iCompaas Support

Profile Applicability:

• Level 1

Description:

Amazon SageMaker provides fully managed Jupyter notebook environments for data scientists and developers to build, train, and deploy machine learning models. Root access to these SageMaker Notebook Instances can pose a security risk, as it grants full control over the instance. Disabling root access ensures that users can only access their designated environments without the ability to modify system-level configurations. This SOP ensures that SageMaker Notebook Instances have root access disabled for security and compliance.

Rationale:

• Security: Disabling root access ensures that users cannot inadvertently or maliciously make system-level changes, thus reducing the risk of unauthorized access or configuration changes that could affect the integrity of the environment.

• Compliance: Many compliance frameworks, such as SOC 2 and HIPAA, require enforcing strict access controls, including limiting root access to critical systems.

• Best Practices: Limiting access to only necessary resources and environments reduces the attack surface and follows the principle of least privilege.

Impact:

Pros:

• Improved Security: Restricting root access ensures that only authorized users can modify critical configurations or gain control of the environment.

• Reduced Risk of Misconfiguration: Prevents accidental or unauthorized changes to system-level settings that could affect the environment.

• Compliance: Helps meet security and compliance requirements for limiting access to sensitive systems and environments.

Cons:

• Limited User Control: Users will not be able to perform certain administrative actions that require root privileges, potentially limiting their ability to configure the instance as they see fit.

• Additional Configuration: Disabling root access may require additional configurations or user permissions management.

Default Value:

By default, Amazon SageMaker Notebook Instances may allow root access depending on how the instance is created. Administrators need to disable root access explicitly during instance setup.

Pre-requisite:

• AWS IAM Permissions:

  • sagemaker:DescribeNotebookInstance

  • ec2:DescribeInstances

• AWS CLI installed and configured.

• SageMaker Notebook Instance is created and operational.

Test Plan:

Using AWS Console:

1. Sign in to the AWS Management Console.

2. Navigate to Amazon SageMaker under Services.

3. In the SageMaker Dashboard, select Notebook instances.

4. Choose the Notebook Instance you want to review.

5. Under Notebook Instance settings, verify if root access is disabled. The IAM role used should not have permissions that grant root access.

   • Check the VPC settings, security groups, and IAM roles attached to ensure that only the necessary permissions are granted.

6. If root access is not disabled, proceed with disabling it as described in the Implementation Steps below.

Using AWS CLI:

1. To describe the SageMaker Notebook Instance and check for root access, run:
   

   aws sagemaker describe-notebook-instance --notebook-instance-name <notebook-instance-name> --query 'NotebookInstanceArn'

2. Review the output and check the IAM role and associated permissions to ensure root access is restricted. The IAM role should not allow administrative access or privileges for root.

Implementation Steps:

Using AWS Console:

1. Sign in to the AWS Management Console and navigate to Amazon SageMaker.

2. In the SageMaker Dashboard, go to Notebook instances and choose the Notebook Instance you want to modify.

3. Under Notebook Instance settings, ensure the IAM role used for the instance has limited permissions and does not grant root access. The role should only have access to necessary services (e.g., S3, SageMaker resources).

4. In the Security settings, ensure that root access is disabled, and only required users and roles have the permissions to manage the instance.

5. Save the changes and restart the Notebook Instance to apply these settings.

Using AWS CLI:

1. To create a SageMaker Notebook Instance with root access disabled, ensure the IAM role associated with the notebook instance is configured with restricted permissions:
   

   aws sagemaker create-notebook-instance \
     --notebook-instance-name <notebook-instance-name> \
     --instance-type <instance-type> \
     --role-arn <role-arn> \
     --subnet-id <subnet-id> \
     --security-group-ids <sg-id> \
     --no-root-access

2. To update an existing Notebook Instance to disable root access, modify the instance configuration:
   

   aws sagemaker update-notebook-instance \
     --notebook-instance-name <notebook-instance-name> \
     --role-arn <new-role-arn> \
     --security-group-ids <new-sg-id>

3. Verify the configuration by running:
   

   aws sagemaker describe-notebook-instance --notebook-instance-name <notebook-instance-name> --query 'NotebookInstanceSecurityGroupIds'

4. Ensure that the IAM role and Security Group attached to the instance do not grant root access.

Backout Plan:

Using AWS Console:

1. If disabling root access causes issues, sign in to the AWS Management Console.

2. Navigate to Amazon SageMaker, select the notebook instance, and go to Edit.

3. Re-enable root access or associate the instance with a different IAM role with broader permissions if required.

4. Save the changes and verify that root access is now enabled.

Using AWS CLI:

1. To enable root access again, you can modify the instance profile to use a more permissive IAM role:
   

   aws sagemaker update-notebook-instance --notebook-instance-name <NOTEBOOK_INSTANCE_NAME> --role-arn <ROLE_ARN> --region <REGION>

2. Verify that root access has been re-enabled:
   

   aws sagemaker describe-notebook-instance --notebook-instance-name <NOTEBOOK_INSTANCE_NAME> --region <REGION

References:

• Amazon SageMaker Documentation: Notebook Instances

• AWS CLI: describe-notebook-instance

• AWS CLI: create-notebook-instance

• AWS CLI: update-notebook-instance

CIS Controls Mapping: