Direct Internet Access Restriction for SageMaker Notebook Instances

Rule Description

Troubleshooting Steps

2. 1.
   Check the network configurations for the SageMaker notebook instance to ensure there is no direct internet access.
4. 2.
   Verify the security group and network ACL settings to ensure that outbound internet traffic is blocked.
6. 3.
   Check if there are any VPC endpoints configured that might allow internet access.

Remediation Steps

2. 1.

   Update VPC Route Tables:

   • Navigate to the VPC console.
   • Select the VPC where the SageMaker notebook instance resides.
   • Edit the route table associated with the subnet of the notebook instance.
   • Remove the default route that allows internet access (0.0.0.0/0) or any specific routes allowing internet access.
   • Add specific routes for internal resources or services as needed.
4. 2.

   Update Security Groups:

   • Go to the EC2 console.
   • Find the security group associated with the SageMaker notebook instance.
   • Edit the outbound rules of the security group to deny all traffic or allow traffic only to specific destinations within the VPC.
6. 3.

   Disable Public IP Assignment:

   • If the SageMaker notebook instance has a public IP, disassociate it to prevent direct internet access.
8. 4.

   Use Private Subnets:

   • Consider moving the SageMaker notebook instances to private subnets within the VPC to restrict external connectivity.
10. 5.

    Monitor Network Traffic:

    • Set up VPC flow logs and CloudWatch logs to monitor network traffic for any unauthorized attempts to access the internet.