Profile Applicability:

  • Level 1

Description:
Amazon SageMaker Notebook instances are fully managed environments for data scientists to develop, train, and deploy machine learning models. By associating a notebook instance with a VPC (Virtual Private Cloud), you can ensure secure network communication, private access to resources, and better control over network traffic. Configuring VPC settings for SageMaker notebook instances helps maintain data security by isolating the instance within a secure network and enabling private access to resources like S3 buckets, databases, and other AWS services.

Rationale:
Configuring VPC settings for SageMaker Notebook instances is crucial for securing the communication between the notebook instance and other services. This ensures that traffic to and from the instance is securely routed through your VPC, reducing exposure to the public internet. Enabling VPC settings helps maintain compliance with security standards and enhances the privacy and integrity of your data, especially when working with sensitive information.

Impact:
Pros:

  • Provides secure, private network communication for SageMaker notebook instances.

  • Limits access to only resources within the VPC, improving security posture.

  • Enables the use of private subnets for better isolation and reduced attack surface.

  • Helps comply with security and regulatory requirements for network security.

Cons:

  • Requires proper VPC and subnet configuration, adding complexity to setup.

  • May increase costs if additional resources like NAT gateways or VPN connections are required.

  • Requires correct IAM permissions to manage VPC settings for the notebook instance.

Default Value:
By default, SageMaker notebook instances are not associated with a VPC unless explicitly configured. VPC settings must be manually enabled during the creation or modification of a notebook instance.

Pre-requisites:

  • AWS IAM permissions:

    sagemaker:CreateNotebookInstance
    sagemaker:DescribeNotebookInstance
    ec2:DescribeSecurityGroups
    ec2:DescribeSubnets
  • A properly configured VPC with appropriate subnets, route tables, and security groups.

  • Access to Amazon SageMaker and permissions to modify notebook instance configurations.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon SageMaker and go to Notebook instances.

  3. Select a notebook instance from the list.

  4. In the Notebook Instance details, check if the VPC section is populated.

  5. Verify the VPC ID, Subnets, and Security Groups assigned to the notebook instance.

  6. If VPC settings are not configured, modify the instance by clicking Edit and selecting a VPC, subnet, and security group for the notebook instance.

Using AWS CLI:

  1. List the SageMaker notebook instances:
    aws sagemaker list-notebook-instances --query "NotebookInstances[*].NotebookInstanceName"
  2. For each notebook instance, describe its network settings:
    aws sagemaker describe-notebook-instance --notebook-instance-name <NOTEBOOK_INSTANCE_NAME> --query "{SubnetId:SubnetId,SecurityGroups:SecurityGroups,DirectInternetAccess:DirectInternetAccess}"
  3. Check the response for SubnetId and SecurityGroups. An instance that is not attached to a VPC returns no SubnetId. The VPC ID is not part of the response; resolve it from the subnet:
    aws ec2 describe-subnets --subnet-ids <SUBNET_ID> --query "Subnets[0].VpcId"
  4. If no VPC settings are configured, create a notebook instance with VPC settings (the subnet and security groups of a notebook instance are set at creation time):
    aws sagemaker create-notebook-instance --notebook-instance-name <NOTEBOOK_INSTANCE_NAME> --instance-type <INSTANCE_TYPE> --role-arn <IAM_ROLE> --subnet-id <SUBNET_ID> --security-group-ids <SECURITY_GROUP_ID>
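The manual check in the CLI Test Plan above, scripted as an added example (not part of the benchmark text): evaluate_notebook() consumes the JSON returned by describe-notebook-instance and reports whether the instance is VPC-attached, and audit_all() runs the two CLI calls against a live account. Field names are those of the DescribeNotebookInstance API; the two sample responses are constructed.

```python
"""Audit SageMaker notebook instances for VPC attachment (added example)."""
import json
import subprocess
from typing import Any


def evaluate_notebook(desc: dict[str, Any]) -> dict[str, Any]:
    """Return a finding for one describe-notebook-instance response."""
    name = desc.get("NotebookInstanceName", "<unknown>")
    subnet = desc.get("SubnetId")
    sgs = desc.get("SecurityGroups") or []
    issues = []
    if not subnet:
        issues.append("no SubnetId: instance is not attached to a VPC")
    if not sgs:
        issues.append("no SecurityGroups assigned")
    # A VPC-attached instance with DirectInternetAccess=Enabled still reaches the
    # internet through the SageMaker service network rather than your VPC routing,
    # so record it as an additional finding.
    if subnet and desc.get("DirectInternetAccess") == "Enabled":
        issues.append("DirectInternetAccess is Enabled; egress bypasses VPC routing")
    return {"name": name, "subnet_id": subnet, "security_groups": list(sgs),
            "compliant": not issues, "issues": issues}


def audit_all() -> list[dict[str, Any]]:
    """Run the list/describe calls from the Test Plan and evaluate each instance."""
    names = json.loads(subprocess.check_output(
        ["aws", "sagemaker", "list-notebook-instances",
         "--query", "NotebookInstances[*].NotebookInstanceName", "--output", "json"]))
    results = []
    for name in names:
        desc = json.loads(subprocess.check_output(
            ["aws", "sagemaker", "describe-notebook-instance",
             "--notebook-instance-name", name]))
        results.append(evaluate_notebook(desc))
    return results


# Constructed sample responses (not real account data) for offline use.
SAMPLE_VPC = {"NotebookInstanceName": "nb-private", "SubnetId": "subnet-0123456789abcdef0",
              "SecurityGroups": ["sg-0123456789abcdef0"], "DirectInternetAccess": "Disabled"}
SAMPLE_PUBLIC = {"NotebookInstanceName": "nb-public", "DirectInternetAccess": "Enabled"}

if __name__ == "__main__":
    for sample in (SAMPLE_VPC, SAMPLE_PUBLIC):
        print(json.dumps(evaluate_notebook(sample), indent=2))
```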

Implementation Plan:

Using AWS Console:

  1. Navigate to the SageMaker Console and select Notebook Instances.

  2. Click Create notebook instance or select an existing notebook instance.

  3. Under Network, enable the VPC settings by choosing a VPC, subnet, and security groups.

  4. If no VPC is available, create a VPC with appropriate configurations (subnets, route tables, etc.).

  5. Select the required IAM role and other settings, and then create or update the notebook instance.

  6. Verify that the notebook instance is associated with the VPC by checking the VPC ID, Subnet ID, and Security Groups in the Notebook instance details.

Using AWS CLI:

  1. Create the notebook instance with VPC settings using the create-notebook-instance command (the VPC is determined by the subnet you specify):
    aws sagemaker create-notebook-instance --notebook-instance-name <NOTEBOOK_INSTANCE_NAME> --instance-type <INSTANCE_TYPE> --role-arn <IAM_ROLE> --subnet-id <SUBNET_ID> --security-group-ids <SECURITY_GROUP_ID>


  2. Verify the settings: 

    aws sagemaker describe-notebook-instance --notebook-instance-name <NOTEBOOK_INSTANCE_NAME>

Backout Plan:

Using AWS Console:

  1. If enabling VPC settings causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon SageMaker, select the Notebook instance, and go to the Network section.

  3. Remove or modify the VPC settings as needed (e.g., switch to a different subnet or security group).

  4. Save the changes and monitor the notebook instance to ensure that the network configuration is working as expected.

Using AWS CLI:

  1. The subnet and security groups of a notebook instance cannot be changed in place, so to remove or modify VPC settings, stop and delete the instance and recreate it with the new network settings (deleting the instance removes its ML storage volume, so back up notebook data first):

    aws sagemaker stop-notebook-instance --notebook-instance-name <NOTEBOOK_INSTANCE_NAME>
    aws sagemaker delete-notebook-instance --notebook-instance-name <NOTEBOOK_INSTANCE_NAME>
    aws sagemaker create-notebook-instance --notebook-instance-name <NOTEBOOK_INSTANCE_NAME> --instance-type <INSTANCE_TYPE> --role-arn <IAM_ROLE> --subnet-id <NEW_SUBNET_ID> --security-group-ids <NEW_SECURITY_GROUP_ID>

  2. Verify that the changes have been applied:

    aws sagemaker describe-notebook-instance --notebook-instance-name <NOTEBOOK_INSTANCE_NAME>

Reference:

CIS Controls:

  Version   Control ID   Control Description
  7.1       4.1          Ensure that access to cloud services is restricted through proper network segmentation, including configuring VPC settings for services like SageMaker.
  7.1       8.1          Ensure secure network communications by enabling VPC settings and private subnets for cloud services like SageMaker Notebook instances.