Notebook Direct Internet Access

Security
Risk level: Medium (should be achieved)
Rule ID: SageMaker-004

Ensure that Amazon SageMaker notebook instances are not publicly accessible

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

When your AWS SageMaker notebook instances are publicly accessible, any machine outside the VPC can establish a connection to these instances, increasing the attack surface and the opportunity for malicious activity.

Audit

To determine whether your VPC-based Amazon SageMaker notebook instances have the direct internet access feature enabled, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SageMaker service dashboard at https://console.aws.amazon.com/sagemaker/.

03 In the navigation panel, under Notebook, choose Notebook instances.

04 Select the SageMaker notebook instance that you want to examine and click on the instance name (link).

05 On the selected instance configuration page, within the Network section, check for any VPC subnet IDs and security group IDs. If these network configuration details are not available and the following status is displayed instead: "No custom VPC settings applied.", the notebook instance is not running inside a VPC network; in that case you can follow the steps described in this conformity rule to deploy the instance within a VPC. Otherwise, if the notebook instance is running inside a VPC, check the Direct internet access configuration attribute value. If the attribute value is set to Enabled, the selected Amazon SageMaker notebook instance is publicly accessible.

06 Repeat steps no. 4 and 5 for each Amazon SageMaker notebook instance available in the selected AWS region.

07 Change the AWS region from the navigation bar to repeat the audit process for other regions.

Using AWS CLI

01 Run list-notebook-instances command (OSX/Linux/UNIX) to list the names of all SageMaker notebook instances available in the selected Amazon Web Services region:

aws sagemaker list-notebook-instances \
	--region us-east-1 \
	--query 'NotebookInstances[*].NotebookInstanceName'

02 The command output should return the requested notebook instance names:

[
    "cc-sagemaker-notebook",
    "cc-ml-application-instance",
    "cc-jupyter-based-notebook"
]

03 Run describe-notebook-instance command (OSX/Linux/UNIX) using the name of the SageMaker notebook instance that you want to examine as the identifier and custom query filters to return the ID of the VPC subnet where the selected notebook instance was deployed:

aws sagemaker describe-notebook-instance \
	--region us-east-1 \
	--notebook-instance-name cc-sagemaker-notebook \
	--query 'SubnetId'

04 The command output should return one of the following values:

  1. If the command output returns null, as shown in the example below, the AWS SageMaker notebook instance is not running inside a VPC, therefore the audit process ends here. To deploy the instance within a Virtual Private Cloud, follow the steps outlined in this conformity rule:
    null
    
  2. If the describe-notebook-instance command output returns the requested information, i.e. the ID of the VPC subnet where the instance was deployed, as shown in the example below, continue the audit process with the next step:
    "subnet-abcd1234"
    

05 Run describe-notebook-instance command (OSX/Linux/UNIX) using the name of the SageMaker notebook instance that you want to examine, currently running within a VPC, and custom query filters to get the status of the direct internet access feature for the selected instance:

aws sagemaker describe-notebook-instance \
	--region us-east-1 \
	--notebook-instance-name cc-sagemaker-notebook \
	--query 'DirectInternetAccess'

06 The command output should return the direct internet access feature status:

"Disabled"

If the command output returns Enabled, the selected Amazon SageMaker notebook instance is publicly accessible.

07 Repeat steps no. 3 – 6 for each AWS SageMaker notebook instance provisioned in the current AWS region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the entire process for other regions.

Remediation / Resolution

To ensure that your Amazon SageMaker notebook instances do not have direct internet access, you need to re-create these instances with the necessary network configuration. To disable direct internet access for an AWS SageMaker notebook instance deployed within a VPC, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SageMaker service dashboard at https://console.aws.amazon.com/sagemaker/.

03 In the navigation panel, under Notebook, choose Notebook instances.

04 Click Create notebook instance button from the dashboard top menu to start the instance setup process.

05 On Create notebook instance page, within Notebook instance settings section, perform the following:

  1. In the Notebook instance name box, enter a name for the new AWS SageMaker notebook instance.
  2. From Notebook instance type dropdown list, select the same instance type as the source notebook instance.
  3. From IAM role dropdown list, choose the same IAM role as the one created for the source notebook instance.
  4. From VPC – optional dropdown list, select the ID of the VPC where you want to deploy your new SageMaker notebook instance.
  5. From Subnet dropdown list, choose the ID of a subnet available within the VPC network selected at the previous step.
  6. From Security group(s) dropdown list, select the security group(s) used by the source SageMaker notebook instance.
  7. For Direct internet access, select Disable option.
  8. From Lifecycle configuration – optional dropdown list, select the available lifecycle configuration to customize your notebook environment with scripts and plugins.
  9. From Encryption key – optional dropdown list, select the alias (name) of the AWS KMS key that you want to use for encrypting the notebook instance storage volumes.

06 In the Tags – optional section, create any necessary tags, based on the source notebook instance tagging structure.

07 Click Create notebook instance to launch your new AWS SageMaker notebook instance.

08 Once the notebook instance is created, copy the data from the source instance to the destination instance.

09 Remove the source SageMaker notebook instance from your AWS account to avoid further charges. To terminate the source instance, perform the following:

  1. Select the notebook instance that you want to remove (see Audit section part I to identify the right SageMaker resource).
  2. Click on the Actions dropdown menu and select the Delete option.
  3. Within Delete <notebook-instance-name> dialog box, click the Delete button to confirm the action.

10 Repeat steps no. 4 – 9 to disable direct internet access for other SageMaker notebook instances, available in the selected region.

11 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-notebook-instance command (OSX/Linux/UNIX) using the name of the SageMaker notebook instance that you want to re-create as identifier (see Audit section part II to identify the right resource) to describe the selected instance configuration metadata, information required later when the new instance is launched:

aws sagemaker describe-notebook-instance \
	--region us-east-1 \
	--notebook-instance-name cc-sagemaker-notebook

02 The command output should return the selected instance configuration metadata:

{
    "NetworkInterfaceId": "eni-123456789abcdabcd",
    "NotebookInstanceStatus": "InService",
    "Url": "cc-sagemaker-notebook.notebook.us-east-1.sagemaker.aws",
    "RoleArn": "arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionRole-20180922T151558",
    "NotebookInstanceName": "cc-sagemaker-notebook",
    "CreationTime": 1537618639.017,
    "NotebookInstanceArn": "arn:aws:sagemaker:us-east-1:123456789012:notebook-instance/cc-sagemaker-notebook",
    "SecurityGroups": [
        "sg-aaaabbbb012345678"
    ],
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
    "SubnetId": "subnet-abcd1234",
    "LastModifiedTime": 1537618748.674,
    "InstanceType": "ml.t2.medium"
}

03 Run create-notebook-instance command (OSX/Linux/UNIX) using the configuration metadata returned at the previous step to relaunch the required SageMaker notebook instance (see Audit section part II to identify the right resource) and disable direct internet access for the new instance:

aws sagemaker create-notebook-instance \
	--region us-east-1 \
	--notebook-instance-name cc-new-sagemaker-notebook \
	--instance-type ml.t2.medium \
	--role-arn arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionRole-20180922T151558 \
	--kms-key-id arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc \
	--subnet-id subnet-abcd1234 \
	--security-group-ids sg-aaaabbbb012345678 \
	--direct-internet-access Disabled

04 If successful, the command output should return the ARN of the new SageMaker notebook instance:

{
   "NotebookInstanceArn": "arn:aws:sagemaker:us-east-1:123456789012:notebook-instance/cc-new-sagemaker-notebook"
}

05 Copy the data from the source notebook instance to the destination notebook instance.

06 After your data is copied to the new instance, you can remove the source SageMaker notebook instance in order to reduce AWS costs. To terminate the instance, run delete-notebook-instance command (OSX/Linux/UNIX) using the name of the source notebook instance as identifier (the command does not produce an output):

aws sagemaker delete-notebook-instance \
	--region us-east-1 \
	--notebook-instance-name cc-sagemaker-notebook

07 Repeat steps no. 1 – 6 to disable direct internet access for other SageMaker notebook instances, available in the selected region.

08 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
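As an added example (not Cloud Conformity's own tooling), the following Python applies the Audit decision tree to the JSON that describe-notebook-instance returns, and assembles the replacement create-notebook-instance call from that same metadata, as Remediation steps 01 to 03 do by hand. The sample description is constructed from the values shown on this page; the field names are those of the real API response.

```python
"""Evaluate rule SageMaker-004 offline against describe-notebook-instance output."""
import json
import shlex

# Constructed sample: the Remediation step 02 metadata with the
# DirectInternetAccess attribute the real command also returns.
SAMPLE_PUBLIC_NOTEBOOK = json.loads("""{
  "NotebookInstanceName": "cc-sagemaker-notebook",
  "RoleArn": "arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionRole-20180922T151558",
  "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
  "SecurityGroups": ["sg-aaaabbbb012345678"],
  "SubnetId": "subnet-abcd1234",
  "InstanceType": "ml.t2.medium",
  "DirectInternetAccess": "Enabled"
}""")


def evaluate(desc):
    """Return NOT_IN_VPC, PUBLIC or COMPLIANT following Audit steps 03 to 06."""
    # Step 04: a null (or absent) SubnetId means no custom VPC settings; audit ends.
    if not desc.get("SubnetId"):
        return "NOT_IN_VPC"
    # Step 06: inside a VPC, Enabled means the instance is publicly accessible.
    if desc.get("DirectInternetAccess") == "Enabled":
        return "PUBLIC"
    return "COMPLIANT"


def build_replacement_command(desc, new_name, region):
    """Build the Remediation step 03 create-notebook-instance argv from step 02 metadata.

    Every setting is carried over from the source instance except the name and
    --direct-internet-access, which is forced to Disabled.
    """
    argv = ["aws", "sagemaker", "create-notebook-instance",
            "--region", region,
            "--notebook-instance-name", new_name,
            "--instance-type", desc["InstanceType"],
            "--role-arn", desc["RoleArn"],
            "--subnet-id", desc["SubnetId"],
            "--security-group-ids", *desc["SecurityGroups"],
            "--direct-internet-access", "Disabled"]
    if desc.get("KmsKeyId"):  # storage volume encryption is optional on the source
        argv += ["--kms-key-id", desc["KmsKeyId"]]
    return argv


if __name__ == "__main__":
    print(evaluate(SAMPLE_PUBLIC_NOTEBOOK))
    print(shlex.join(build_replacement_command(SAMPLE_PUBLIC_NOTEBOOK, "cc-new-sagemaker-notebook", "us-east-1")))
```

Feed the function the live output of describe-notebook-instance per instance and region to produce the same verdicts as the manual audit; the printed command is the step 03 call for a PUBLIC result.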

Publication date Oct 15, 2018