Ensure that SageMaker is placed in VPC

A SageMaker notebook instance is a Machine Learning (ML) compute instance running on Jupyter Notebook software. You can connect to your notebook instance from your VPC through an interface endpoint in your Virtual Private Cloud (VPC), instead of connecting over the internet. Ensure that your AWS SageMaker notebook instances placed in the VPC, to only access VPC resources for. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.

Risk Level: Medium
Cloud Entity: Amazon SageMaker
CloudGuard Rule ID: D9.AWS.NET.48
Covered by Spectral: Yes
Category: Machine learning

GSL LOGIC

SageMakerNotebook should have vpc

REMEDIATION

From Portal:
There is no possibility to move existing SageMaker notebook under VPC if they were not created inside VPC. To ensure that your AWS SageMaker notebook instances are running inside a VPC, you need to re-create the instance. Use following steps to create new notebook instance and deploy it under a VPC.

  1. Open the Amazon SageMaker console at https://console.aws.amazon.com/sagemaker/.
  2. Choose Notebook instances, and then choose Create notebook instance.
  3. On the Create notebook instance page, provide the following information (if a field is not mentioned, leave the default values).
    a. For Notebook instance name, type a name for your notebook instance.
    b. For Notebook Instance type, choose ml.t2.medium. This is the least expensive instance type that notebook instances support, and it suffices for this exercise. If a ml.t2.medium instance type isn't available in your current AWS Region, choose ml.t3.medium.
    c. For Platform Identifier, choose a platform type to create the notebook instance on. This platform type dictates the Operating System and the JupyterLab version that your notebook instance is created with. For information about platform identifier type, see Amazon Linux 2 vs Amazon Linux notebook instances. For information about JupyterLab versions, see JupyterLab versioning.
    d. For IAM role, choose Create a new role, and then choose Create role. This IAM role automatically gets permissions to access any S3 bucket that has sagemaker in the name. It gets these permissions through the AmazonSageMakerFullAccess policy, which SageMaker attaches to the role.
    e. For VPC configuration under Network tab, Select the ID of the Virtual Private Cloud (VPC) where you want to deploy your new notebook instance from the VPC - optional dropdown list.
    f. Choose Create notebook instance.

From TF:
Use subnet_id field to place Sagemaker instance under VPC.

resource "aws_sagemaker_notebook_instance" "example_name" {
	name          = example_name
	role_arn      = sagemaker_role_arn
	instance_type = instance_type
	security_groups = aws_security_group_sg_id
	subnet_id = VPC_subnet_id
	
	tags = {
		Name = "SageMaker"
	}
}

From Command Line:
Use following command to create SageMaker notebook instance using a VPC network. You need to enter the ID of the VPC subnet that you want to use for your instance and the ID of the security group required for access control.

Note: If you specified SubnetId, SageMaker creates a network interface in your own VPC, which is inferred from the subnet ID that you provide in the input. When creating this network interface, SageMaker attaches the security group that you specified in the request to the network interface that it creates in your VPC. The security groups must be for the same VPC as specified in the subnet.

aws sagemaker create-notebook-instance --region region_name --notebook-instance-name example_instance_name --instance-type type_of_instance --role-arn AmazonSageMaker_ExecutionRole_arn --kms-key-id kms_key_arn --subnet-id subnet_id --security-group-ids sg_ID

References:

  1. https://docs.aws.amazon.com/sagemaker/latest/dg/gs-setup-working-env.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_notebook_instance
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sagemaker/create-notebook-instance.html

Amazon SageMaker

Amazon SageMaker provides every developer and data scientist with the ability to build, train, and deploy machine learning models quickly. Amazon SageMaker is a fully-managed service that covers the entire machine learning workflow to label and prepare your data, choose an algorithm, train the model, tune and optimize it for deployment, make predictions, and take action.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset