Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable VPC Only for SageMaker Domains

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)

Configure your SageMaker domains using the "VPC Only" network access type to enable fine-grained control on the network access to Amazon SageMaker Studio.

This rule can help you work with the AWS Well-Architected Framework.

Security

To keep your SageMaker Studio notebooks secure, you can isolate them from the public Internet. You can achieve this by choosing the "VPC Only" network access type when setting up your SageMaker domain or using the CreateDomain API. When "VPC Only" is enabled, all SageMaker Studio traffic is routed through your VPC subnets, with internet access disabled by default. To provide secure internet access to your "VPC Only" domain, configure a NAT gateway with internet access in your Virtual Private Cloud (VPC) and ensure that your security groups allow outbound connections. If you need to use the default "Public Internet Access" mode, you can disable this rule from your Trend Micro Cloud One™ – Conformity account.

Audit

To determine the network access type configured for your Amazon SageMaker domains, perform the following operations:

Note: Checking Amazon SageMaker domain's configuration for network access using AWS Management Console is not currently supported.

Using AWS CLI

01 Run list-domains command (OSX/Linux/UNIX) to list the ID of each Amazon SageMaker domain created for the selected AWS cloud region. A SageMaker domain consists of an associated Amazon EFS volume, a list of authorized users, and a variety of security, application, policy, and VPC network configurations: 

aws sagemaker list-domains
  --region us-east-1
  --query 'Domains[*].DomainId'

02 The command output should return the requested SageMaker domain identifier(s): 

[
	"d-abcd1234abcd"
]

03 Run describe-domain command (OSX/Linux/UNIX) with the name of the Amazon SageMaker domain that you want to examine as the identifier parameter and custom output filters to describe the type of the network access configured for the selected SageMaker domain: 

aws sagemaker describe-domain
  --region us-east-1
  --domain-id "d-6go6mhx1sb9b"
  --query 'AppNetworkAccessType'

04 The command output should return the network access type used by the selected domain: 

"PublicInternetOnly"

If the describe-domain command output returns "PublicInternetOnly", as shown in the output example above, the selected SageMaker domain is configured to allow internet access, therefore, the Amazon SageMaker service provides public Internet access to your Studio notebooks.

05 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the Audit process for other regions.

Remediation / Resolution

To enable VPC Only for your Amazon SageMaker domains and disable public Internet access, re-deploy them with the appropriate network access configuration. To achieve this, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SageMaker console available at https://console.aws.amazon.com/sagemaker/.

03 In the main navigation panel, under Admin configurations, choose Domains.

04 To delete your SageMaker domain so that you can re-create it with the appropriate network configuration, you have to remove any user profiles created for the domain. To delete the existing user profiles, perform the following actions:

  1. Click on the name (link) of the SageMaker domain that you want to re-create.
  2. Select the User profiles tab, click on the user profile that you want to remove, and choose Edit.
  3. On the General settings page, in the Delete user section, choose Delete user to remove the selected user profile from your domain.
  4. On the Delete user confirmation page, choose Yes, delete user, type delete in the required field, and select Delete to confirm deletion.

05 After all user profiles are successfully removed, navigate back to the Domains page and perform the following operations to delete the non-compliant domain:

  1. Select the SageMaker domain that you want to delete and choose Edit to access the domain's settings.
  2. On the General settings page, in the Delete domain section, choose Delete domain to remove the selected domain.
  3. On the Delete Domain confirmation page, choose Yes, delete my Domain, type delete in the required field, and select Delete to confirm deletion.

06 To re-deploy your Amazon SageMaker domain with the VPC Only network access type, choose Create domain.

07 On the Set up SageMaker Domain page, select Set up for organizations, choose Set up, and perform the following actions:

  1. For Step 1 Domain details, provide a name for your new SageMaker domain in the Domain name box. Choose Next to continue the setup.
  2. For Step 2 Users and ML Activities, select the appropriate authentication method, add the users that will use SageMaker, and choose the default execution role (use the execution role created for the source, non-compliant domain). You can also select specific ML activities in order to create a new role. Choose Next to continue.
  3. For Step 3 Applications, configure the application settings for your users. You can edit these settings later. Choose Next to continue the setup.
  4. For Step 4 Network, configure the network settings for your new SageMaker domain:
    1. For How do you want to connect to other AWS services? select Virtual Private Cloud (VPC) Only to enable the VPC Only mode for your new domain. With the VPC Only mode, the traffic is routed through the specified VPC and subnets and the Internet access is disabled by default. To allow secure internet access, make sure that your VPC network has a NAT gateway configured and your security groups allow outbound connections. For more details about the VPC Only feature requirements, consult the Amazon SageMaker official documentation.
    2. For Which VPC do you want to use for Studio? select the appropriate VPC network, VPC subnets, and security groups. The selected VPC network must have endpoints that enable connections between the VPC and supported services.
    3. Choose Next to continue.
  5. For Step 5 Storage, select an Amazon KMS Customer Managed Key (CMK) for encrypting your data, and choose the default and maximum EBS storage volume size for JupyterLab and CodeEditor spaces (optional). Choose Next to continue the setup.
  6. For Step 6 Review and create, review the domain configuration settings, and choose Submit to create your new Amazon SageMaker domain.

08 Repeat steps no. 4 - 7 for each Amazon SageMaker domain that you want to re-create, available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 To delete your Amazon SageMaker domain in order to re-create it with the appropriate network configuration, you have to remove all user profiles created for the domain. Run delete-user-profile command (OSX/Linux/UNIX) to remove the specified user profile from the selected domain (the command does not produce an output). Repeat this step to delete all the user profiles created for the selected SageMaker domain: 

aws sagemaker delete-user-profile
  --domain-id d-abcd1234abcd
  --user-profile-name cc-sagemaker-user

02 Run delete-domain command (OSX/Linux/UNIX) to remove the Amazon SageMaker domain from your AWS cloud account (the command does not produce an output): 

aws sagemaker delete-domain
  --domain-id d-abcd1234abcd

03 To redeploy your Amazon SageMaker domain with the VPC Only network access type, run create-domain command (OSX/Linux/UNIX). To enable the VPC Only mode for the new domain, use VpcOnly for the --app-network-access-type parameter value, as shown in the example below. With VPC Only, the traffic is routed through the Virtual Private Cloud (VPC) and the VPC subnets specified for the --default-user-settings command parameter. To allow secure internet access, make sure that your VPC network has a NAT gateway configured and your security groups allow outbound connections. For more details about the VPC Only feature requirements, consult the Amazon SageMaker official documentation. 

aws sagemaker create-domain
  --domain-name cc-sagemaker-private-domain
  --auth-mode IAM
  --subnet-ids subnet-0abcd1234abcd1234 subnet-01234abcd1234abcd
  --vpc-id vpc-0abcdabcdabcdabcd
  --app-network-access-type VpcOnly
  --default-user-settings '{
		"ExecutionRole": "arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionRole-123456789012345",
		"SecurityGroups": [
			"sg-01234123412341234"
		],
		"JupyterServerAppSettings": {
			"DefaultResourceSpec": {
				"SageMakerImageArn": "arn:aws:sagemaker:us-east-1:081325390199:image/jupyter-server",
				"InstanceType": "system"
			}
		}
	}'

04 The command output should return the ARN and the full URL of the new SageMaker domain: 

{
	"DomainArn": "arn:aws:sagemaker:us-east-1:123456789012:domain/d-abcd1234abcd",
	"Url": "https://d-abcd1234abcd.studio.us-east-1.sagemaker.aws"
}

05 Repeat steps no. 1 - 4 for each Amazon SageMaker domain that you want to re-create, available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.

References

Publication date Jan 15, 2024

Related SageMaker rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Enable VPC Only for SageMaker Domains

Risk Level: Medium