Description: 

This policy ensures that all Amazon SageMaker Notebook instances are configured to use a VPC. This helps to protect the notebook instances from unauthorized access and to control the network traffic that they can send and receive. 


Rationale: 

By default, Amazon SageMaker Notebook instances are not configured to use a VPC. This means that they are accessible from the public internet, which could allow unauthorized access. Configuring notebook instances to use a VPC helps to protect them from this risk. 


Impact: 

If this policy is not followed, notebook instances could be accessible from the public internet. This could allow unauthorized users to access the notebook instances and the data that they contain. 


Default Value: 

AWS recommends that all Amazon SageMaker Notebook instances be configured to use a VPC. 


Prerequisites: 

To follow this policy, you will need to have access to the Amazon SageMaker console. You will also need to know the VPC that you want to use for the notebook instances. 


Remediation Steps: 


Test Plan: 

To test that root access has been disabled on a notebook instance: 

  • Try to log in to the instance as the root user. 
  • If you cannot log in, root access has been disabled successfully.


AWS Console Process:

To follow this policy using the AWS console, you can perform the following steps:

  • Log in to the AWS Management Console. 
  • Go to the Amazon SageMaker console. 
  • In the left navigation pane, choose Notebook instances. 
  • Select the notebook instance that you want to disable root access for. 
  • In the Actions menu, choose Edit notebook instance. 
  • In the Root access section, select Disabled. 
  • Choose Save.


AWS CLI Process:

The following script uses the AWS SDK for Python (boto3). A notebook instance's subnet is set when the instance is created, and the UpdateNotebookInstance API has no VPC parameters, so an instance that is not in a VPC is replaced by creating one with the VPC settings in place.

Import the AWS SDK for Python (boto3).

Get the SageMaker client.

Get the name of the notebook instance.

Get the subnet ID within the VPC.

Get the security group IDs.

Configure the notebook instance to use the VPC.

# Import the AWS SDK for Python (boto3)
import boto3

# Get the SageMaker client
sagemaker = boto3.client('sagemaker')

# Get the name of the notebook instance
notebook_instance_name = 'my-notebook-instance'

# Get the subnet ID within the VPC (placeholder; the subnet determines the VPC)
subnet_id = 'subnet-1234567890abcdef'

# Get the security group IDs that control the instance's traffic (placeholder)
security_group_ids = ['sg-1234567890abcdef']

# Configure the notebook instance to use the VPC. SubnetId can only be set at
# creation time, so the instance is created with the VPC settings in place.
response = sagemaker.create_notebook_instance(
    NotebookInstanceName=notebook_instance_name,
    InstanceType='ml.t3.medium',  # placeholder instance type
    RoleArn='arn:aws:iam::123456789012:role/SageMakerExecutionRole',  # placeholder
    SubnetId=subnet_id,
    SecurityGroupIds=security_group_ids
)

# Print the response
print(response)
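The process above configures a single instance. As an added example that is not part of this policy text, the following audit script evaluates the DescribeNotebookInstance fields this policy concerns (SubnetId, SecurityGroups, DirectInternetAccess and the RootAccess setting from the console steps) and reports every non-compliant instance in a region; the sample responses are constructed, and the boto3 call is only made when audit_region is invoked.

```python
# Audit SageMaker notebook instances for VPC placement. Added example, not part
# of the original policy text; the sample responses below are constructed.


def evaluate_notebook(desc):
    """Return findings for one DescribeNotebookInstance response (empty = compliant)."""
    findings = []
    name = desc.get("NotebookInstanceName", "<unnamed>")
    # No SubnetId means the instance was created outside any customer VPC.
    if not desc.get("SubnetId"):
        findings.append(f"{name}: not attached to a VPC (no SubnetId)")
    elif not desc.get("SecurityGroups"):
        findings.append(f"{name}: in a VPC but has no security groups")
    # Direct internet access bypasses the VPC's egress controls (default Enabled).
    if desc.get("DirectInternetAccess", "Enabled") == "Enabled":
        findings.append(f"{name}: DirectInternetAccess is Enabled")
    # Root access is the related control covered by the console steps above.
    if desc.get("RootAccess", "Enabled") == "Enabled":
        findings.append(f"{name}: RootAccess is Enabled")
    return findings


def audit_region(region_name):
    """Evaluate every notebook instance in one region (live AWS calls)."""
    import boto3  # imported here so the module loads without boto3 installed

    sagemaker = boto3.client("sagemaker", region_name=region_name)
    findings = []
    for page in sagemaker.get_paginator("list_notebook_instances").paginate():
        for item in page["NotebookInstances"]:
            desc = sagemaker.describe_notebook_instance(
                NotebookInstanceName=item["NotebookInstanceName"])
            findings.extend(evaluate_notebook(desc))
    return findings


# Constructed sample responses in the shape of DescribeNotebookInstance output.
SAMPLE_PUBLIC = {"NotebookInstanceName": "nb-public",
                 "DirectInternetAccess": "Enabled", "RootAccess": "Enabled"}
SAMPLE_VPC = {"NotebookInstanceName": "nb-vpc", "SubnetId": "subnet-0a1b2c3d",
              "SecurityGroups": ["sg-0a1b2c3d"],
              "DirectInternetAccess": "Disabled", "RootAccess": "Disabled"}

if __name__ == "__main__":
    for sample in (SAMPLE_PUBLIC, SAMPLE_VPC):
        print(sample["NotebookInstanceName"], evaluate_notebook(sample) or "compliant")
```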

Implementation Plan:


The implementation plan for this policy is to follow the remediation steps outlined above. This can be done manually or by using the AWS CLI.


Backout Plan: 

The backout plan for this policy is to revert the changes made to the notebook instance's configuration. This can be done by following the steps outlined in the Test Plan section.


Note: 

This policy does not apply to notebook instances that are created using the Amazon SageMaker Studio environment.

For more information about Amazon SageMaker VPC settings, see the Amazon SageMaker documentation.


Reference:

https://docs.aws.amazon.com/sagemaker/latest/dg/host-vpc.html