Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable VPC Only for SageMaker Domains

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: SageMaker-005

Configure your SageMaker domains using the "VPC Only" network access type to enable fine-grained control on the network access to Amazon SageMaker Studio.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

To keep your SageMaker Studio notebooks secure, you can isolate them from the public Internet. You can achieve this by choosing the "VPC Only" network access type when setting up your SageMaker domain or using the CreateDomain API. When "VPC Only" is enabled, all SageMaker Studio traffic is routed through your VPC subnets, with internet access disabled by default. To provide secure internet access to your "VPC Only" domain, configure a NAT gateway with internet access in your Virtual Private Cloud (VPC) and ensure that your security groups allow outbound connections. If you need to use the default "Public Internet Access" mode, you can disable this rule from your Trend Cloud One™ – Conformity account.

Audit

To determine the network access type configured for your Amazon SageMaker domains, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SageMaker console available at https://console.aws.amazon.com/sagemaker/.

03 In the main navigation panel, under Admin configurations, choose Domains.

04 Click on the name (link) of the Amazon SageMaker domain that you want to examine.

05 Select the Domain settings tab to access the configuration settings available for the selected SageMaker domain.

06 In the Network section, check the Network mode attribute value to determine the type of the network access configured for your domain. If Network mode is set to Public internet access, the selected SageMaker domain is configured to allow internet access, therefore, the Amazon SageMaker service provides public Internet access to your Studio notebooks.

07 Repeat steps no. 4 - 6 for each Amazon SageMaker domain available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other AWS regions.

Using AWS CLI

01 Run list-domains command (OSX/Linux/UNIX) to list the ID of each Amazon SageMaker domain created for the selected AWS cloud region. A SageMaker domain consists of an associated Amazon EFS volume, a list of authorized users, and a variety of security, application, policy, and VPC network configurations: 

aws sagemaker list-domains
  --region us-east-1
  --query 'Domains[*].DomainId'

02 The command output should return the requested SageMaker domain identifier(s): 

[
	"d-abcd1234abcd"
]

03 Run describe-domain command (OSX/Linux/UNIX) with the name of the Amazon SageMaker domain that you want to examine as the identifier parameter and custom output filters to describe the type of the network access configured for the selected SageMaker domain: 

aws sagemaker describe-domain
  --region us-east-1
  --domain-id "d-abcd1234abcd"
  --query 'AppNetworkAccessType'

04 The command output should return the network access type used by the selected domain: 

"PublicInternetOnly"

If the describe-domain command output returns "PublicInternetOnly", as shown in the output example above, the selected SageMaker domain is configured to allow internet access, therefore, the Amazon SageMaker service provides public Internet access to your Studio notebooks.

05 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the Audit process for other regions.

Remediation / Resolution

To enable "VPC Only" mode for your Amazon SageMaker domains and disable public Internet access, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SageMaker console available at https://console.aws.amazon.com/sagemaker/.

03 In the main navigation panel, under Admin configurations, choose Domains.

04 Click on the name (link) of the Amazon SageMaker domain that you want to configure.

05 Select the Domain settings tab to access the configuration settings available for the selected SageMaker domain.

06 Choose Edit from the Network section and perform the following actions to change the network mode configured for your domain:

  1. For How do you want to connect to other AWS services? select Virtual Private Cloud (VPC) Only to enable the VPC Only mode for your SageMaker domain. With the VPC Only mode, the traffic is routed through the specified VPC and subnets and the Internet access is disabled by default. To allow secure internet access, make sure that your VPC network has a NAT gateway configured and your security groups allow outbound connections. For more details about the VPC Only feature requirements, consult the Amazon SageMaker official documentation.
  2. For Which VPC do you want to use for Studio? select the appropriate VPC network, VPC subnets, and security groups. The selected VPC network must have endpoints that enable connections between the VPC and supported services.
  3. Choose Submit to apply the configuration changes.

07 Repeat steps no. 4 - 6 for each Amazon SageMaker domain that you want to configure, available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Run update-domain command (OSX/Linux/UNIX) to change the network mode configured for your Amazon SageMaker domain. To enable the "VPC Only" mode for the selected SageMaker domain, set the --app-network-access-type parameter value to VpcOnly, as shown in the example below. With "VPC Only", the traffic is routed through the Virtual Private Cloud (VPC) and the VPC subnets specified for the --subnet-ids parameter. To allow secure Internet access, make sure that your VPC network has a NAT gateway configured and your security groups allow outbound connections. For more details about the VPC Only feature requirements, consult the Amazon SageMaker official documentation: 

aws sagemaker update-domain
  --region us-east-1
  --domain-id "d-abcd1234abcd"
  --app-network-access-type "VpcOnly"
  --subnet-ids "subnet-01234abcd1234abcd" "subnet-0abcd1234abcd1234"
  --default-user-settings '{
	"ExecutionRole": "arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionRole-20240729T174060",
	"SecurityGroups": ["sg-0abcd1234abcd1234"]
  }'

02 The command output should return the Amazon Resource Name (ARN) of the modified SageMaker domain: 

{
	"DomainArn": "arn:aws:sagemaker:us-east-1:123456789012:domain/d-abcd1234abcd",
}

03 Repeat steps no. 1 and 2 for each Amazon SageMaker domain that you want to configure, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.

References

Publication date Aug 5, 2024

Related SageMaker rules