Data at risk

SageMaker notebook instance has direct internet access

Risk Level

Informational (4)

Platform(s)

Description

AWS SageMaker is a service that enables you to create, train, and deploy machine-learning models in the cloud. An AWS SageMaker notebook instance provides a Jupyter notebook app on a fully managed machine-learning AWS EC2 instance and is used to perform advanced data exploration. It was found that an AWS SageMaker notebook instance has direct internet access. This could result in unwanted access to your data, potentially increasing the attack surface for malicious behavior. Although the system prohibits unauthenticated access, using SageMaker direct internet access does not align with security best practices.
  • Recommended Mitigation

    It is recommended to add a security layer by configuring the instance with a VPC and changing the default setting to 'Disable — Access the internet through a VPC'. By doing so, you prevent SageMaker from providing internet access to your notebook instance. As a result, the notebook instance won't be able to train or host models unless your VPC has an interface endpoint (PrivateLink) or a NAT gateway, and your security groups allow outbound connections. For more details, see https://docs.aws.amazon.com/sagemaker/latest/dg/appendix-notebook-and-internet-access.html
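As an added example (not part of this advisory or of any vendor tool), the following Python check applies the mitigation above to DescribeNotebookInstance responses: a notebook is flagged unless it sits in a VPC subnet and has DirectInternetAccess set to Disabled. The sample responses, notebook names and subnet IDs are constructed; the live fetch helper assumes boto3 and read-only SageMaker permissions.

```python
"""Flag SageMaker notebook instances that still have direct internet access."""
from typing import Dict, List


def evaluate_notebook(desc: Dict) -> Dict:
    """Evaluate one DescribeNotebookInstance response dict.

    Compliant only when the notebook is attached to a VPC subnet AND
    DirectInternetAccess is 'Disabled'; egress then has to go through a
    NAT gateway or PrivateLink endpoint that the account controls.
    """
    name = desc.get("NotebookInstanceName", "<unknown>")
    in_vpc = bool(desc.get("SubnetId"))
    direct = desc.get("DirectInternetAccess", "Enabled")  # AWS default is Enabled
    findings = []
    if not in_vpc:
        findings.append("not attached to a VPC subnet")
    if direct != "Disabled":
        findings.append("DirectInternetAccess is %s" % direct)
    return {"name": name, "compliant": not findings, "findings": findings}


def evaluate_all(descriptions: List[Dict]) -> List[Dict]:
    return [evaluate_notebook(d) for d in descriptions]


def fetch_descriptions(region_name: str) -> List[Dict]:
    """Live variant: needs boto3 plus sagemaker:ListNotebookInstances and
    sagemaker:DescribeNotebookInstance. Not exercised by the offline sample."""
    import boto3  # assumption: boto3 installed and credentials configured
    sm = boto3.client("sagemaker", region_name=region_name)
    out = []
    for page in sm.get_paginator("list_notebook_instances").paginate():
        for nb in page["NotebookInstances"]:
            out.append(sm.describe_notebook_instance(
                NotebookInstanceName=nb["NotebookInstanceName"]))
    return out


# Constructed sample responses (not real account data).
SAMPLE_DESCRIPTIONS = [
    {"NotebookInstanceName": "research-nb", "NotebookInstanceStatus": "InService",
     "DirectInternetAccess": "Enabled"},                       # default launch, no VPC
    {"NotebookInstanceName": "vpc-nb-open", "SubnetId": "subnet-0example1",
     "SecurityGroups": ["sg-0example1"], "DirectInternetAccess": "Enabled"},
    {"NotebookInstanceName": "vpc-nb-locked", "SubnetId": "subnet-0example2",
     "SecurityGroups": ["sg-0example2"], "DirectInternetAccess": "Disabled"},
]

if __name__ == "__main__":
    for r in evaluate_all(SAMPLE_DESCRIPTIONS):
        status = "OK  " if r["compliant"] else "FLAG"
        print(f"{status} {r['name']}: {'; '.join(r['findings']) or 'VPC-only egress'}")
```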