Configure your SageMaker domains using the "VPC Only" network access type to enable fine-grained control on the network access to Amazon SageMaker Studio.
This rule can help you work with the AWS Well-Architected Framework.
To keep your SageMaker Studio notebooks off the public Internet, create the domain with the "VPC Only" network access type, either in the console or by setting the AppNetworkAccessType parameter of the CreateDomain API to VpcOnly (the default value is PublicInternetOnly). When "VPC Only" is enabled, all SageMaker Studio traffic is routed through the VPC subnets you specify and Internet access is disabled by default, so the Studio apps can only reach what those subnets can reach. You therefore have to give them a path to the AWS services Studio depends on: either interface VPC endpoints for the SageMaker API and SageMaker Runtime plus a gateway endpoint for Amazon S3, or a NAT gateway with Internet access in your Virtual Private Cloud (VPC). In both cases the security groups attached to the domain must allow the required outbound connections, and they must also allow TCP traffic on ports 8192-65535 within the security group, which the JupyterServer app needs to reach its kernel apps. If you need to use the default "Public Internet Access" mode, you can disable this rule from your Trend Micro Cloud One™ – Conformity account.
Audit
To determine the network access type configured for your Amazon SageMaker domains, list the domains in each region and inspect the AppNetworkAccessType attribute of each one; any value other than VpcOnly means the domain's Studio apps have direct public Internet access. To do this, perform the following operations:
Note: Checking the network access configuration of Amazon SageMaker domains using the AWS Management Console is not currently supported.

Remediation / Resolution
To enable VPC Only for your Amazon SageMaker domains and disable public Internet access, re-deploy them with the appropriate network access configuration: create a replacement domain with AppNetworkAccessType set to VpcOnly, the VPC and subnets that Studio should use, and security groups that allow the required traffic, then move your users to it and delete the old domain. A domain can only be deleted after its running apps and its user profiles have been deleted, and the retention policy of the delete-domain operation decides whether the domain's home EFS file system (and the notebooks stored in it) is retained or deleted, so set it deliberately before deleting anything. To achieve this, perform the following operations:
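The audit and the re-deploy described in the two sections above, as one added Python example built on boto3. This is editor-added code, not Conformity's or AWS's, and it makes these assumptions: boto3 is installed and the caller holds sagemaker:ListDomains, DescribeDomain, ListApps, DeleteApp, ListUserProfiles, DeleteUserProfile, DeleteDomain and CreateDomain; the FakeSageMakerClient class, the domain names and IDs, the security group and subnet IDs and the returned ARN are all constructed so the script runs offline. evaluate_domain and audit_domains implement the check (any AppNetworkAccessType other than VpcOnly fails), build_vpc_only_request builds the create-domain call, and redeploy_domain carries out the deletion order the API enforces (apps, then user profiles, then the domain) while keeping the home EFS file system.

```python
"""Audit SageMaker domains for AppNetworkAccessType=VpcOnly and re-deploy one. Added example
(not Conformity's or AWS's code); assumes boto3 against a real account. FakeSageMakerClient
below is a constructed in-memory stand-in so the script runs offline."""
import time
from typing import Any, Dict, Iterator, List

VPC_ONLY = "VpcOnly"


def _paginate(call, key: str, **kwargs) -> Iterator[Dict[str, Any]]:
    """Follow NextToken pagination on any SageMaker list_* call (boto3 does not do it for you)."""
    while True:
        page = call(**kwargs)
        yield from page.get(key, [])
        if not page.get("NextToken"):
            return
        kwargs["NextToken"] = page["NextToken"]


def evaluate_domain(domain: Dict[str, Any]) -> Dict[str, Any]:
    """Classify one describe_domain response; only VpcOnly passes. VPC, subnets and security
    groups are kept in the finding because the replacement domain needs them."""
    access = domain.get("AppNetworkAccessType", "PublicInternetOnly")  # API default
    return {"DomainId": domain["DomainId"], "DomainName": domain.get("DomainName", ""),
            "AppNetworkAccessType": access, "Compliant": access == VPC_ONLY,
            "VpcId": domain.get("VpcId"), "SubnetIds": domain.get("SubnetIds", []),
            "SecurityGroups": domain.get("DefaultUserSettings", {}).get("SecurityGroups", [])}


def audit_domains(client) -> List[Dict[str, Any]]:
    """The audit: list_domains, then describe_domain for every domain in the region."""
    return [evaluate_domain(client.describe_domain(DomainId=d["DomainId"]))
            for d in _paginate(client.list_domains, "Domains")]


def build_vpc_only_request(name, auth_mode, execution_role, vpc_id, subnet_ids, security_groups):
    """create_domain kwargs for a VpcOnly domain. Subnets and security groups are mandatory:
    they are the only path the Studio apps have to the SageMaker VPC endpoints, S3 or a NAT."""
    if not subnet_ids or not security_groups:
        raise ValueError("a VpcOnly domain needs at least one subnet and one security group")
    return {"DomainName": name, "AuthMode": auth_mode, "AppNetworkAccessType": VPC_ONLY,
            "VpcId": vpc_id, "SubnetIds": list(subnet_ids),
            "DefaultUserSettings": {"ExecutionRole": execution_role,
                                    "SecurityGroups": list(security_groups)}}


def redeploy_domain(client, domain_id: str, request: Dict[str, Any], poll_seconds=10) -> str:
    """Re-deploy in the order the API enforces: apps, then user profiles, then the domain
    (home EFS retained so users' files survive), then create_domain."""
    for app in _paginate(client.list_apps, "Apps", DomainIdEquals=domain_id):
        if app.get("Status") != "Deleted":  # apps owned by a Space carry SpaceName instead
            owner = {k: app[k] for k in ("UserProfileName", "SpaceName") if k in app}
            client.delete_app(DomainId=domain_id, AppType=app["AppType"],
                              AppName=app["AppName"], **owner)
    # delete_app is asynchronous; delete_user_profile fails while an app is still Deleting
    while any(a.get("Status") != "Deleted"
              for a in _paginate(client.list_apps, "Apps", DomainIdEquals=domain_id)):
        time.sleep(poll_seconds)
    for p in _paginate(client.list_user_profiles, "UserProfiles", DomainIdEquals=domain_id):
        client.delete_user_profile(DomainId=domain_id, UserProfileName=p["UserProfileName"])
    client.delete_domain(DomainId=domain_id, RetentionPolicy={"HomeEfsFileSystem": "Retain"})
    return client.create_domain(**request)["DomainArn"]


class FakeSageMakerClient:
    """Constructed stand-in for boto3.client("sagemaker"): two domains, one PublicInternetOnly
    with a running app. Every mutating call is recorded in self.calls, in order."""
    def __init__(self):
        self.domains = {
            "d-public": {"DomainId": "d-public", "DomainName": "research", "VpcId": "vpc-0a1b",
                         "SubnetIds": ["subnet-0a1b"], "AppNetworkAccessType": "PublicInternetOnly"},
            "d-vpc": {"DomainId": "d-vpc", "DomainName": "prod", "AppNetworkAccessType": VPC_ONLY,
                      "DefaultUserSettings": {"SecurityGroups": ["sg-0c2d"]}}}
        self.apps = [{"DomainId": "d-public", "UserProfileName": "alice", "Status": "InService",
                      "AppType": "JupyterServer", "AppName": "default"}]
        self.profiles = {"d-public": ["alice"], "d-vpc": ["bob"]}
        self.calls: List[str] = []
    def list_domains(self, **kw):  # two pages, to exercise NextToken handling
        first, *rest = self.domains
        return ({"Domains": [{"DomainId": i} for i in rest]} if "NextToken" in kw
                else {"Domains": [{"DomainId": first}], "NextToken": "page2"})
    def describe_domain(self, DomainId):
        return self.domains[DomainId]
    def list_apps(self, **kw):
        return {"Apps": [a for a in self.apps if a["DomainId"] == kw["DomainIdEquals"]]}
    def delete_app(self, DomainId, AppType, AppName, **owner):
        for a in self.apps:
            if (a["DomainId"], a["AppType"], a["AppName"]) == (DomainId, AppType, AppName):
                a["Status"] = "Deleted"
        self.calls.append("delete_app")
    def list_user_profiles(self, **kw):
        return {"UserProfiles": [{"UserProfileName": n} for n in self.profiles[kw["DomainIdEquals"]]]}
    def delete_user_profile(self, DomainId, UserProfileName):
        self.profiles[DomainId].remove(UserProfileName)
        self.calls.append("delete_user_profile")
    def delete_domain(self, DomainId, RetentionPolicy):
        del self.domains[DomainId]
        self.calls.append("delete_domain:" + RetentionPolicy["HomeEfsFileSystem"])
    def create_domain(self, **req):
        new_id = "d-" + req["DomainName"]
        self.domains[new_id] = {"DomainId": new_id, **req}
        self.calls.append("create_domain")
        return {"DomainArn": "arn:aws:sagemaker:us-east-1:123456789012:domain/" + new_id}
```

To run it for real, pass boto3.client("sagemaker", region_name=...) instead of FakeSageMakerClient() and repeat per region, since domains are regional. The deletion order matters: delete_user_profile returns ResourceInUse while any of the profile's apps is still Deleting, and delete_domain fails while profiles remain. The retention policy is passed explicitly because HomeEfsFileSystem=Delete destroys every user's home directory; domains that use Studio spaces additionally need their spaces deleted (list_spaces/delete_space) before delete_domain succeeds.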
References
- AWS Documentation
  - Amazon SageMaker FAQs
  - Infrastructure Security in Amazon SageMaker
  - Connect SageMaker Studio Classic Notebooks in a VPC to External Resources
  - CreateDomain
- AWS Command Line Interface (CLI) Documentation
  - list-domains
  - describe-domain
  - delete-user-profile
  - delete-domain
  - create-domain
Rule: Enable VPC Only for SageMaker Domains (Risk Level: Medium)