Description:
This policy ensures that all Amazon SageMaker Notebook instances are configured with VPC settings. This helps to protect notebook instances from unauthorized access and to ensure that they can only communicate with resources that are within the VPC.

Rationale: 

Notebook instances are often used to store sensitive data and to run code that interacts with other AWS services. By configuring notebook instances with VPC settings, we can help to protect this data and to ensure that notebook instances are only able to communicate with authorized resources.

Impact: 

If notebook instances are not configured with VPC settings, they will be able to communicate with any resource on the internet. This could expose sensitive data and could allow unauthorized users to access the notebook instances.

Default Value: 

By default, AWS creates notebook instances without VPC settings (no VPC is attached). This is not a secure configuration.


Pre-Requisite: 

To follow this policy, you will need to have access to the AWS Management Console and to the IAM console. You will also need to know the VPC ID and subnet IDs that you want to use for your notebook instances.


Remediation Steps

  • Go to the AWS Management Console and open the Amazon SageMaker console.
  • Click on the "Notebook instances" tab.
  • Select the notebook instance that you want to configure.
  • Click on the "Network" tab.
  • In the "VPC settings" section, select the "Enable VPC" checkbox.
  • Enter the VPC ID and subnet IDs that you want to use for your notebook instance.
  • Click on the "Save" button.


Test Plan

  • To test that the VPC settings have been configured correctly, you can try to access the notebook instance from within the VPC.
  • You can also try to access the notebook instance from outside the VPC; if that access fails, the VPC settings have been configured correctly.
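The connectivity checks above are manual. As an added example (not part of this policy document or of AWS's own tooling), the script below audits every notebook instance in an account by evaluating the DescribeNotebookInstance response: an instance is treated as compliant when it has a SubnetId and at least one security group. It also flags DirectInternetAccess, a field of that response, as a secondary finding, because a VPC-attached instance with direct internet access enabled can still reach the internet through the SageMaker service rather than through the VPC. The sample descriptions are constructed; the boto3 call is only made when you run the script against a live account, which assumes credentials with sagemaker:ListNotebookInstances and sagemaker:DescribeNotebookInstance.

```python
"""Audit Amazon SageMaker notebook instances for VPC attachment.

Added example, not part of the original policy. It classifies
DescribeNotebookInstance responses; live retrieval via boto3 is optional.
"""
from typing import Dict, List, Optional

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


def evaluate_notebook(desc: Dict) -> Dict:
    """Classify one DescribeNotebookInstance response dict."""
    name = desc.get("NotebookInstanceName", "<unknown>")
    subnet = desc.get("SubnetId")
    security_groups = desc.get("SecurityGroups") or []
    # Assumption: treat a missing field as "Enabled", the value AWS uses for
    # instances created without a VPC.
    direct_internet = desc.get("DirectInternetAccess", "Enabled")

    reasons = []
    if not subnet:
        reasons.append("no SubnetId: instance is not attached to a VPC")
    if not security_groups:
        reasons.append("no SecurityGroups attached")
    status = NON_COMPLIANT if reasons else COMPLIANT

    # Secondary finding: the instance is in a VPC, but direct internet
    # access lets traffic bypass the VPC's egress controls.
    warnings = []
    if status == COMPLIANT and direct_internet == "Enabled":
        warnings.append("DirectInternetAccess is Enabled; egress can bypass the VPC")

    return {
        "name": name,
        "status": status,
        "subnet_id": subnet,
        "security_groups": list(security_groups),
        "reasons": reasons,
        "warnings": warnings,
    }


def audit(descriptions: List[Dict]) -> List[Dict]:
    """Evaluate a list of DescribeNotebookInstance responses."""
    return [evaluate_notebook(d) for d in descriptions]


def non_compliant_names(results: List[Dict]) -> List[str]:
    """Names of instances that fail the VPC requirement."""
    return [r["name"] for r in results if r["status"] == NON_COMPLIANT]


def fetch_descriptions(region_name: Optional[str] = None) -> List[Dict]:
    """Retrieve live descriptions with boto3 (needs credentials and the
    sagemaker:ListNotebookInstances / DescribeNotebookInstance permissions)."""
    import boto3  # imported lazily so the evaluation logic runs offline

    client = boto3.client("sagemaker", region_name=region_name)
    descriptions = []
    for page in client.get_paginator("list_notebook_instances").paginate():
        for nb in page["NotebookInstances"]:
            descriptions.append(
                client.describe_notebook_instance(
                    NotebookInstanceName=nb["NotebookInstanceName"]
                )
            )
    return descriptions


# Constructed sample responses (IDs are placeholders, not real resources).
SAMPLE_DESCRIPTIONS = [
    {"NotebookInstanceName": "nb-in-vpc", "SubnetId": "subnet-0example1",
     "SecurityGroups": ["sg-0example1"], "DirectInternetAccess": "Disabled"},
    {"NotebookInstanceName": "nb-no-vpc", "DirectInternetAccess": "Enabled"},
    {"NotebookInstanceName": "nb-vpc-direct", "SubnetId": "subnet-0example2",
     "SecurityGroups": ["sg-0example2"], "DirectInternetAccess": "Enabled"},
]


if __name__ == "__main__":
    for result in audit(SAMPLE_DESCRIPTIONS):
        print(result["name"], result["status"],
              "; ".join(result["reasons"] + result["warnings"]))
```

Replace `SAMPLE_DESCRIPTIONS` with `fetch_descriptions()` to run the same evaluation against a real account; any name returned by `non_compliant_names` is a candidate for the remediation steps in this policy.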


Using AWS GUI:

  • Go to the AWS Management Console and open the Amazon SageMaker console.
  • Click on the "Notebook instances" tab.
  • Select the notebook instance that you want to configure.
  • Click on the "Network" tab.
  • In the "VPC settings" section, select the "Enable VPC" checkbox.
  • Enter the VPC ID and subnet IDs that you want to use for your notebook instance.
  • Click on the "Save" button.


Backout Plan

  • To back out of this policy, you can disable the VPC settings for the notebook instance.
  • To do this, go to the AWS Management Console and open the Amazon SageMaker console.
  • Click on the "Notebook instances" tab.
  • Select the notebook instance that you want to configure.
  • Click on the "Network" tab.
  • In the "VPC settings" section, unselect the "Enable VPC" checkbox.
  • Click on the "Save" button.


Note:


Reference:

  • Amazon SageMaker documentation on VPC settings: https://docs.aws.amazon.com/sagemaker/latest/dg/host-vpc.html