More Info:

Ensure Sagemaker notebook instance does not have root access enabled

Risk Level

High

Address

Security

Compliance Standards

CBP

Triage and Remediation

Using Console

  1. Log in to the AWS Management Console:
    • Open the AWS Management Console and navigate to the SageMaker service.
  2. Identify Notebook Instances with Root Access Enabled:
    • Go to the “Notebook instances” section.
    • Check each notebook instance for the “Root access” setting. Instances with root access enabled will have it specified in their details.
  3. Disable Root Access:
    • Select the notebook instance you want to modify.
    • Click “Edit.”
    • In the “Notebook instance settings,” find the “Root access” setting and change it to “Disabled.”
    • Save the changes and restart the notebook instance for the changes to take effect.
To disable root access for a SageMaker notebook instance using the AWS CLI, you need to update the RootAccess parameter.Identify and Update Notebook Instances:
# List all notebook instances
aws sagemaker list-notebook-instances

# Describe a specific notebook instance to check its root access setting
aws sagemaker describe-notebook-instance --notebook-instance-name <YourNotebookInstanceName>

# Update the notebook instance to disable root access
aws sagemaker update-notebook-instance \
    --notebook-instance-name <YourNotebookInstanceName> \
    --root-access Disabled

# Restart the notebook instance to apply changes
aws sagemaker stop-notebook-instance --notebook-instance-name <YourNotebookInstanceName>
aws sagemaker start-notebook-instance --notebook-instance-name <YourNotebookInstanceName>
To disable root access for SageMaker notebook instances using a Python script, you’ll need the boto3 library:
  1. Install boto3 (if not already installed):
pip install boto3
  1. Script to Identify and Update Notebook Instances:
import boto3

sagemaker = boto3.client('sagemaker')

def list_notebook_instances():
    response = sagemaker.list_notebook_instances()
    return response['NotebookInstances']

def describe_notebook_instance(notebook_instance_name):
    response = sagemaker.describe_notebook_instance(
        NotebookInstanceName=notebook_instance_name
    )
    return response

def update_notebook_instance(notebook_instance_name):
    response = sagemaker.update_notebook_instance(
        NotebookInstanceName=notebook_instance_name,
        RootAccess='Disabled'
    )
    print(response)

def restart_notebook_instance(notebook_instance_name):
    sagemaker.stop_notebook_instance(NotebookInstanceName=notebook_instance_name)
    waiter = sagemaker.get_waiter('notebook_instance_stopped')
    waiter.wait(NotebookInstanceName=notebook_instance_name)
    sagemaker.start_notebook_instance(NotebookInstanceName=notebook_instance_name)

# Identify and update notebook instances with root access enabled
notebook_instances = list_notebook_instances()
for instance in notebook_instances:
    instance_name = instance['NotebookInstanceName']
    details = describe_notebook_instance(instance_name)
    if details.get('RootAccess', '').lower() == 'enabled':
        print(f"Disabling root access for notebook instance: {instance_name}")
        update_notebook_instance(instance_name)
        restart_notebook_instance(instance_name)
This script will list all notebook instances, describe each one to check its root access setting, and then disable root access for those with it enabled. Finally, it will restart the modified instances to apply the changes.Replace placeholders (<YourNotebookInstanceName>) with appropriate values.