Profile Applicability:

  • Level 2

Description:
Amazon SageMaker is a fully managed service for building, training, and deploying machine learning models at scale. Configuring VPC (Virtual Private Cloud) settings for SageMaker models ensures that the communication between the models and other AWS resources, such as databases, S3 buckets, and other services, occurs over a private network, thereby enhancing security. Configuring VPC settings helps prevent exposure to the public internet and ensures that data in transit is securely isolated.

Rationale:
Ensuring that SageMaker models are deployed within a VPC enhances security by restricting network access to only authorized resources within the VPC. This reduces the risk of data exposure and ensures secure communication between the model and other private resources in your cloud environment. Configuring VPC settings is a security best practice, especially when working with sensitive data or integrating models with other private services.

Impact:
Pros:

  • Provides a secure and isolated environment for SageMaker models.

  • Restricts access to the model to only authorized resources within the VPC.

  • Helps comply with security and regulatory requirements for secure network communications.

Cons:

  • Requires careful configuration of VPC, subnets, route tables, and security groups.

  • Adds complexity to the setup and management of SageMaker models.

  • May result in increased costs if additional resources like NAT gateways or VPNs are required.

Default Value:
By default, SageMaker models do not have VPC settings configured. VPC settings need to be explicitly specified during model deployment to ensure private communication within the VPC.

Pre-requisites:

AWS IAM permissions:

  •  sagemaker:CreateModel
  •  sagemaker:DescribeModel
  •  ec2:DescribeSecurityGroups
  •  ec2:DescribeSubnets

A properly configured VPC with appropriate subnets, route tables, and security groups.

Access to Amazon SageMaker and permissions to modify model configurations.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon SageMaker and select Models from the left-hand menu.

  3. Select the model for which you want to check VPC settings.

  4. In the Model details, check the VPC section.

  5. Verify that VPC ID, Subnets, and Security Groups are correctly configured.

  6. If VPC settings are not configured, click Edit and select a VPC, subnet, and security group for the model.

Using AWS CLI: 

  1. List all SageMaker models:
    aws sagemaker list-models --query "Models[*].ModelName"
  2. For each model, describe the VPC settings:
    aws sagemaker describe-model --model-name <MODEL_NAME>
  3. Check the response for VpcId, SubnetId, and SecurityGroupIds to see if VPC settings are configured.
  4. If no VPC settings are configured, update the model deployment to use VPC settings:
    aws sagemaker create-model --model-name <MODEL_NAME> --primary-container Image=<IMAGE_URL> --execution-role-arn <EXECUTION_ROLE_ARN> --vpc-config "Subnets=<SUBNET_ID>,SecurityGroupIds=<SECURITY_GROUP_ID>"
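
The CLI check above, automated as an added example (not part of the original benchmark text): it walks list-models and describe-model through a boto3-style client and flags every model whose response has no `VpcConfig` block with `Subnets` and `SecurityGroupIds`. The model names, IDs and the `OfflineClient` stand-in are constructed for illustration; passing `--live` uses boto3 with the credentials in your environment.

```python
"""Audit SageMaker models for VPC settings (added example, not benchmark code)."""
import sys

def vpc_findings(model):
    """Return the problems in one describe-model response; an empty list means compliant."""
    vpc = model.get("VpcConfig")
    if not vpc:
        return ["no VpcConfig: model is not attached to a VPC"]
    return [f"VpcConfig has no {key}"
            for key in ("Subnets", "SecurityGroupIds") if not vpc.get(key)]

def audit_models(client):
    """Map every model name visible to `client` to its list of findings."""
    report = {}
    for page in client.get_paginator("list_models").paginate():
        for summary in page["Models"]:
            name = summary["ModelName"]
            report[name] = vpc_findings(client.describe_model(ModelName=name))
    return report

# Constructed describe-model responses (hypothetical names and IDs).
SAMPLE_MODELS = {
    "fraud-scorer": {"ModelName": "fraud-scorer",
                     "VpcConfig": {"Subnets": ["subnet-0aaa1111"],
                                   "SecurityGroupIds": ["sg-0bbb2222"]}},
    "churn-demo": {"ModelName": "churn-demo"},  # created without --vpc-config
}

class OfflineClient:
    """Stand-in for boto3.client("sagemaker") that serves SAMPLE_MODELS."""
    def get_paginator(self, operation):
        return self

    def paginate(self):
        for name in sorted(SAMPLE_MODELS):  # one model per page, to exercise paging
            yield {"Models": [{"ModelName": name}]}

    def describe_model(self, ModelName):
        return SAMPLE_MODELS[ModelName]

if __name__ == "__main__":
    client = OfflineClient()
    if "--live" in sys.argv:  # real account: needs boto3 and AWS credentials
        import boto3
        client = boto3.client("sagemaker")
    for name, problems in sorted(audit_models(client).items()):
        print("FAIL" if problems else "PASS", name, "; ".join(problems))
```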


Implementation Plan:

Using AWS Console:

  1. Open the SageMaker Console and select Models from the left menu.

  2. Click Create Model or select an existing model to update.

  3. Under the Network settings, select VPC and choose the appropriate VPC, subnet, and security group.

  4. If no VPC is available, create a VPC with appropriate configurations (subnets, route tables, etc.).

  5. Select the appropriate IAM role and other settings.

  6. Complete the setup to create or update the model with VPC settings.

  7. Verify that the model is associated with the VPC by checking the VPC ID, Subnet ID, and Security Groups.

Using AWS CLI:

  1. When creating or updating the model, ensure the vpc-config parameter is included with the appropriate subnets and security groups:
    aws sagemaker create-model --model-name <MODEL_NAME> --primary-container Image=<IMAGE_URL> --execution-role-arn <EXECUTION_ROLE_ARN> --vpc-config "Subnets=<SUBNET_ID>,SecurityGroupIds=<SECURITY_GROUP_ID>"
  2. Verify the VPC settings:
    aws sagemaker describe-model --model-name <MODEL_NAME>

Backout Plan: 

Using AWS Console:

  1. If configuring the VPC settings causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon SageMaker and select the Model to modify.

  3. Click Edit and change the VPC, subnet, or security group settings to the previous configuration, or remove them to revert to the default settings.

  4. Save the changes and verify that the model continues to function as expected.

Using AWS CLI:

  1. Identify the affected model and check the VPC, subnet, and security group configurations.

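  2. Disable the VPC settings by re-creating the model without --vpc-config (the AWS CLI has no update-model command for SageMaker, so the model is deleted and created again):

    aws sagemaker delete-model --model-name <MODEL_NAME>
    aws sagemaker create-model --model-name <MODEL_NAME> --primary-container Image=<IMAGE_URL> --execution-role-arn <EXECUTION_ROLE_ARN>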
  3. If necessary, revert the model to public settings or remove VPC configurations.
  4. Verify that the model is functioning as expected, and troubleshoot any issues related to VPC connectivity.
  5. Document the changes and backout process for auditing and compliance.

Reference:

CIS Controls:

  • Version 7.1, Control ID 4.1: Ensure that network communications are restricted through proper network segmentation, including VPC configurations for services like SageMaker.

  • Version 7.1, Control ID 8.1: Enable private network communication for cloud resources, including configuring VPC settings for SageMaker models to enhance security.