	"d-abcd1234abcd"
]

03 Run describe-domain command (OSX/Linux/UNIX) using the ID of the Amazon SageMaker domain that you want to examine as the identifier parameter and custom query filters to describe the type of network access configured for the selected domain:

aws sagemaker describe-domain \
  --region us-east-1 \
  --domain-id "d-abcd1234abcd" \
  --query 'AppNetworkAccessType'

04 The command output should return the network access type used by the selected domain:

"PublicInternetOnly"

If the describe-domain command output returns "PublicInternetOnly", as shown in the output example above, the selected SageMaker domain is configured to allow public (default) internet access, therefore the Amazon SageMaker service provides public internet access to your Studio notebooks.

05 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the Audit process for other regions.
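
The audit steps above can be run across several regions in one pass. The script below is an added example, not part of the original Conformity rule; the function names audit_region and audit_regions are hypothetical, and it assumes the AWS CLI is installed with credentials allowed to call list-domains and describe-domain.

```bash
#!/usr/bin/env bash
# Added example (not Conformity code): report the network access type of every
# SageMaker domain in the given regions. Function names are hypothetical.
# Exit status: 0 = all domains VpcOnly, 1 = non-compliant domain, 2 = CLI error.

audit_region() {
  local region="$1" ids id access verdict rc=0
  # Step 01: list domain IDs (text output: whitespace-separated, empty if none)
  ids=$(aws sagemaker list-domains --region "$region" \
          --query 'Domains[*].DomainId' --output text) || return 2
  for id in $ids; do
    # Step 03: read the network access type of each domain
    access=$(aws sagemaker describe-domain --region "$region" \
               --domain-id "$id" --query 'AppNetworkAccessType' \
               --output text) || return 2
    if [ "$access" = "VpcOnly" ]; then
      verdict=PASS
    else
      verdict=FAIL   # e.g. PublicInternetOnly
      rc=1
    fi
    printf '%s\t%s\t%s\t%s\n' "$region" "$id" "$access" "$verdict"
  done
  return "$rc"
}

audit_regions() {
  local region r rc=0
  for region in "$@"; do
    r=0
    audit_region "$region" || r=$?
    if [ "$r" -gt "$rc" ]; then rc=$r; fi
  done
  return "$rc"
}

# Run only when regions are given, e.g.: ./audit.sh us-east-1 eu-west-1
if [ "$#" -gt 0 ]; then
  audit_regions "$@"
  exit $?
fi
```

The non-zero exit status on any FAIL line makes the script usable as a gate in a scheduled job or pipeline.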

Remediation / Resolution

To prevent Amazon SageMaker from providing Internet access to your SageMaker Studio notebooks, you must disable Internet access by configuring your SageMaker domain to use the VPC Only network access type. The VPC Only access type turns off default (public) Internet access and allows traffic through the specified VPC and subnets only. To configure VPC Only for your Amazon SageMaker domains, you must re-deploy your domains with the appropriate network access configuration by performing the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SageMaker console at https://console.aws.amazon.com/sagemaker/.

03 In the main navigation panel, choose Control Panel.

04 To delete your domain so that you can re-create it with the appropriate network configuration, you have to remove any user profiles created for that domain as well. Click on the name (link) of the SageMaker user that you want to delete, listed in the Users section.

05 Under Details, choose Edit to access the user profile configuration.

06 On the General settings page, choose Delete user to remove the selected user profile from your domain.

07 On the Delete user confirmation page, choose Yes, delete user, type delete in the appropriate field, and select Delete to confirm deletion.

08 Navigate back to the Control Panel page and repeat steps no. 4 – 7 to delete all the user profiles created for the selected domain.

09 In the Domain configuration box, choose the Settings button to access the domain's settings.

10 On the General settings page, choose Delete domain to remove the SageMaker domain from your AWS account.

11 On the Delete domain confirmation page, choose Yes, delete my Domain, type delete in the required field, and select Delete to confirm deletion.

12 To re-deploy your Amazon SageMaker domain with the VPC Only network access type, choose Getting started.

13 On the Getting started page, choose the Standard setup tab, and select Set up SageMaker Domain to initiate the setup process.

14 Choose Standard setup (10 min) and select Configure.

15 On the Setup SageMaker Domain page, perform the following operations:

  1. For Step 1 General settings, select the appropriate authentication method, choose the default execution role (use the existing role), and configure the network setting for the new domain. Once you have selected the appropriate VPC network, VPC subnets, and security groups, choose VPC Only - The SageMaker domain will use your VPC. Direct internet access is disabled. This will enable the VPC Only network access type. With VPC Only, the traffic is routed through the specified VPC and subnets and the Internet access is disabled by default. To allow internet access, make sure that your VPC network has a NAT gateway installed and your security group allows outbound connections. For more details about the VPC Only feature requirements, consult the Amazon SageMaker official documentation. (Optional) Select the name (alias) of the KMS key that you want to use for storage volumes encryption from the Encryption key – optional dropdown list. Choose Next to continue the setup process.
  2. For Step 2 Studio settings, configure the Studio IDE and the notebook sharing setting for your organization. Choose Next to continue.
  3. For Step 3 Canvas settings, configure SageMaker Canvas for your organization. Enabling Canvas permissions enables users to upload local files in SageMaker Canvas. Choose Next to continue.
  4. For Step 4 RStudio settings, configure the RStudio Workbench settings. Choose Submit to deploy your new Amazon SageMaker domain.

16 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 To delete your SageMaker domain in order to re-create it with the appropriate network configuration, you have to remove all user profiles created for that domain. Run delete-user-profile command (OSX/Linux/UNIX) to remove the specified user profile from the selected domain (the command does not produce an output). Repeat this step to delete all the user profiles created for the selected SageMaker domain:

aws sagemaker delete-user-profile \
  --region us-east-1 \
  --domain-id d-abcd1234abcd \
  --user-profile-name cc-sagemaker-user

02 Run delete-domain command (OSX/Linux/UNIX) to remove the Amazon SageMaker domain from your AWS account (the command does not produce an output):

aws sagemaker delete-domain \
  --region us-east-1 \
  --domain-id d-abcd1234abcd

03 To re-deploy your Amazon SageMaker domain with the VPC Only network access type, run create-domain command (OSX/Linux/UNIX). To enable the VPC Only mode for the new domain, use VpcOnly for the --app-network-access-type parameter value, as shown in the example below. With VPC Only, the traffic is routed through the VPC and the VPC subnets specified for the --default-user-settings parameter, and the Internet access is disabled by default. To allow internet access, make sure that your VPC has a NAT gateway installed and the associated security group allows outbound connections. For more details about the VPC Only feature requirements, consult the Amazon SageMaker documentation:

aws sagemaker create-domain \
	--region us-east-1 \
	--domain-name cc-sagemaker-private-domain \
	--auth-mode IAM \
	--subnet-ids subnet-0abcd1234abcd1234 subnet-01234abcd1234abcd \
	--vpc-id vpc-0abcdabcdabcdabcd \
	--app-network-access-type VpcOnly \
	--default-user-settings '{
		"ExecutionRole": "arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionRole-123456789012345",
		"SecurityGroups": [
			"sg-01234123412341234"
		],
		"JupyterServerAppSettings": {
			"DefaultResourceSpec": {
				"SageMakerImageArn": "arn:aws:sagemaker:us-east-1:081325390199:image/jupyter-server",
				"InstanceType": "system"
			}
		}
	}'

04 The command output should return the ARN and the full URL of the new SageMaker domain:

{
	"DomainArn": "arn:aws:sagemaker:us-east-1:123456789012:domain/d-abcd1234abcd",
	"Url": "https://d-abcd1234abcd.studio.us-east-1.sagemaker.aws"
}

05 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Jan 15, 2024
