Metadata

Id: 88d55d94-315d-4564-beee-d2d725feab11

Cloud Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Insecure Configurations

Description

SageMaker notebook instances must have direct internet access disabled to prevent notebooks from initiating outbound connections. Outbound access can be used to exfiltrate sensitive data or download and execute malicious code.

In CloudFormation, AWS::SageMaker::NotebookInstance resources must include Properties.DirectInternetAccess set to Disabled. Resources that omit DirectInternetAccess, or set it to any other value, will be flagged.

MyNotebook:
  Type: AWS::SageMaker::NotebookInstance
  Properties:
    NotebookInstanceName: my-notebook
    InstanceType: ml.t2.medium
    RoleArn: arn:aws:iam::123456789012:role/SageMakerExecutionRole
    DirectInternetAccess: Disabled
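The check described above, written out as an added example (not Datadog's or AWS's own code): it walks a CloudFormation template's Resources, ignores anything that is not an AWS::SageMaker::NotebookInstance, and reports a finding when DirectInternetAccess is missing or is any value other than the exact string Disabled. The sample templates are constructed here; JSON-form templates are parsed with the standard library, and a YAML template would need a loader that understands CloudFormation intrinsic tags before being passed to find_noncompliant_notebooks.

```python
import json
from typing import Any, Dict, List, Tuple

NOTEBOOK_TYPE = "AWS::SageMaker::NotebookInstance"
REQUIRED_VALUE = "Disabled"


def find_noncompliant_notebooks(template: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (logical_id, reason) for every notebook instance that does not set
    DirectInternetAccess to exactly 'Disabled'. As the rule text says, a missing
    property and any other value (including a lowercase 'disabled') are flagged."""
    findings: List[Tuple[str, str]] = []
    resources = template.get("Resources") or {}
    for logical_id, resource in resources.items():
        if not isinstance(resource, dict) or resource.get("Type") != NOTEBOOK_TYPE:
            continue  # other resource types are out of scope for this rule
        props = resource.get("Properties") or {}
        value = props.get("DirectInternetAccess")
        if value is None:
            findings.append((logical_id, "DirectInternetAccess is not set"))
        elif value != REQUIRED_VALUE:
            findings.append((logical_id, f"DirectInternetAccess is {value!r}, expected {REQUIRED_VALUE!r}"))
    return findings


def check_template_json(text: str) -> List[Tuple[str, str]]:
    """Parse a JSON-form CloudFormation template and run the check on it."""
    return find_noncompliant_notebooks(json.loads(text))


# Constructed sample templates (assumed values, not from AWS or the page), covering
# the three cases the rule distinguishes: compliant, explicitly Enabled, and omitted.
COMPLIANT = json.dumps({"Resources": {"Notebook": {
    "Type": NOTEBOOK_TYPE,
    "Properties": {"DirectInternetAccess": "Disabled", "InstanceType": "ml.c4.2xlarge", "RoleArn": "role"}}}})
ENABLED = json.dumps({"Resources": {"Notebook": {
    "Type": NOTEBOOK_TYPE,
    "Properties": {"DirectInternetAccess": "Enabled", "InstanceType": "ml.c4.2xlarge", "RoleArn": "role"}}}})
OMITTED = json.dumps({"Resources": {
    "Notebook": {"Type": NOTEBOOK_TYPE, "Properties": {"InstanceType": "ml.c4.2xlarge", "RoleArn": "role"}},
    "Bucket": {"Type": "AWS::S3::Bucket"}}})  # unrelated resource type must be ignored

if __name__ == "__main__":
    for label, template in (("compliant", COMPLIANT), ("enabled", ENABLED), ("omitted", OMITTED)):
        print(label, check_template_json(template))
```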

Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: "Internet access and root access for Creating Notebook Instances"
Resources:
  Notebook:
    Type: AWS::SageMaker::NotebookInstance
    Properties:
      DirectInternetAccess: "Disabled"
      InstanceType: "ml.c4.2xlarge"
      RoleArn: "role"

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Internet access and root access for Creating Notebook Instances",
  "Resources": {
    "Notebook": {
      "Type": "AWS::SageMaker::NotebookInstance",
      "Properties": {
        "DirectInternetAccess": "Disabled",
        "InstanceType": "ml.c4.2xlarge",
        "RoleArn": "role"
      }
    }
  }
}

Non-Compliant Code Examples

{
  "Resources": {
    "Notebook": {
      "Type": "AWS::SageMaker::NotebookInstance",
      "Properties": {
        "InstanceType": "ml.c4.2xlarge",
        "RoleArn": "role",
        "DirectInternetAccess": "Enabled"
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Internet access and root access for Creating Notebook Instances"
}

AWSTemplateFormatVersion: "2010-09-09"
Description: "Internet access and root access for Creating Notebook Instances"
Resources:
  Notebook:
    Type: AWS::SageMaker::NotebookInstance
    Properties:
      DirectInternetAccess: "Enabled"
      InstanceType: "ml.c4.2xlarge"
      RoleArn: "role"