Security Hub controls for SageMaker AI
These AWS Security Hub controls evaluate the Amazon SageMaker AI service and resources.
These controls may not be available in all AWS Regions. For more information, see Availability of controls by Region.
[SageMaker.1] Amazon SageMaker AI notebook instances should not have direct internet access
Related requirements: NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9), PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/1.3.6, PCI DSS v4.0.1/1.4.4
Category: Protect > Secure network configuration
Severity: High
Resource type: AWS::SageMaker::NotebookInstance
AWS Config rule: sagemaker-notebook-no-direct-internet-access
Schedule type: Periodic
Parameters: None
This control checks whether direct internet access is disabled for a SageMaker AI notebook instance. The control fails if the DirectInternetAccess field is enabled for the notebook instance.
If you configure your SageMaker AI instance without a VPC, then by default direct internet access is enabled on your instance. You should configure your instance with a VPC and change the default setting to Disable—Access the internet through a VPC. To train or host models from a notebook, you need internet access. To enable internet access, your VPC must have either an interface endpoint (AWS PrivateLink) or a NAT gateway and a security group that allows outbound connections. To learn more about how to connect a notebook instance to resources in a VPC, see Connect a notebook instance to resources in a VPC in the Amazon SageMaker AI Developer Guide. You should also ensure that access to your SageMaker AI configuration is limited to only authorized users. Restrict IAM permissions that permit users to change SageMaker AI settings and resources.
Remediation
You can't change the internet access setting after creating a notebook instance. Instead, you can stop, delete, and recreate the instance with blocked internet access. To delete a notebook instance that permits direct internet access, see Use notebook instances to build models: Clean up in the Amazon SageMaker AI Developer Guide. To recreate a notebook instance that denies internet access, see Create a notebook instance. For Network, Direct internet access, choose Disable—Access the internet through a VPC.
[SageMaker.2] SageMaker AI notebook instances should be launched in a custom VPC
Related requirements: NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)
Category: Protect > Secure network configuration > Resources within VPC
Severity: High
Resource type: AWS::SageMaker::NotebookInstance
AWS Config rule: sagemaker-notebook-instance-inside-vpc
Schedule type: Change triggered
Parameters: None
This control checks if an Amazon SageMaker AI notebook instance is launched within a custom virtual private cloud (VPC). This control fails if a SageMaker AI notebook instance is not launched within a custom VPC or if it is launched in the SageMaker AI service VPC.
Subnets are a range of IP addresses within a VPC. We recommend keeping your resources inside a custom VPC whenever possible to ensure secure network protection of your infrastructure. An Amazon VPC is a virtual network dedicated to your AWS account. With an Amazon VPC, you can control the network access and internet connectivity of your SageMaker AI Studio and notebook instances.
Remediation
You can't change the VPC setting after creating a notebook instance. Instead, you can stop, delete, and recreate the instance. For instructions, see Use notebook instances to build models: Clean up in the Amazon SageMaker AI Developer Guide.
[SageMaker.3] Users should not have root access to SageMaker AI notebook instances
Related requirements: NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6, NIST.800-53.r5 AC-6(10), NIST.800-53.r5 AC-6(2)
Category: Protect > Secure access management > Root user access restrictions
Severity: High
Resource type: AWS::SageMaker::NotebookInstance
AWS Config rule: sagemaker-notebook-instance-root-access-check
Schedule type: Change triggered
Parameters: None
This control checks whether root access is turned on for an Amazon SageMaker AI notebook instance. The control fails if root access is turned on for a SageMaker AI notebook instance.
In adherence to the principle of least privilege, it is a recommended security best practice to restrict root access to instance resources to avoid unintentionally overprovisioning permissions.
Remediation
To restrict root access to SageMaker AI notebook instances, see Control root access to a SageMaker AI notebook instance in the Amazon SageMaker AI Developer Guide.
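The three notebook instance controls above can be evaluated together from one instance description. The following is an added example, not AWS code: it assumes dicts shaped like DescribeNotebookInstance output, treats a missing DirectInternetAccess or RootAccess field as enabled and a missing SubnetId as the SageMaker AI service VPC, and uses hypothetical function names and constructed sample data.

```python
# Added example (not AWS code). Dicts mirror DescribeNotebookInstance output;
# all sample values are constructed.
RECREATE_ONLY = {"SageMaker.1", "SageMaker.2"}  # per the Remediation text above

def failed_controls(desc):
    """Return the control IDs that one notebook instance description fails."""
    failed = []
    # SageMaker.1: fails when DirectInternetAccess is enabled. Assumption: a
    # missing field counts as enabled, the default when no VPC is configured.
    if desc.get("DirectInternetAccess", "Enabled") != "Disabled":
        failed.append("SageMaker.1")
    # SageMaker.2: assumption: no SubnetId means the SageMaker AI service VPC.
    if not desc.get("SubnetId"):
        failed.append("SageMaker.2")
    # SageMaker.3: fails when root access is on (missing field counts as on).
    if desc.get("RootAccess", "Enabled") != "Disabled":
        failed.append("SageMaker.3")
    return failed

def triage(descriptions):
    """Map notebook name -> (failed controls, whether it must be recreated)."""
    report = {}
    for desc in descriptions:
        failed = failed_controls(desc)
        if failed:
            report[desc["NotebookInstanceName"]] = (
                failed, bool(RECREATE_ONLY.intersection(failed)))
    return report

def describe_all(sagemaker_client):
    """Yield live descriptions from a boto3 SageMaker client (not run here)."""
    pages = sagemaker_client.get_paginator("list_notebook_instances").paginate()
    for page in pages:
        for item in page["NotebookInstances"]:
            yield sagemaker_client.describe_notebook_instance(
                NotebookInstanceName=item["NotebookInstanceName"])

SAMPLE = [  # constructed
    {"NotebookInstanceName": "nb-default", "DirectInternetAccess": "Enabled",
     "RootAccess": "Enabled"},
    {"NotebookInstanceName": "nb-vpc-root", "DirectInternetAccess": "Disabled",
     "SubnetId": "subnet-EXAMPLE", "RootAccess": "Enabled"},
    {"NotebookInstanceName": "nb-hardened", "DirectInternetAccess": "Disabled",
     "SubnetId": "subnet-EXAMPLE", "RootAccess": "Disabled"},
]

if __name__ == "__main__":
    for name, (failed, recreate) in triage(SAMPLE).items():
        print(name, failed, "recreate required:", recreate)
```

To run it against an account, pass `describe_all(boto3.client("sagemaker"))` to `triage` in place of `SAMPLE`.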
[SageMaker.4] SageMaker AI endpoint production variants should have an initial instance count greater than 1
Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 SC-5, NIST.800-53.r5 SC-36, NIST.800-53.r5 SA-13
Category: Recover > Resilience > High availability
Severity: Medium
Resource type: AWS::SageMaker::EndpointConfig
AWS Config rule: sagemaker-endpoint-config-prod-instance-count
Schedule type: Periodic
Parameters: None
This control checks whether production variants of an Amazon SageMaker AI endpoint have an initial instance count greater than 1. The control fails if the endpoint's production variants have only 1 initial instance.
Production variants running with an instance count greater than 1 permit multi-AZ instance redundancy managed by SageMaker AI. Deploying resources across multiple Availability Zones is an AWS best practice to provide high availability within your architecture. High availability helps you to recover from security incidents.
Note
This control applies only to instance-based endpoint configuration.
Remediation
For more information about the parameters of endpoint configuration, see Create an endpoint configuration in the Amazon SageMaker AI Developer Guide.
[SageMaker.5] SageMaker models should block inbound traffic
Category: Protect > Secure network configuration > Resources not publicly accessible
Severity: Medium
Resource type: AWS::SageMaker::Model
AWS Config rule: sagemaker-model-isolation-enabled
Schedule type: Change triggered
Parameters: None
This control checks whether an Amazon SageMaker AI hosted model blocks inbound network traffic. The control fails if the EnableNetworkIsolation parameter for the hosted model is set to False.
SageMaker AI training and deployed inference containers are internet-enabled by default. If you don't want SageMaker AI to provide external network access to your training or inference containers, you can enable network isolation. If you enable network isolation, the containers can't make any outbound network calls, even to other AWS services. Additionally, no AWS credentials are made available to the container runtime environment. Enabling network isolation helps prevent unintended access to your SageMaker AI resources from the internet.
Remediation
For more information about network isolation for SageMaker AI models, see Run training and inference containers in internet-free mode in the Amazon SageMaker AI Developer Guide. You can enable network isolation when you create your training job or model by setting the value of the EnableNetworkIsolation parameter to True.
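The SageMaker.4 and SageMaker.5 checks can be reproduced offline against exported resource descriptions. The following is an added example, not AWS code: it assumes dicts shaped like DescribeEndpointConfig and DescribeModel output, skips variants that carry ServerlessConfig because SageMaker.4 applies only to instance-based configurations, treats a missing EnableNetworkIsolation field as False, and uses hypothetical function names and constructed sample data.

```python
# Added example (not AWS code). Dicts mirror DescribeEndpointConfig and
# DescribeModel output; all sample values are constructed.

def single_instance_variants(endpoint_config):
    """SageMaker.4: names of instance-based variants with initial count <= 1."""
    weak = []
    for variant in endpoint_config.get("ProductionVariants", []):
        # The control applies only to instance-based configurations, so
        # serverless variants (those carrying ServerlessConfig) are skipped.
        if "ServerlessConfig" in variant:
            continue
        # Assumption: a missing count on an instance-based variant is flagged.
        if variant.get("InitialInstanceCount", 0) <= 1:
            weak.append(variant["VariantName"])
    return weak

def isolation_disabled(model):
    """SageMaker.5: True when EnableNetworkIsolation is not set to True."""
    return model.get("EnableNetworkIsolation", False) is not True

def findings(endpoint_configs, models):
    """Return sorted (control, resource, detail) tuples for failing resources."""
    out = []
    for cfg in endpoint_configs:
        weak = single_instance_variants(cfg)
        if weak:
            out.append(("SageMaker.4", cfg["EndpointConfigName"], ",".join(weak)))
    for model in models:
        if isolation_disabled(model):
            out.append(("SageMaker.5", model["ModelName"],
                        "EnableNetworkIsolation is not True"))
    return sorted(out)

ENDPOINT_CONFIGS = [  # constructed
    {"EndpointConfigName": "cfg-ha", "ProductionVariants": [
        {"VariantName": "variant-a", "InitialInstanceCount": 2}]},
    {"EndpointConfigName": "cfg-mixed", "ProductionVariants": [
        {"VariantName": "variant-a", "InitialInstanceCount": 2},
        {"VariantName": "variant-b", "InitialInstanceCount": 1}]},
    {"EndpointConfigName": "cfg-serverless", "ProductionVariants": [
        {"VariantName": "variant-a",
         "ServerlessConfig": {"MemorySizeInMB": 2048, "MaxConcurrency": 5}}]},
]
MODELS = [  # constructed
    {"ModelName": "model-isolated", "EnableNetworkIsolation": True},
    {"ModelName": "model-open", "EnableNetworkIsolation": False},
    {"ModelName": "model-unset"},
]
```

A configuration fails as soon as any one instance-based variant has a single initial instance, which is why `cfg-mixed` is reported even though its other variant has two.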