Sagemaker Notebook Instance Should Not Have Root Access Enabled

More Info:

Ensure Sagemaker notebook instance does not have root access enabled

Risk Level

High

Address

Security

Compliance Standards

CBP

Triage and Remediation

Using Console

Using CLI

To disable root access for a SageMaker notebook instance using the AWS CLI, you need to update the RootAccess parameter.Identify and Update Notebook Instances:

# List all notebook instances
aws sagemaker list-notebook-instances

# Describe a specific notebook instance to check its root access setting
aws sagemaker describe-notebook-instance --notebook-instance-name <YourNotebookInstanceName>

# Update the notebook instance to disable root access
aws sagemaker update-notebook-instance \
    --notebook-instance-name <YourNotebookInstanceName> \
    --root-access Disabled

# Restart the notebook instance to apply changes
aws sagemaker stop-notebook-instance --notebook-instance-name <YourNotebookInstanceName>
aws sagemaker start-notebook-instance --notebook-instance-name <YourNotebookInstanceName>

Using Python

To disable root access for SageMaker notebook instances using a Python script, you’ll need the boto3 library:

Install boto3 (if not already installed):

pip install boto3

Script to Identify and Update Notebook Instances:

import boto3

sagemaker = boto3.client('sagemaker')

def list_notebook_instances():
    response = sagemaker.list_notebook_instances()
    return response['NotebookInstances']

def describe_notebook_instance(notebook_instance_name):
    response = sagemaker.describe_notebook_instance(
        NotebookInstanceName=notebook_instance_name
    )
    return response

def update_notebook_instance(notebook_instance_name):
    response = sagemaker.update_notebook_instance(
        NotebookInstanceName=notebook_instance_name,
        RootAccess='Disabled'
    )
    print(response)

def restart_notebook_instance(notebook_instance_name):
    sagemaker.stop_notebook_instance(NotebookInstanceName=notebook_instance_name)
    waiter = sagemaker.get_waiter('notebook_instance_stopped')
    waiter.wait(NotebookInstanceName=notebook_instance_name)
    sagemaker.start_notebook_instance(NotebookInstanceName=notebook_instance_name)

# Identify and update notebook instances with root access enabled
notebook_instances = list_notebook_instances()
for instance in notebook_instances:
    instance_name = instance['NotebookInstanceName']
    details = describe_notebook_instance(instance_name)
    if details.get('RootAccess', '').lower() == 'enabled':
        print(f"Disabling root access for notebook instance: {instance_name}")
        update_notebook_instance(instance_name)
        restart_notebook_instance(instance_name)

This script will list all notebook instances, describe each one to check its root access setting, and then disable root access for those with it enabled. Finally, it will restart the modified instances to apply the changes.Replace placeholders (<YourNotebookInstanceName>) with appropriate values.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Sagemaker Notebook Instance Should Not Have Root Access Enabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation