Disable Direct Internet Access for Notebook Instances

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SageMaker console available at https://console.aws.amazon.com/sagemaker/.

03 In the main navigation panel, under Notebook, select Notebook instances.

04 Click on the name (link) of the notebook instance that you want to examine, available in the Name column.

05 In the Network section, check the Direct internet access attribute value to determine if direct internet access is enabled for your notebook instance. If Direct internet access is set to Enabled, the selected Amazon SageMaker Studio notebook instance has direct internet access.

06 Repeat steps no. 4 and 5 for each Amazon SageMaker notebook instance launched within the current AWS region.

07 Change the AWS cloud region from the navigation bar to repeat the Audit process for other regions.

01 Run list-notebook-instances command (OSX/Linux/UNIX) to list the name of each SageMaker notebook instance provisioned in the selected AWS region:

aws sagemaker list-notebook-instances
  --region us-east-1
  --query 'NotebookInstances[*].NotebookInstanceName'

02 The command output should return the requested SageMaker notebook instance names:

[
	"cc-sagemaker-ml-instance",
	"cc-ml-notebook-instance"
]

03 Run describe-notebook-instance command (OSX/Linux/UNIX) with the name of the SageMaker notebook instance that you want to examine as the identifier parameter, to describe the Direct Internet Access feature status available for the selected notebook instance:

aws sagemaker describe-notebook-instance
  --region us-east-1
  --notebook-instance-name cc-sagemaker-ml-instance
  --query 'DirectInternetAccess'

04 The command output should return the requested feature status:

"Enabled"

05 Repeat steps no. 3 and 4 for each notebook instance provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Disable Direct Internet Access",
	"Resources": {
		"VpcNetwork": {
			"Type": "AWS::EC2::VPC",
			"Properties": {
				"CidrBlock": "10.0.0.0/16",
				"EnableDnsHostnames": true,
				"EnableDnsSupport": true,
				"InstanceTenancy": "default"
			}
		},
		"SageMakerInstanceExecutionRole": {
			"Type": "AWS::IAM::Role",
			"Properties": {
				"AssumeRolePolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Principal": {
								"Service": [
									"sagemaker.amazonaws.com"
								]
							},
							"Action": [
								"sts:AssumeRole"
							]
						}
					]
				},
				"Path": "/",
				"ManagedPolicyArns": [
					"arn:aws:iam::aws:policy/AmazonSageMakerReadOnly"
				]
			}
		},
		"SageMakerNotebookSubnet": {
			"Type": "AWS::EC2::Subnet",
			"Properties": {
				"VpcId": {
					"Ref": "VpcNetwork"
				}
			}
		},
		"SageMakerNotebookInstance": {
			"Type": "AWS::SageMaker::NotebookInstance",
			"Properties": {
				"InstanceType": "ml.t2.large",
				"RoleArn": {
					"Fn::GetAtt": [
						"SageMakerInstanceExecutionRole",
						"Arn"
					]
				},
				"SecurityGroupIds": [
					"sg-0abcd1234abcd1234",
					"sg-01234abcd1234abcd"
				],
				"SubnetId": {
					"Ref": "SageMakerNotebookSubnet"
				},
				"DirectInternetAccess": "Disabled"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Description: Disable Direct Internet Access
	Resources:
	VpcNetwork:
		Type: AWS::EC2::VPC
		Properties:
		CidrBlock: 10.0.0.0/16
		EnableDnsHostnames: true
		EnableDnsSupport: true
		InstanceTenancy: default
	SageMakerInstanceExecutionRole:
		Type: AWS::IAM::Role
		Properties:
		AssumeRolePolicyDocument:
			Version: '2012-10-17'
			Statement:
			- Effect: Allow
				Principal:
				Service:
					- sagemaker.amazonaws.com
				Action:
				- sts:AssumeRole
		Path: /
		ManagedPolicyArns:
			- arn:aws:iam::aws:policy/AmazonSageMakerReadOnly
	SageMakerNotebookSubnet:
		Type: AWS::EC2::Subnet
		Properties:
		VpcId: !Ref 'VpcNetwork'
	SageMakerNotebookInstance:
		Type: AWS::SageMaker::NotebookInstance
		Properties:
		InstanceType: ml.t2.large
		RoleArn: !GetAtt 'SageMakerInstanceExecutionRole.Arn'
		SecurityGroupIds:
			- sg-0abcd1234abcd1234
			- sg-01234abcd1234abcd
		SubnetId: !Ref 'SageMakerNotebookSubnet'
		DirectInternetAccess: Disabled

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_vpc" "vpc-network" {
	cidr_block = "10.0.0.0/16"
	enable_dns_hostnames = true
	enable_dns_support = true
	instance_tenancy = "default"
}

resource "aws_iam_role" "iam-role" {
	name = "sagemaker-instance-execution-role"
	path = "/"
	managed_policy_arns = [ "arn:aws:iam::aws:policy/AmazonSageMakerReadOnly" ]
	assume_role_policy = <<EOF
	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Action": "sts:AssumeRole",
				"Principal": {
					"Service": "sagemaker.amazonaws.com"
				},
				"Effect": "Allow"
			}
		]
	}
	EOF
}

resource "aws_subnet" "sagemaker-notebook-subnet" {
	vpc_id     = aws_vpc.vpc-network.id
	cidr_block = "10.0.1.0/24"
}

resource "aws_sagemaker_notebook_instance" "sagemaker-notebook-instance" {
	name            = "cc-prod-notebook-instance"
	instance_type   = "ml.t2.medium"
	role_arn        = aws_iam_role.iam-role.arn
	subnet_id       = aws_subnet.sagemaker-notebook-subnet.id
	security_groups = [ "sg-0abcd1234abcd1234", "sg-01234abcd1234abcd" ]

	# Disable Direct Internet Access
	direct_internet_access = Disabled
}

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SageMaker console available at https://console.aws.amazon.com/sagemaker/.

03 In the main navigation panel, under Notebook, select Notebook instances.

04 Click on the name of the notebook instance that you want to re-create (i.e. source instance) and note the instance configuration information such as instance type, platform identifier, IAM permissions, and network configuration.

05 Choose Create notebook instance and perform the following operations to create your new SageMaker notebook instance:

1. For Notebook instance name, provide a unique name for your new notebook instance.
2. For Notebook instance type, select the instance type for your notebook instance (must match the instance type of the source, non-compliant notebook instance).
3. For Platform identifier, select the appropriate software platform (must match the platform used by the source notebook instance).
4. Choose Additional configuration, select the notebook lifecycle configuration (optional), choose the minimum IMDS version, and specify the volume size of the notebook instance in GB (must match the volume size of the source notebook instance).
5. For IAM role, choose the IAM role used by the source, non-compliant notebook instance. If you want to create a new role, choose Create role using the role creation wizard and follow the setup process to create your new IAM role.
6. (Optional) For Root access - optional, choose Disable - Don't give users root access to the notebook to deny root access to your new SageMaker netbook instance.
7. For Encryption key - optional, select the name (alias) of the Amazon KMS Customer Managed Key (CMK) that you want to use to encrypt your notebook data. If no KMS key is selected, the notebook data is encrypted using an AWS-managed key (default).
8. Choose Network - optional and perform the following actions:
   1. Select the ID of the Virtual Private Cloud (VPC) where you want to deploy your new notebook instance.
   2. Once the VPC network is selected, choose the ID of the appropriate VPC subnet from the Subnet dropdown list.
   3. Select one or more security groups from the Security group(s) list, based on your access policy requirements.
   4. For Direct internet access, select Disable — Access the internet through a VPC to disable direct internet access to your notebook instance. If internet access is required to download packages and train or host models, make sure that the selected VPC network has a NAT gateway installed and the specified security groups allow outbound connections.
9. (Optional) Choose Git repositories - optional and select any required Git repositories. Repositories are added to your home directory.
10. (Optional) Choose Tags - optional and create any required tag sets, according to the source instance tagging scheme.
11. Choose Create notebook instance to launch your new Amazon SageMaker notebook instance.

06 If required, once the new notebook instance is available, you can transfer your data from the source instance to the new (destination) instance.

07 (Optional) You can delete the source notebook instance to avoid further charges. To remove the unneeded SageMaker notebook instance, perform the following actions:

1. Select the SageMaker notebook instance that you want to remove.
2. Choose Actions and select Stop to stop the instance.
3. Once the instance is stopped, choose again Actions and select Delete.
4. In the confirmation box, choose Delete to remove the notebook instance from your AWS cloud account.

08 Repeat steps no. 4 – 7 for each SageMaker notebook instance that you want to redeploy, available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

01 Run describe-notebook-instance command (OSX/Linux/UNIX) with the name of the SageMaker notebook instance that you want to re-create as the identifier parameter, to describe the configuration information available for the selected notebook instance:

aws sagemaker describe-notebook-instance
  --region us-east-1
  --notebook-instance-name cc-sagemaker-ml-instance

02 The command output should return the requested configuration details. This information is required when you launch your new SageMaker notebook instance:

{
	"NotebookInstanceArn": "arn:aws:sagemaker:us-east-1:123456789012:notebook-instance/cc-sagemaker-ml-instance",
	"NotebookInstanceName": "cc-sagemaker-ml-instance",
	"NotebookInstanceStatus": "InService",
	"Url": "cc-sagemaker-ml-instance-paeo.notebook.us-east-1.sagemaker.aws",
	"InstanceType": "ml.t3.large",
	"RoleArn": "arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionPolicy-20240320T204001",
	"VolumeSizeInGB": 50,
	"RootAccess": "Disabled",
	"PlatformIdentifier": "notebook-al2-v2",
	"InstanceMetadataServiceConfiguration": {
		"MinimumInstanceMetadataServiceVersion": "2"
	}
}

03 Run create-notebook-instance command (OSX/Linux/UNIX) with the configuration information returned at the previous step to relaunch your Amazon SageMaker notebook instance using a different network configuration. To deploy your notebook instance to a Virtual Private Cloud (VPC), provide the ID of the VPC subnet that you want to use for your instance and the ID(s) of the security group(s) required for access control. To disable direct internet access for the your notebook instance, set --direct-internet-access to Disabled in the command request. If internet access is required to download packages and train or host models, make sure that the selected VPC network has a NAT gateway installed and the specified security groups allow outbound connections:

aws sagemaker create-notebook-instance
  --region us-east-1
  --notebook-instance-name cc-new-sagemaker-ml-instance
  --instance-type ml.t3.large
  --role-arn arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionRole-20240320T204001
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd
  --subnet-id subnet-abcd1234abcd1234a
  --security-group-ids sg-aabbccdd012345678
  --direct-internet-access Disabled

04 The command output should return the ARN of the new Amazon SageMaker notebook instance:

{
	"NotebookInstanceArn": "arn:aws:sagemaker:us-east-1:123456789012:notebook-instance/cc-new-sagemaker-ml-instance"
}

05 If required, once the new notebook instance is available, you can transfer your data from the source instance to the new (destination) instance.

06 (Optional) You can delete the source notebook instance to avoid further charges. To remove the unnecessary SageMaker notebook instance, run delete-notebook-instance command (OSX/Linux/UNIX), with the name of the notebook instance that you want to delete as the identifier parameter (the command does not produce an output):

aws sagemaker delete-notebook-instance
  --region us-east-1
  --notebook-instance-name cc-sagemaker-ml-instance

07 Repeat steps no. 1 – 6 for each SageMaker notebook instance that you want to re-create, available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.