Infrastructure Security in Amazon SageMaker
As a managed service, Amazon SageMaker is protected by AWS global network security. For information about AWS security services and how AWS protects infrastructure, see AWS Cloud Security.
You use AWS published API calls to access Amazon SageMaker through the network. Clients must support the following:
- Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
- Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.
Additionally, requests must be signed by using an access key ID and a secret access key that is associated with an IAM principal. Alternatively, you can use the AWS Security Token Service (AWS STS) to generate temporary security credentials to sign requests.
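The following is an added example, not AWS code: a Python standard-library client context that applies the TLS version and PFS cipher suite requirements above, plus two checks for auditing a context or a negotiated session. The function names are hypothetical, and the prefix check assumes OpenSSL cipher suite naming.

```python
import ssl

# OpenSSL names for TLS 1.2 suites begin with their key exchange;
# only ephemeral (EC)DH provides perfect forward secrecy.
PFS_PREFIXES = ("ECDHE-", "DHE-")


def build_client_context() -> ssl.SSLContext:
    """Client context: TLS 1.2 or later, forward-secret AEAD suites only."""
    ctx = ssl.create_default_context()  # keeps certificate and hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Applies to TLS 1.2; TLS 1.3 suites are configured separately by OpenSSL
    # and always use an ephemeral key exchange.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!PSK")
    return ctx


def non_pfs_suites(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that lack forward secrecy."""
    return [
        s["name"]
        for s in ctx.get_ciphers()
        if s["protocol"] != "TLSv1.3" and not s["name"].startswith(PFS_PREFIXES)
    ]


def session_meets_policy(version, cipher_name) -> bool:
    """Check a negotiated session, e.g. SSLSocket.version() and SSLSocket.cipher()[0]."""
    if version == "TLSv1.3":
        return True
    return version == "TLSv1.2" and cipher_name.startswith(PFS_PREFIXES)


if __name__ == "__main__":
    ctx = build_client_context()
    print("minimum version:", ctx.minimum_version.name)
    print("suites without PFS:", non_pfs_suites(ctx))
```

Running `non_pfs_suites` against an unmodified default context shows which suites a client would still offer without the restriction.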
SageMaker Scans AWS Marketplace Training and Inference Containers for Security Vulnerabilities
To meet our security requirements, all the pre-built SageMaker images (including AWS Deep Learning Containers, the SageMaker machine learning framework containers, and the SageMaker built-in algorithm containers) and the algorithms and model packages listed in AWS Marketplace are scanned for Common Vulnerabilities and Exposures (CVE). CVE is a list of publicly known security vulnerabilities and exposures. The National Vulnerability Database (NVD) provides CVE details such as severity, impact rating, and fix information. Both CVE and NVD are available for public consumption and free for security tools and services to use. For more information, see CVE Frequently Asked Questions (FAQs).