Configure your SageMaker domains using the VPC Only network access type to enable fine-grained control on the network access to Amazon SageMaker Studio.
This rule can help you work with the AWS Well-Architected Framework.
Amazon SageMaker provides two approaches to controlling network access to your notebooks: the default ‘Direct Internet Access’ approach and ‘VPC Only’ mode. With the default direct internet access method, SageMaker manages your security and network traffic for you, which is simple but reduces your control. In ‘VPC Only’ mode, the default direct internet access is disabled and you manage your VPCs, subnets and NAT gateways yourself. In both cases SageMaker provides built-in security controls to prevent external access; for example, it does not allow an Elastic IP to be assigned directly to a notebook instance manually hosted in a public subnet. However, to enhance your control within your AWS account and to enable fine-grained network control of your Amazon SageMaker instances, it is recommended to enable the VPC Only network access type for the associated SageMaker domain and to configure your VPC resources accordingly. When VPC Only mode is enabled, all SageMaker Studio traffic is routed through the specified VPC and its subnets, and Internet access is disabled by default. To enable secure Internet access, make sure that your VPC has a NAT gateway configured and that the associated security group allows outbound connections. If you decide to follow the default direct internet access approach, you can disable this rule.
Audit
To determine if the VPC Only mode is enabled for your Amazon SageMaker domains, perform the following actions:
Note: Checking an Amazon SageMaker domain's network access configuration using the AWS Management Console is not currently supported.
Remediation / Resolution
To prevent Amazon SageMaker from providing Internet access to your SageMaker Studio notebooks, you must disable Internet access by configuring your SageMaker domain to use the VPC Only network access type. The VPC Only access type turns off default (public) Internet access and allows traffic through the specified VPC and subnets only. To configure VPC Only for your Amazon SageMaker domains, you must re-deploy your domains with the appropriate network access configuration by performing the following actions:
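The following script is an added example (not Conformity's or AWS's own code) covering both the Audit and the Remediation steps above. It evaluates the JSON that `aws sagemaker describe-domain` (or the boto3 `describe_domain` call) returns for each domain id from `list-domains`, flags domains whose `AppNetworkAccessType` is not `VpcOnly` together with missing VPC, subnet or security-group settings, and, for a non-compliant domain, assembles the `aws sagemaker create-domain` invocation that re-deploys it with VPC Only access while keeping its name, auth mode and execution role. The domain ids, VPC/subnet/security-group ids and role ARN in `SAMPLE_DOMAINS` are constructed sample values, not real resources.

```python
"""Audit SageMaker domains for VPC Only access and build the re-deploy command.

Added example, not code from the page or from AWS. Input dictionaries have the
shape of `aws sagemaker describe-domain` output; the sample below is
constructed and references no real AWS resources.
"""
import json
import shlex

VPC_ONLY = "VpcOnly"           # compliant AppNetworkAccessType value
PUBLIC = "PublicInternetOnly"  # the default Direct Internet Access mode


def evaluate_domain(domain: dict) -> dict:
    """Return compliance findings for one describe-domain result.

    Besides the access type itself, the checks cover the VPC resources that
    VPC Only mode depends on: a VPC, at least one subnet and a security group
    on the default user settings, because once direct internet access is off
    Studio apps can only reach resources through those.
    """
    findings = []
    access_type = domain.get("AppNetworkAccessType", PUBLIC)
    if access_type != VPC_ONLY:
        findings.append(f"AppNetworkAccessType is {access_type}, expected {VPC_ONLY}")
    if not domain.get("VpcId"):
        findings.append("no VpcId configured")
    if not domain.get("SubnetIds"):
        findings.append("no SubnetIds configured")
    if not domain.get("DefaultUserSettings", {}).get("SecurityGroups"):
        findings.append("DefaultUserSettings has no SecurityGroups")
    return {
        "DomainId": domain.get("DomainId"),
        "DomainName": domain.get("DomainName"),
        "Compliant": not findings,
        "Findings": findings,
    }


def audit_domains(domains: list) -> list:
    """Evaluate every describe-domain result (one per id from list-domains)."""
    return [evaluate_domain(d) for d in domains]


def create_domain_command(domain: dict, vpc_id: str, subnet_ids: list,
                          security_groups: list) -> str:
    """Build the `aws sagemaker create-domain` command that re-deploys a domain
    with VPC Only access, preserving its name, auth mode and default user
    settings. The caller chooses the VPC, subnets and security groups; the
    old domain must be deleted separately (delete-user-profile, delete-domain)
    before a domain with the same name can be created again.
    """
    user_settings = dict(domain.get("DefaultUserSettings", {}))
    user_settings["SecurityGroups"] = list(security_groups)
    argv = [
        "aws", "sagemaker", "create-domain",
        "--domain-name", domain["DomainName"],
        "--auth-mode", domain["AuthMode"],
        "--app-network-access-type", VPC_ONLY,
        "--vpc-id", vpc_id,
        "--subnet-ids", *subnet_ids,
        "--default-user-settings", json.dumps(user_settings),
    ]
    return shlex.join(argv)  # shell-safe quoting of the JSON argument


# Constructed describe-domain outputs (sample values only).
SAMPLE_DOMAINS = [
    {
        "DomainId": "d-example1111111",
        "DomainName": "studio-public",
        "AuthMode": "IAM",
        "Status": "InService",
        "AppNetworkAccessType": "PublicInternetOnly",
        "DefaultUserSettings": {
            "ExecutionRole": "arn:aws:iam::123456789012:role/ExampleSageMakerRole"
        },
        "VpcId": "vpc-0example00000001",
        "SubnetIds": ["subnet-0example0000001"],
    },
    {
        "DomainId": "d-example2222222",
        "DomainName": "studio-vpc-only",
        "AuthMode": "IAM",
        "Status": "InService",
        "AppNetworkAccessType": "VpcOnly",
        "DefaultUserSettings": {
            "ExecutionRole": "arn:aws:iam::123456789012:role/ExampleSageMakerRole",
            "SecurityGroups": ["sg-0example000000001"],
        },
        "VpcId": "vpc-0example00000001",
        "SubnetIds": ["subnet-0example0000001", "subnet-0example0000002"],
    },
]

if __name__ == "__main__":
    for result in audit_domains(SAMPLE_DOMAINS):
        print(json.dumps(result, indent=2))
        if not result["Compliant"]:
            src = next(d for d in SAMPLE_DOMAINS if d["DomainId"] == result["DomainId"])
            print("Re-deploy with:", create_domain_command(
                src, src["VpcId"], src["SubnetIds"], ["sg-0example000000001"]))
```

To run it against a live account, replace `SAMPLE_DOMAINS` with the parsed output of `aws sagemaker describe-domain --domain-id <id>` for each id returned by `aws sagemaker list-domains`; the checker reads only the fields shown in the sample, so other keys in the real output are ignored.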
References
- AWS Documentation
  - Amazon SageMaker FAQs
  - Infrastructure Security in Amazon SageMaker
  - Connect SageMaker Studio Classic Notebooks in a VPC to External Resources
  - CreateDomain
- AWS Command Line Interface (CLI) Documentation
  - sagemaker
  - list-domains
  - describe-domain
  - delete-user-profile
  - delete-domain
  - create-domain
Rule: Enable VPC Only for SageMaker Domains
Risk Level: Medium