Sagemaker Notebook Instance Should Not Have Root Access Enabled
AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Sagemaker Notebook Instance Should Not Have Root Access Enabled
More Info:
Ensure Sagemaker notebook instance does not have root access enabled
Risk Level
High
Address
Security
Compliance Standards
CBP
Triage and Remediation
-
Log in to the AWS Management Console:
- Open the AWS Management Console and navigate to the SageMaker service.
-
Identify Notebook Instances with Root Access Enabled:
- Go to the “Notebook instances” section.
- Check each notebook instance for the “Root access” setting. Instances with root access enabled will have it specified in their details.
-
Disable Root Access:
- Select the notebook instance you want to modify.
- Click “Edit.”
- In the “Notebook instance settings,” find the “Root access” setting and change it to “Disabled.”
- Save the changes and restart the notebook instance for the changes to take effect.
To disable root access for a SageMaker notebook instance using the AWS CLI, you need to update the RootAccess parameter.
Identify and Update Notebook Instances:
# List all notebook instances
aws sagemaker list-notebook-instances
# Describe a specific notebook instance to check its root access setting
aws sagemaker describe-notebook-instance --notebook-instance-name <YourNotebookInstanceName>
# Update the notebook instance to disable root access
aws sagemaker update-notebook-instance \
--notebook-instance-name <YourNotebookInstanceName> \
--root-access Disabled
# Restart the notebook instance to apply changes
aws sagemaker stop-notebook-instance --notebook-instance-name <YourNotebookInstanceName>
aws sagemaker start-notebook-instance --notebook-instance-name <YourNotebookInstanceName>
To disable root access for SageMaker notebook instances using a Python script, you’ll need the boto3 library:
- Install
boto3(if not already installed):
pip install boto3
- Script to Identify and Update Notebook Instances:
import boto3
sagemaker = boto3.client('sagemaker')
def list_notebook_instances():
response = sagemaker.list_notebook_instances()
return response['NotebookInstances']
def describe_notebook_instance(notebook_instance_name):
response = sagemaker.describe_notebook_instance(
NotebookInstanceName=notebook_instance_name
)
return response
def update_notebook_instance(notebook_instance_name):
response = sagemaker.update_notebook_instance(
NotebookInstanceName=notebook_instance_name,
RootAccess='Disabled'
)
print(response)
def restart_notebook_instance(notebook_instance_name):
sagemaker.stop_notebook_instance(NotebookInstanceName=notebook_instance_name)
waiter = sagemaker.get_waiter('notebook_instance_stopped')
waiter.wait(NotebookInstanceName=notebook_instance_name)
sagemaker.start_notebook_instance(NotebookInstanceName=notebook_instance_name)
# Identify and update notebook instances with root access enabled
notebook_instances = list_notebook_instances()
for instance in notebook_instances:
instance_name = instance['NotebookInstanceName']
details = describe_notebook_instance(instance_name)
if details.get('RootAccess', '').lower() == 'enabled':
print(f"Disabling root access for notebook instance: {instance_name}")
update_notebook_instance(instance_name)
restart_notebook_instance(instance_name)
This script will list all notebook instances, describe each one to check its root access setting, and then disable root access for those with it enabled. Finally, it will restart the modified instances to apply the changes.
Replace placeholders (<YourNotebookInstanceName>) with appropriate values.