SageMaker Enabling Internet Access

  • Query id: 88d55d94-315d-4564-beee-d2d725feab11
  • Query name: SageMaker Enabling Internet Access
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Insecure Configurations
  • URL: Github

Description

SageMaker must have disabled internet access and root access for Creating Notebook Instances.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Internet access and root access for Creating Notebook Instances"
Resources:
  Notebook:
    Type: AWS::SageMaker::NotebookInstance
    Properties:
      DirectInternetAccess: "Enabled"
      InstanceType: "ml.c4.2xlarge"
      RoleArn: "role"
Positive test num. 2 - json file
{
  "Resources": {
    "Notebook": {
      "Type": "AWS::SageMaker::NotebookInstance",
      "Properties": {
        "InstanceType": "ml.c4.2xlarge",
        "RoleArn": "role",
        "DirectInternetAccess": "Enabled"
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Internet access and root access for Creating Notebook Instances"
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Internet access and root access for Creating Notebook Instances"
Resources:
  Notebook:
    Type: AWS::SageMaker::NotebookInstance
    Properties:
      DirectInternetAccess: "Disabled"
      InstanceType: "ml.c4.2xlarge"
      RoleArn: "role"
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Internet access and root access for Creating Notebook Instances",
  "Resources": {
    "Notebook": {
      "Type": "AWS::SageMaker::NotebookInstance",
      "Properties": {
        "DirectInternetAccess": "Disabled",
        "InstanceType": "ml.c4.2xlarge",
        "RoleArn": "role"
      }
    }
  }
}