Disable Root Access for SageMaker Notebook Instances

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: SageMaker-007

Ensure that your Amazon SageMaker notebook instances are configured to deny root access in order to prevent unauthorized users from gaining elevated privileges and potentially compromising the system.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Disabling root access on SageMaker notebook instances boosts security by restricting user ability to modify critical system files or install unauthorized software. This prevents accidental or malicious tampering that could compromise the instance or data.


Audit

To determine if your Amazon SageMaker notebook instances are configured to prevent root access, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SageMaker console available at https://console.aws.amazon.com/sagemaker/.

03 In the main navigation panel, under Notebook, select Notebook instances.

04 Click on the name (link) of the notebook instance that you want to examine, available in the Name column.

05 In the Permissions and encryption section, check the Root access attribute value to determine if root access is enabled for your notebook instance. If Root access is set to Enabled, root access to the selected Amazon SageMaker notebook instance is enabled.

06 Repeat steps no. 4 and 5 for each Amazon SageMaker notebook instance available within the current AWS region.

07 Change the AWS cloud region from the navigation bar to repeat the Audit process for other regions.

Using AWS CLI

01 Run list-notebook-instances command (OSX/Linux/UNIX) to list the name of each SageMaker notebook instance provisioned in the selected AWS region:

aws sagemaker list-notebook-instances \
  --region us-east-1 \
  --query 'NotebookInstances[*].NotebookInstanceName'

02 The command output should return the requested SageMaker notebook instance names:

[
	"cc-sagemaker-ml-instance",
	"cc-ml-application-instance"
]

03 Run describe-notebook-instance command (OSX/Linux/UNIX) with the name of the Amazon SageMaker notebook instance that you want to examine as the identifier parameter and custom output filters to determine if root access is enabled for the selected notebook instance:

aws sagemaker describe-notebook-instance \
  --region us-east-1 \
  --notebook-instance-name cc-sagemaker-ml-instance \
  --query 'RootAccess'

04 The command output should return the requested information:

"Enabled"

If the command output returns "Enabled", as shown in the output example above, root access is enabled for the selected Amazon SageMaker notebook instance.

05 Repeat steps no. 3 and 4 for each SageMaker notebook instance available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.
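The CLI audit steps above can be run as one pass over several regions. The script below is an added example, not part of the original Conformity procedure; the function names audit_region and find_root_enabled and the script name are hypothetical, and it assumes the AWS CLI is installed with credentials allowed to list and describe notebook instances.

```shell
#!/bin/sh
# Added example: report notebook instances whose RootAccess is "Enabled".
# Usage: sh audit_root_access.sh us-east-1 eu-west-1

# Print "region<TAB>name<TAB>RootAccess" for every notebook instance in a region.
audit_region() {
  ar_region=$1
  # Instance names contain only letters, digits and hyphens, so word
  # splitting the text output is safe.
  ar_names=$(aws sagemaker list-notebook-instances \
    --region "$ar_region" \
    --query 'NotebookInstances[*].NotebookInstanceName' \
    --output text) || return 1
  for ar_name in $ar_names; do
    ar_access=$(aws sagemaker describe-notebook-instance \
      --region "$ar_region" \
      --notebook-instance-name "$ar_name" \
      --query 'RootAccess' \
      --output text) || return 1
    printf '%s\t%s\t%s\n' "$ar_region" "$ar_name" "$ar_access"
  done
}

# Print only the rows with RootAccess "Enabled".
# Returns 0 when every instance is compliant, 1 on any finding, 2 on an API error.
find_root_enabled() {
  fr_found=0
  for fr_region in "$@"; do
    fr_rows=$(audit_region "$fr_region") || return 2
    fr_bad=$(printf '%s\n' "$fr_rows" | awk -F '\t' '$3 == "Enabled"')
    if [ -n "$fr_bad" ]; then
      printf '%s\n' "$fr_bad"
      fr_found=1
    fi
  done
  return "$fr_found"
}

# Run only when regions are given on the command line.
if [ "$#" -gt 0 ]; then
  find_root_enabled "$@"
fi
```

The non-zero exit status on a finding lets the script gate a scheduled job or pipeline step.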

Remediation / Resolution

To disable root access for your Amazon SageMaker notebook instances, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SageMaker console available at https://console.aws.amazon.com/sagemaker/.

03 In the main navigation panel, under Notebook, select Notebook instances.

04 Select the SageMaker notebook instance that you want to configure, choose Actions, and select Stop to stop the instance.

05 Once the instance is stopped, choose Actions again, and select Update settings.

06 In the Permissions and encryption section, under Root access - optional, choose Disable - Don't give users root access to the notebook to disable root access for the selected Amazon SageMaker notebook instance.

07 Choose Update notebook instance to apply the configuration changes.

08 Once the instance status becomes Stopped, choose Actions, and select Start to start the notebook instance.

09 Repeat steps no. 4 – 8 for each SageMaker notebook instance that you want to configure, available within the current AWS region.

10 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run stop-notebook-instance command (OSX/Linux/UNIX) to stop the Amazon SageMaker notebook instance that you want to configure (the command does not produce an output):

aws sagemaker stop-notebook-instance \
  --region us-east-1 \
  --notebook-instance-name cc-sagemaker-ml-instance

02 Once the selected instance is stopped, run update-notebook-instance command (OSX/Linux/UNIX) with the name of the SageMaker notebook instance that you want to configure as the identifier parameter, to disable root access for the selected notebook instance (the command does not return an output):

aws sagemaker update-notebook-instance \
  --region us-east-1 \
  --notebook-instance-name cc-sagemaker-ml-instance \
  --root-access Disabled

03 Run start-notebook-instance command (OSX/Linux/UNIX) to start the Amazon SageMaker notebook instance that you configured (the command does not produce an output):

aws sagemaker start-notebook-instance \
  --region us-east-1 \
  --notebook-instance-name cc-sagemaker-ml-instance

04 Repeat steps no. 1 – 3 for each SageMaker notebook instance that you want to configure, available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
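The stop, update and start commands above are asynchronous, so a scripted remediation has to wait for each state change before issuing the next command. The script below is an added example, not part of the original Conformity procedure; it uses the AWS CLI waiters notebook-instance-stopped and notebook-instance-in-service, and the names sm and disable_root_access are hypothetical.

```shell
#!/bin/sh
# Added example: stop, update and restart one notebook instance, waiting
# for each state change.
# Usage: sh disable_root_access.sh us-east-1 cc-sagemaker-ml-instance

# Shorthand: run a sagemaker subcommand against the selected instance.
sm() { aws sagemaker "$@" --region "$region" --notebook-instance-name "$name"; }

disable_root_access() {
  region=$1
  name=$2
  # Remember the starting state so an instance that was stopped stays stopped.
  status=$(sm describe-notebook-instance \
    --query 'NotebookInstanceStatus' --output text) || return 1
  case "$status" in
    InService) sm stop-notebook-instance || return 1 ;;
    Stopped) ;;
    *) echo "$name is $status; retry once it settles" >&2; return 1 ;;
  esac
  # Blocks until the status is Stopped.
  sm wait notebook-instance-stopped || return 1
  sm update-notebook-instance --root-access Disabled || return 1
  # The update is asynchronous; wait for the instance to return to Stopped.
  sm wait notebook-instance-stopped || return 1
  if [ "$status" = "InService" ]; then
    sm start-notebook-instance || return 1
    sm wait notebook-instance-in-service || return 1
  fi
  # Verify with the same query the audit uses.
  access=$(sm describe-notebook-instance \
    --query 'RootAccess' --output text) || return 1
  [ "$access" = "Disabled" ]
}

# Run only when a region and an instance name are given.
if [ "$#" -eq 2 ]; then
  disable_root_access "$1" "$2"
fi
```

Stopping the instance ends any running kernels and terminals, so schedule the change with the notebook's users. Lifecycle configuration scripts still run as root after root access is disabled for users.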

Publication date Jun 12, 2024