SageMaker Notebook Not Placed In VPC
- Query id: 9c7028d9-04c2-45be-b8b2-1188ccaefb36
- Query name: SageMaker Notebook Not Placed In VPC
- Platform: CloudFormation
- Severity: High
- Category: Networking and Firewall
- URL: Github
Description¶
SageMaker Notebook must be placed in a VPC
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "NotebookInstance"
Resources:
NotebookInstance:
Type: "AWS::SageMaker::NotebookInstance"
DependsOn: [ MountTarget1, MountTarget2, MountTarget3, VpcS3Endpoint ]
Properties:
NotebookInstanceName: !Ref NotebookInstanceName
InstanceType: !Ref NotebookInstanceType
RoleArn: !GetAtt ExecutionRole.Arn
RootAccess: Enabled
SecurityGroupIds:
- !GetAtt VpcSecurityGroup.GroupId
DirectInternetAccess: Disabled
AdditionalCodeRepositories: !If
- CreateCodeRepo
- [!GetAtt CodeRepo.CodeRepositoryName]
- !Ref 'AWS::NoValue'
LifecycleConfigName: !GetAtt NotebookStartConfig.NotebookInstanceLifecycleConfigName
VolumeSizeInGB: !Ref EbsVolumeSize
Tags:
- Key: Name
Value: !Ref 'AWS::StackName'
Vpc:
Type: 'AWS::EC2::VPC'
Properties:
CidrBlock: !Ref VpcCIDR
EnableDnsSupport: 'true'
EnableDnsHostnames: 'true'
Tags:
- Key: Name
Value: !Ref 'AWS::StackName'
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "NotebookInstance",
"Resources": {
"Vpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "VpcCIDR",
"EnableDnsSupport": "true",
"EnableDnsHostnames": "true",
"Tags": [
{
"Key": "Name",
"Value": "AWS::StackName"
}
]
}
},
"NotebookInstance": {
"Type": "AWS::SageMaker::NotebookInstance",
"DependsOn": [
"MountTarget1",
"MountTarget2",
"MountTarget3",
"VpcS3Endpoint"
],
"Properties": {
"VolumeSizeInGB": "EbsVolumeSize",
"Tags": [
{
"Key": "Name",
"Value": "AWS::StackName"
}
],
"NotebookInstanceName": "NotebookInstanceName",
"SecurityGroupIds": [
"VpcSecurityGroup.GroupId"
],
"DirectInternetAccess": "Disabled",
"AdditionalCodeRepositories": [
"CreateCodeRepo",
[
"CodeRepo.CodeRepositoryName"
],
"AWS::NoValue"
],
"LifecycleConfigName": "NotebookStartConfig.NotebookInstanceLifecycleConfigName",
"InstanceType": "NotebookInstanceType",
"RoleArn": "ExecutionRole.Arn",
"RootAccess": "Enabled"
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "NotebookInstance"
Resources:
NotebookInstance:
Type: "AWS::SageMaker::NotebookInstance"
DependsOn: [ MountTarget1, MountTarget2, MountTarget3, VpcS3Endpoint ]
Properties:
NotebookInstanceName: !Ref NotebookInstanceName
InstanceType: !Ref NotebookInstanceType
RoleArn: !GetAtt ExecutionRole.Arn
RootAccess: Enabled
SecurityGroupIds:
- !GetAtt VpcSecurityGroup.GroupId
SubnetId: !Ref PrivateSubnet1
DirectInternetAccess: Disabled
AdditionalCodeRepositories: !If
- CreateCodeRepo
- [!GetAtt CodeRepo.CodeRepositoryName]
- !Ref 'AWS::NoValue'
LifecycleConfigName: !GetAtt NotebookStartConfig.NotebookInstanceLifecycleConfigName
VolumeSizeInGB: !Ref EbsVolumeSize
Tags:
- Key: Name
Value: !Ref 'AWS::StackName'
Vpc:
Type: 'AWS::EC2::VPC'
Properties:
CidrBlock: !Ref VpcCIDR
EnableDnsSupport: 'true'
EnableDnsHostnames: 'true'
Tags:
- Key: Name
Value: !Ref 'AWS::StackName'
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "NotebookInstance",
"Resources": {
"NotebookInstance": {
"Type": "AWS::SageMaker::NotebookInstance",
"DependsOn": [
"MountTarget1",
"MountTarget2",
"MountTarget3",
"VpcS3Endpoint"
],
"Properties": {
"InstanceType": "NotebookInstanceType",
"RoleArn": "ExecutionRole.Arn",
"SecurityGroupIds": [
"VpcSecurityGroup.GroupId"
],
"AdditionalCodeRepositories": [
"CreateCodeRepo",
[
"CodeRepo.CodeRepositoryName"
],
"AWS::NoValue"
],
"VolumeSizeInGB": "EbsVolumeSize",
"Tags": [
{
"Key": "Name",
"Value": "AWS::StackName"
}
],
"NotebookInstanceName": "NotebookInstanceName",
"SubnetId": "PrivateSubnet1",
"DirectInternetAccess": "Disabled",
"LifecycleConfigName": "NotebookStartConfig.NotebookInstanceLifecycleConfigName",
"RootAccess": "Enabled"
}
},
"Vpc": {
"Properties": {
"CidrBlock": "VpcCIDR",
"EnableDnsSupport": "true",
"EnableDnsHostnames": "true",
"Tags": [
{
"Key": "Name",
"Value": "AWS::StackName"
}
]
},
"Type": "AWS::EC2::VPC"
}
}
}