Description:
This policy ensures that all Amazon SageMaker Models have VPC settings configured. This helps to protect the models from unauthorized access and to control the network traffic that they can send and receive.
Rationale:
By default, Amazon SageMaker Models are not configured with VPC settings. This means that they are accessible from the public internet, which could allow unauthorized access. Configuring VPC settings for models helps to protect them from this risk.
Impact:
If this policy is not followed, models could be accessible from the public internet. This could allow unauthorized users to access the models and the data that they contain.
Default Value:
AWS recommends that all Amazon SageMaker Models have VPC settings configured.
Pre-Requisite:
To follow this policy, you will need to have access to the Amazon SageMaker console. You will also need to know the VPC that you want to use for the models.
Remediation Steps:
- In the Amazon SageMaker console, go to the Models page.
- Click on the name of the model that you want to configure.
- In the Network section, select the VPC settings tab.
- In the VPC field, select the VPC that you want to use for the model.
- In the Subnets field, select the subnets that you want to use for the model.
- Click on the Save button.
Test Plan:
- To verify that the model has VPC settings configured, go to the Network section of the model's configuration page.
- The VPC field should show the VPC that you configured for the model.
- The Subnets field should show the subnets that you configured for the model.
Using AWS GUI:
- Go to the Amazon SageMaker console.
- Click on the Models page.
- Click on the name of the model that you want to configure.
- In the Network section, select the VPC settings tab.
- In the VPC field, select the VPC that you want to use for the model.
- In the Subnets field, select the subnets that you want to use for the model.
- Click on the Save button.
Using AWS CLI:
- Import the AWS CLI library.
- Get the SageMaker client.
- Get the name of the model.
- Get the VPC ID.
- Get the subnet IDs.
- Configure the model to use a VPC.
# Import the AWS CLI library import boto3 # Get the SageMaker client sagemaker = boto3.client('sagemaker') # Get the name of the model model_name = 'my-model' # Get the VPC ID vpc_id = 'vpc-1234567890abcdef' # Get the subnet IDs subnet_ids = ['subnet-1234567890abcdef', 'subnet-fedcba9876543210'] # Configure the model to use a VPC response = sagemaker.update_model( ModelName=model_name, VpcConfig=dict( VpcId=vpc_id, Subnets=subnet_ids ) ) # Print the response print(response)
Implementation Plan:
The implementation plan for this policy is to follow the remediation steps outlined above. This can be done manually or by using the AWS CLI.
Backout Plan:
The backout plan for this policy is to revoke the changes that were made to the model's configuration. This can be done by following the steps outlined in the Test Plan
section.
Note:
- For more information about Amazon SageMaker VPC settings, see the Amazon SageMaker documentation: https://docs.aws.amazon.com/sagemaker/latest/dg/host-vpc.html
Reference:
https://docs.aws.amazon.com/sagemaker/latest/dg/host-vpc.html