Profile Applicability:
• Level 1
Description:
Amazon SageMaker Models can be deployed with VPC configurations that restrict network access to the model endpoints. Configuring VPC settings ensures that the model endpoints are accessible only within the specified Virtual Private Cloud, enhancing security by isolating the model from public internet access.
Rationale:
By associating SageMaker Models with a VPC, you limit access to the models to trusted networks only, reducing the attack surface. This helps prevent unauthorized access and potential data exfiltration from the model endpoints. It is especially important when models process sensitive or proprietary data.
Impact:
Pros:
Enhances security by isolating model endpoints within a private network.
Helps meet regulatory compliance by controlling network boundaries.
Reduces risk of data exposure through public endpoints.
Cons:
May increase complexity in network setup and require proper routing and security group rules.
Could restrict legitimate access if VPC configuration is not correctly managed.
Default Value:
By default, SageMaker Models are not associated with any VPC and may be publicly accessible.
Pre-requisites:
Properly configured VPC with subnets and security groups.
IAM permissions to view and modify SageMaker Model configurations.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to SageMaker > Models.
Select a model to review its configuration.
Check if the model has a VPC configuration attached (look for VPC ID, Subnet IDs, Security Group IDs).
Confirm that the VPC settings are configured and not empty.
Using AWS CLI:
List SageMaker models:
aws sagemaker list-models
Describe a specific model:
aws sagemaker describe-model --model-name <model-name>
Look for the VpcConfig section in the output. Verify that VpcConfig includes valid Subnets and SecurityGroupIds arrays (not empty).
Implementation Plan:
Using AWS Console:
When creating or updating a SageMaker Model, under the Network section, enable VPC configuration.
Select the appropriate VPC, subnets, and security groups.
Save and deploy the model.
Using AWS CLI:
Prepare a JSON configuration file for the model with a VpcConfig section, for example:
"VpcConfig": { "SecurityGroupIds": ["sg-xxxxxxxx"], "Subnets": ["subnet-xxxxxxxx", "subnet-yyyyyyyy"] }
Create or update the model with the configuration:
aws sagemaker create-model --cli-input-json file://model-config.json
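The following script is an added example, not part of this benchmark text or of any AWS-provided tooling. It automates the CLI audit step above (describe each model and verify that VpcConfig carries non-empty Subnets and SecurityGroupIds) and the implementation step (add a VpcConfig to a create-model input before it is submitted). The check logic is pure Python so it runs offline against the constructed sample responses embedded below; the live audit_account function assumes boto3 and AWS credentials are available and uses the real describe_model / list_models calls. All model names, subnet, security group and account identifiers in the samples are constructed placeholders.

```python
"""Audit SageMaker models for a populated VpcConfig and harden create-model input.

Added example (not from the benchmark). Mirrors the manual
`aws sagemaker describe-model` / `create-model` steps.
"""
from __future__ import annotations

from typing import Any


def vpc_config_findings(model: dict[str, Any]) -> list[str]:
    """Return findings for one describe-model response.

    An empty list means the model passes: VpcConfig is present and both
    Subnets and SecurityGroupIds are non-empty arrays.
    """
    findings: list[str] = []
    vpc = model.get("VpcConfig")
    if not vpc:
        return ["VpcConfig missing"]
    if not vpc.get("Subnets"):
        findings.append("VpcConfig.Subnets empty")
    if not vpc.get("SecurityGroupIds"):
        findings.append("VpcConfig.SecurityGroupIds empty")
    # The benchmark only checks that the arrays are populated; whether the
    # subnets are private and the security groups are restrictive is a
    # separate review of the VPC itself.
    return findings


def add_vpc_config(model_input: dict[str, Any],
                   subnets: list[str],
                   security_group_ids: list[str]) -> dict[str, Any]:
    """Return a copy of a create-model input with VpcConfig attached.

    Refuses empty lists so a no-op configuration cannot be deployed by accident.
    """
    if not subnets or not security_group_ids:
        raise ValueError("VpcConfig requires at least one subnet and one security group")
    hardened = dict(model_input)
    hardened["VpcConfig"] = {
        "Subnets": list(subnets),
        "SecurityGroupIds": list(security_group_ids),
    }
    return hardened


# Constructed sample describe-model responses, trimmed to the relevant keys.
# All identifiers are placeholders.
SAMPLE_MODELS: dict[str, dict[str, Any]] = {
    "scoring-model-no-vpc": {
        "ModelName": "scoring-model-no-vpc",
        "ExecutionRoleArn": "arn:aws:iam::123456789012:role/ExampleSageMakerRole",
    },
    "scoring-model-empty-sg": {
        "ModelName": "scoring-model-empty-sg",
        "VpcConfig": {"Subnets": ["subnet-0a1b2c3d"], "SecurityGroupIds": []},
    },
    "scoring-model-ok": {
        "ModelName": "scoring-model-ok",
        "VpcConfig": {
            "Subnets": ["subnet-0a1b2c3d", "subnet-4e5f6a7b"],
            "SecurityGroupIds": ["sg-0123abcd"],
        },
    },
}


def audit(models: dict[str, dict[str, Any]]) -> dict[str, list[str]]:
    """Run the VpcConfig check over a name -> describe-model mapping."""
    return {name: vpc_config_findings(m) for name, m in models.items()}


def audit_account(region: str = "us-east-1") -> dict[str, list[str]]:
    """Live audit: list every model in the region and describe each one.

    Assumes boto3 is installed and AWS credentials with sagemaker:ListModels
    and sagemaker:DescribeModel are configured.
    """
    import boto3  # imported here so the offline functions above need no SDK

    sm = boto3.client("sagemaker", region_name=region)
    results: dict[str, list[str]] = {}
    for page in sm.get_paginator("list_models").paginate():
        for summary in page["Models"]:
            name = summary["ModelName"]
            results[name] = vpc_config_findings(sm.describe_model(ModelName=name))
    return results


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_MODELS).items():
        status = "PASS" if not findings else "FAIL: " + "; ".join(findings)
        print(f"{name}: {status}")
```

Run the file as-is to see the three constructed samples evaluated; call audit_account() from a session with credentials to audit a real region. The offline check deliberately treats a VpcConfig whose arrays are present but empty as a failure, which is the case the manual "not empty" verification step is meant to catch.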
Backout Plan:
Using AWS Console:
Edit the model configuration.
Remove or disable the VPC configuration.
Save changes and redeploy the model if necessary.
Using AWS CLI:
Modify the model configuration JSON by removing the VpcConfig section or setting it to null. Update or recreate the model without VPC configuration.
References:
AWS SageMaker API Documentation: CreateModel, VpcConfig parameter
AWS SageMaker User Guide: Securing Models with VPC
CIS AWS Foundations Benchmark (networking and isolation best practices)