Enable Network Isolation for SageMaker Models

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SageMaker console available at https://console.aws.amazon.com/sagemaker/.

03 In the main navigation panel, under Inference, select Models.

04 Click on the name (link) of the SageMaker model that you want to examine, available in the Name column.

05 In the Network section, check the Enable network isolation attribute value to determine the Network Isolation feature status for your SageMaker model. If Enable network isolation is set to False, the Network Isolation feature is not enabled for the selected SageMaker model.

06 Repeat steps no. 4 and 5 for each Amazon SageMaker model available within the current AWS region.

07 Change the AWS cloud region from the navigation bar to repeat the Audit process for other regions.

01 Run list-models command (OSX/Linux/UNIX) to list the name of each Amazon SageMaker model available in the selected AWS cloud region:

aws sagemaker list-models
  --region us-east-1
  --query 'Models[*].ModelName'

02 The command output should return the requested SageMaker model names:

[
	"cc-ml-sampler-model",
	"cc-ml-sagemaker-endpoint"
]

03 Run describe-model command (OSX/Linux/UNIX) with the name of the Amazon SageMaker model that you want to examine as the identifier parameter and custom output filters to describe the Network Isolation feature status for the selected model:

aws sagemaker describe-model
  --region us-east-1
  --model-name cc-ml-sampler-model
  --query 'EnableNetworkIsolation'

04 The command output should return the requested feature status:

false

05 Repeat steps no. 3 and 4 for each Amazon SageMaker endpoint available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SageMaker console available at https://console.aws.amazon.com/sagemaker/.

03 In the main navigation panel, under Inference, select Models.

04 Click on the name (link) of the SageMaker model that you want to re-create (i.e. source model) and note the model configuration information such as IAM role, container and network settings.

05 Navigate back to the Models page, choose Create model, and perform the following operations to create your new SageMaker model:

1. For Model settings, provide a unique name for your new model in the Model name box, and choose the IAM role used by the source SageMaker model from the IAM role dropdown list. If you want to create a new role, choose Create role using the role creation wizard and follow the setup process to create your new IAM role.
2. For Container definition 1, select the appropriate container input, configure the model artifacts and inference image settings, and provide the container environment variables (must match the container settings used by the source SageMaker model). If required, choose Add container to add more containers.
3. For Network, perform the following actions:
   1. Select Enable network isolation to enable network isolation for the new Amazon SageMaker model. When you enable network isolation, the containers are restricted from making any outbound network calls, including those to other AWS services such as Amazon S3. Additionally, no AWS credentials are provided to the container runtime environment.
   2. Select the ID of the Virtual Private Cloud (VPC) where you want to deploy your resources, from the VPC - optional dropdown list. For better security, AWS recommends using a private VPC.
   3. Once the VPC network is selected, choose the ID of the appropriate VPC subnet(s) from the Subnet(s) dropdown list.
   4. Select one or more security groups from the Security group(s) list, based on your access policy requirements.
4. (Optional) For Tags - optional, create any required tag sets, according to the source model tagging scheme.
5. Choose Create model to create your new, compliant Amazon SageMaker model.

06 Repeat steps no. 4 and 5 for each SageMaker model that you want to re-create, available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

01 Run create-model command (OSX/Linux/UNIX) to create a new SageMaker model. Include the --enable-network-isolation parameter in the command request to enable the Network Isolation feature for your new model. When Network Isolation is enabled, the containers are restricted from making any outbound network calls, including those to other AWS cloud services:

aws sagemaker create-model
  --region us-east-1
  --model-name cc-new-ml-sampler-model
  --containers Mode="SingleModel",ModelPackageName="arn:aws:sagemaker:us-east-1:123456789012:model-package/sagemaker-sequence-sampler12345-abcd1234abcd1234abcd1234abcd1234"
  --execution-role-arn "arn:aws:iam::123456789012:role/service-role/cc-sagemaker-iam-role"
  --vpc-config SecurityGroupIds="sg-0abcd1234abcd1234",Subnets="subnet-01234abcd1234abcd"
  --enable-network-isolation

02 The command output should return the Amazon Resource Name (ARN) of the new SageMaker model:

{
	"ModelArn": "arn:aws:sagemaker:us-east-1:123456789012:model/cc-new-ml-sampler-model"
}

03 Repeat steps no. 1 and 2 for each SageMaker model that you want to re-create, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.