Description:

This policy ensures that all Amazon SageMaker Training jobs have network isolation enabled. This helps to protect the data that is used during training from unauthorized access.


Rationale:

By default, Amazon SageMaker Training jobs do not have network isolation enabled. This means that the data that is used during training is accessible to all other instances in the same VPC. This could allow unauthorized users to access the data. Enabling network isolation helps to protect the data from this risk.


Impact:

If this policy is not followed, the data that is used during training could be accessed by unauthorized users. This could lead to the disclosure of sensitive information, such as training data or model parameters.


Default Value:

AWS recommends that all Amazon SageMaker Training jobs have network isolation enabled.


Pre-Requisite:

To follow this policy, you will need to have access to the Amazon SageMaker console and a VPC that you want to use for network isolation.

Remediation Steps:

  • In the Amazon SageMaker console, go to the Training jobs page.
  • Click on the name of the training job that you want to configure.
  • In the Advanced section, select the Enable network isolation checkbox.
  • In the VPC ID field, enter the ID of the VPC that you want to use for network isolation.
  • Click on the Save button.


Test Plan:

  • To verify that the training job has network isolation enabled, go to the Advanced section of the training job's configuration page.
  • The Enable network isolation checkbox should be selected.
  • The VPC ID field should show the ID of the VPC that you used for network isolation.


Using AWS GUI:

  • Go to the Amazon SageMaker console.
  • Click on the Training jobs page.
  • Click on the name of the training job that you want to configure.
  • In the Advanced section, select the Enable network isolation checkbox.
  • In the VPC ID field, enter the ID of the VPC that you want to use for network isolation.
  • Click on the Save button.


Using AWS CLI:

  • Import the AWS CLI library.
  • Get the SageMaker client.
  • Get the name of the training job.
  • Enable network isolation for the training job.
# Import the AWS SDK for Python (boto3), which these steps rely on
import boto3

# Get the SageMaker client
sagemaker = boto3.client('sagemaker')

# Get the name of the training job
training_job_name = 'my-training-job'

# Enable network isolation for the training job.
# The setting is fixed when the job is created: update_training_job does not
# accept EnableNetworkIsolation, and VpcConfig takes subnets and security
# groups rather than a bare VPC ID. The bracketed values are placeholders.
response = sagemaker.create_training_job(
    TrainingJobName=training_job_name,
    AlgorithmSpecification={'TrainingImage': '<training-image-uri>',
                            'TrainingInputMode': 'File'},
    RoleArn='<sagemaker-execution-role-arn>',
    OutputDataConfig={'S3OutputPath': 's3://<bucket>/output/'},
    ResourceConfig={'InstanceType': 'ml.m5.xlarge', 'InstanceCount': 1,
                    'VolumeSizeInGB': 30},
    StoppingCondition={'MaxRuntimeInSeconds': 3600},
    EnableNetworkIsolation=True,
    VpcConfig={'Subnets': ['subnet-1234567890abcdef'],
               'SecurityGroupIds': ['sg-1234567890abcdef']},
)

# Print the response
print(response)
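The Test Plan above checks one job by hand in the console; the following added helper (example code written for this page, not part of the policy or of AWS tooling) applies the same check across an account with the SDK. It assumes boto3 and AWS credentials only for audit_account(); the evaluation logic runs on plain describe_training_job-style dicts, and the sample jobs are constructed.

```python
# Added audit helper (not part of the original policy or AWS's own tooling).
# It applies the Test Plan check programmatically: a training job passes only
# if describe_training_job reports EnableNetworkIsolation as True.
# boto3 and AWS credentials are assumed only for audit_account().
from typing import Iterable

try:
    import boto3
except ImportError:
    boto3 = None  # evaluate_job/non_compliant still work without it


def evaluate_job(job: dict) -> dict:
    """Judge one describe_training_job-style response against the policy."""
    isolated = bool(job.get("EnableNetworkIsolation", False))
    vpc = job.get("VpcConfig") or {}  # API reports Subnets/SecurityGroupIds
    return {
        "TrainingJobName": job.get("TrainingJobName", "<unknown>"),
        "Compliant": isolated,
        "Subnets": list(vpc.get("Subnets", [])),
        "SecurityGroupIds": list(vpc.get("SecurityGroupIds", [])),
        "Finding": "" if isolated else "EnableNetworkIsolation is not set",
    }


def non_compliant(jobs: Iterable[dict]) -> list:
    """Return the evaluation of every job that fails the policy."""
    return [r for r in map(evaluate_job, jobs) if not r["Compliant"]]


def audit_account(region_name: str = "us-east-1") -> list:
    """Live audit: page through every training job and describe each one."""
    sm = boto3.client("sagemaker", region_name=region_name)
    pages = sm.get_paginator("list_training_jobs").paginate()
    described = (
        sm.describe_training_job(TrainingJobName=s["TrainingJobName"])
        for page in pages
        for s in page["TrainingJobSummaries"]
    )
    return non_compliant(described)


# Constructed sample responses in the shape of describe_training_job output.
SAMPLE_JOBS = [
    {"TrainingJobName": "job-isolated", "EnableNetworkIsolation": True,
     "VpcConfig": {"Subnets": ["subnet-EXAMPLE"],
                   "SecurityGroupIds": ["sg-EXAMPLE"]}},
    {"TrainingJobName": "job-open", "EnableNetworkIsolation": False},
]
```

Running non_compliant(SAMPLE_JOBS) offline reports only job-open; audit_account() performs the same evaluation against every training job the credentials can describe.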

Implementation Plan:
The implementation plan for this policy is to follow the remediation steps outlined above. This can be done manually or by using the AWS CLI.

Backout Plan:
The backout plan for this policy is to revoke the changes that were made to the training job's configuration. This can be done by following the steps outlined in the Test Plan section.

Note:
For more information about Amazon SageMaker network isolation, see the Amazon SageMaker documentation: https://docs.aws.amazon.com/sagemaker/latest/dg/train-vpc.html

Reference:
https://docs.aws.amazon.com/sagemaker/latest/dg/train-vpc.html