SageMaker Notebook Not Placed In VPC

  • Query id: 9c7028d9-04c2-45be-b8b2-1188ccaefb36
  • Query name: SageMaker Notebook Not Placed In VPC
  • Platform: CloudFormation
  • Severity: High
  • Category: Networking and Firewall
  • URL: Github

Description

SageMaker Notebook must be placed in a VPC
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "NotebookInstance"
Resources:
  NotebookInstance:
    Type: "AWS::SageMaker::NotebookInstance"
    DependsOn: [ MountTarget1, MountTarget2, MountTarget3, VpcS3Endpoint ]
    Properties:
      NotebookInstanceName: !Ref NotebookInstanceName
      InstanceType: !Ref NotebookInstanceType
      RoleArn: !GetAtt ExecutionRole.Arn
      RootAccess: Enabled
      SecurityGroupIds:
        - !GetAtt VpcSecurityGroup.GroupId
      DirectInternetAccess: Disabled
      AdditionalCodeRepositories: !If
        - CreateCodeRepo
        - [!GetAtt CodeRepo.CodeRepositoryName]
        - !Ref 'AWS::NoValue'
      LifecycleConfigName: !GetAtt NotebookStartConfig.NotebookInstanceLifecycleConfigName
      VolumeSizeInGB: !Ref EbsVolumeSize
      Tags:
        - Key: Name
          Value: !Ref 'AWS::StackName'
  Vpc:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: !Ref VpcCIDR
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      Tags:
        - Key: Name
          Value: !Ref 'AWS::StackName'
Positive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "NotebookInstance",
  "Resources": {
    "Vpc": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "VpcCIDR",
        "EnableDnsSupport": "true",
        "EnableDnsHostnames": "true",
        "Tags": [
          {
            "Key": "Name",
            "Value": "AWS::StackName"
          }
        ]
      }
    },
    "NotebookInstance": {
      "Type": "AWS::SageMaker::NotebookInstance",
      "DependsOn": [
        "MountTarget1",
        "MountTarget2",
        "MountTarget3",
        "VpcS3Endpoint"
      ],
      "Properties": {
        "VolumeSizeInGB": "EbsVolumeSize",
        "Tags": [
          {
            "Key": "Name",
            "Value": "AWS::StackName"
          }
        ],
        "NotebookInstanceName": "NotebookInstanceName",
        "SecurityGroupIds": [
          "VpcSecurityGroup.GroupId"
        ],
        "DirectInternetAccess": "Disabled",
        "AdditionalCodeRepositories": [
          "CreateCodeRepo",
          [
            "CodeRepo.CodeRepositoryName"
          ],
          "AWS::NoValue"
        ],
        "LifecycleConfigName": "NotebookStartConfig.NotebookInstanceLifecycleConfigName",
        "InstanceType": "NotebookInstanceType",
        "RoleArn": "ExecutionRole.Arn",
        "RootAccess": "Enabled"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "NotebookInstance"
Resources:
  NotebookInstance:
    Type: "AWS::SageMaker::NotebookInstance"
    DependsOn: [ MountTarget1, MountTarget2, MountTarget3, VpcS3Endpoint ]
    Properties:
      NotebookInstanceName: !Ref NotebookInstanceName
      InstanceType: !Ref NotebookInstanceType
      RoleArn: !GetAtt ExecutionRole.Arn
      RootAccess: Enabled
      SecurityGroupIds:
        - !GetAtt VpcSecurityGroup.GroupId
      SubnetId: !Ref PrivateSubnet1
      DirectInternetAccess: Disabled
      AdditionalCodeRepositories: !If
        - CreateCodeRepo
        - [!GetAtt CodeRepo.CodeRepositoryName]
        - !Ref 'AWS::NoValue'
      LifecycleConfigName: !GetAtt NotebookStartConfig.NotebookInstanceLifecycleConfigName
      VolumeSizeInGB: !Ref EbsVolumeSize
      Tags:
        - Key: Name
          Value: !Ref 'AWS::StackName'
  Vpc:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: !Ref VpcCIDR
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      Tags:
        - Key: Name
          Value: !Ref 'AWS::StackName'
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "NotebookInstance",
  "Resources": {
    "NotebookInstance": {
      "Type": "AWS::SageMaker::NotebookInstance",
      "DependsOn": [
        "MountTarget1",
        "MountTarget2",
        "MountTarget3",
        "VpcS3Endpoint"
      ],
      "Properties": {
        "InstanceType": "NotebookInstanceType",
        "RoleArn": "ExecutionRole.Arn",
        "SecurityGroupIds": [
          "VpcSecurityGroup.GroupId"
        ],
        "AdditionalCodeRepositories": [
          "CreateCodeRepo",
          [
            "CodeRepo.CodeRepositoryName"
          ],
          "AWS::NoValue"
        ],
        "VolumeSizeInGB": "EbsVolumeSize",
        "Tags": [
          {
            "Key": "Name",
            "Value": "AWS::StackName"
          }
        ],
        "NotebookInstanceName": "NotebookInstanceName",
        "SubnetId": "PrivateSubnet1",
        "DirectInternetAccess": "Disabled",
        "LifecycleConfigName": "NotebookStartConfig.NotebookInstanceLifecycleConfigName",
        "RootAccess": "Enabled"
      }
    },
    "Vpc": {
      "Properties": {
        "CidrBlock": "VpcCIDR",
        "EnableDnsSupport": "true",
        "EnableDnsHostnames": "true",
        "Tags": [
          {
            "Key": "Name",
            "Value": "AWS::StackName"
          }
        ]
      },
      "Type": "AWS::EC2::VPC"
    }
  }
}