SageMaker notebook internet access enabled
This product is not supported for your selected
Datadog site. (
).
Id: f3g4h5i6-j7k8-9lmn-0opq-12345abcdefg
Cloud Provider: aws
Framework: Terraform
Severity: High
Category: Networking and Firewall
Learn More
Description
Amazon SageMaker notebook instances with direct internet access enabled create potential security vulnerabilities by allowing unauthorized outbound connections and possible data exfiltration channels. When enabled, malicious code or compromised notebooks can directly communicate with external servers, bypassing network security controls and potentially leaking sensitive information or intellectual property. To secure SageMaker notebook instances, you should explicitly disable direct internet access as shown in the following example:
resource "aws_sagemaker_notebook_instance" "good_example" {
name = "example-notebook"
role_arn = "arn:aws:iam::123456789012:role/SageMakerRole"
direct_internet_access = "Disabled"
instance_type = "ml.t2.medium"
}
Avoid the insecure configuration that enables direct internet access:
resource "aws_sagemaker_notebook_instance" "bad_example" {
name = "example-notebook"
role_arn = "arn:aws:iam::123456789012:role/SageMakerRole"
direct_internet_access = "Enabled"
instance_type = "ml.t2.medium"
}
Compliant Code Examples
resource "aws_sagemaker_notebook_instance" "good_example" {
name = "example-notebook"
role_arn = "arn:aws:iam::123456789012:role/SageMakerRole"
direct_internet_access = "Disabled" # ✅ Direct internet access is correctly disabled
instance_type = "ml.t2.medium"
}
Non-Compliant Code Examples
resource "aws_sagemaker_notebook_instance" "bad_example" {
name = "example-notebook"
role_arn = "arn:aws:iam::123456789012:role/SageMakerRole"
direct_internet_access = "Enabled" # ❌ Direct internet access should be disabled
instance_type = "ml.t2.medium"
}
