Governance and control - Build a Secure Enterprise Machine Learning Platform on AWS

Governance and control

Guardrails

Large enterprises with strict security and compliance requirements need to set up guardrails for operating their ML environments. IAM policies can be used to enforce guardrails, such as requiring proper resource tagging or limiting the types of resources used, for different users and roles. For enterprise-scale guardrail management, consider AWS Organizations. Its Service Control Policies (SCP) feature can help with enterprise guardrail management by attaching an SCP to an AWS Organizations entity (root, organizational unit (OU), or account). You still need to attach identity-based or resource-based policies to IAM users or roles, or to the resources in your organization's accounts, to actually grant permissions. When an IAM user or role belongs to an account that is a member of an organization, the SCPs can limit the user's or role's effective permissions.

Diagram: Managing guardrails with AWS Organizations and Service Control Policies

Enforcing encryption

  • Enforcing notebook encryption — SageMaker notebook instance EBS volume encryption can be enforced using the sagemaker:VolumeKmsKey condition key.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SageMakerNoteBookEnforceEncryption",
          "Effect": "Deny",
          "Action": [
            "sagemaker:CreateNotebookInstance",
            "sagemaker:UpdateNotebookInstance"
          ],
          "Resource": "*",
          "Condition": {
            "Null": { "sagemaker:VolumeKmsKey": "true" }
          }
        }
      ]
    }
  • Enforcing Studio notebook EFS encryption — The EFS storage encryption for a Studio domain can be enforced using the same sagemaker:VolumeKmsKey condition key.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SageMakerStudioEnforceEncryption",
          "Effect": "Deny",
          "Action": [
            "sagemaker:CreateDomain"
          ],
          "Resource": "*",
          "Condition": {
            "Null": { "sagemaker:VolumeKmsKey": "true" }
          }
        }
      ]
    }
  • Enforcing job encryption — Similarly, volume encryption for SageMaker training jobs, processing jobs, transform jobs, and hyperparameter tuning jobs can be enforced using the sagemaker:VolumeKmsKey condition key.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SageMakerJobEnforceEncryption",
          "Effect": "Deny",
          "Action": [
            "sagemaker:CreateHyperParameterTuningJob",
            "sagemaker:CreateProcessingJob",
            "sagemaker:CreateTrainingJob",
            "sagemaker:CreateTransformJob"
          ],
          "Resource": "*",
          "Condition": {
            "Null": { "sagemaker:VolumeKmsKey": "true" }
          }
        }
      ]
    }
  • Enforcing inter-container traffic encryption — For extremely sensitive distributed training jobs and tuning jobs, the sagemaker:InterContainerTrafficEncryption condition key can be used to require that inter-container traffic is encrypted.

    Note

    Training speed will be negatively impacted when this is enabled.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SageMakerEnforceInterContainerTrafficEncryption",
          "Effect": "Deny",
          "Action": [
            "sagemaker:CreateHyperParameterTuningJob",
            "sagemaker:CreateTrainingJob"
          ],
          "Resource": "*",
          "Condition": {
            "Bool": { "sagemaker:InterContainerTrafficEncryption": "false" }
          }
        }
      ]
    }

Controlling data egress

  • Enforcing deployment in a VPC — To route SageMaker traffic through your VPC, the sagemaker:VpcSubnets and sagemaker:VpcSecurityGroupIds condition keys can be used to require that VPC subnets and security groups are configured for the resource, so the traffic can be managed.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SageMakerEnforceVPCDeployment",
          "Effect": "Deny",
          "Action": [
            "sagemaker:CreateHyperParameterTuningJob",
            "sagemaker:CreateModel",
            "sagemaker:CreateNotebookInstance",
            "sagemaker:CreateProcessingJob",
            "sagemaker:CreateTrainingJob"
          ],
          "Resource": "*",
          "Condition": {
            "Null": {
              "sagemaker:VpcSubnets": "true",
              "sagemaker:VpcSecurityGroupIds": "true"
            }
          }
        }
      ]
    }
  • Enforcing network isolation — Network traffic from the algorithm container can be blocked using the sagemaker:NetworkIsolation condition key.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "NetworkIsolation",
          "Effect": "Deny",
          "Action": [
            "sagemaker:CreateHyperParameterTuningJob",
            "sagemaker:CreateTrainingJob"
          ],
          "Resource": "*",
          "Condition": {
            "Bool": { "sagemaker:NetworkIsolation": "false" }
          }
        }
      ]
    }
  • Restricting access to the SageMaker API and runtime by IP address — You can restrict the IP address ranges allowed to invoke different SageMaker APIs by using the aws:SourceIp condition key.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SageMakerRestrictToIp",
          "Effect": "Deny",
          "Action": [
            "sagemaker:CreateTrainingJob",
            "sagemaker:CreateHyperParameterTuningJob",
            "sagemaker:CreateModel",
            "sagemaker:CreateProcessingJob"
          ],
          "Resource": "*",
          "Condition": {
            "ForAllValues:NotIpAddress": {
              "aws:SourceIp": ["<public IP address>"]
            }
          }
        }
      ]
    }
  • Restricting Studio and notebook pre-signed URLs to IPs — Launching SageMaker Studio or a SageMaker notebook instance can be restricted to specific source IP addresses using aws:SourceIp.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SageMakerStudioRestrictToIp",
          "Effect": "Deny",
          "Action": [
            "sagemaker:CreatePresignedNotebookInstanceUrl",
            "sagemaker:CreatePresignedDomainUrl"
          ],
          "Resource": "*",
          "Condition": {
            "ForAllValues:NotIpAddress": {
              "aws:SourceIp": ["<public IP address>"]
            }
          }
        }
      ]
    }

Disabling internet access

  • Disabling SageMaker notebook internet access — If you want to disable direct internet access at the time the notebook instance is created, you can use the sagemaker:DirectInternetAccess condition key.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SageMakerPreventDirectInternet",
          "Effect": "Deny",
          "Action": "sagemaker:CreateNotebookInstance",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "sagemaker:DirectInternetAccess": [ "Enabled" ]
            }
          }
        }
      ]
    }
  • Disabling Studio domain internet access — For SageMaker Studio, the following condition key may be used to disable internet access from the Studio domain:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SageMakerPreventDirectInternetforStudio",
          "Effect": "Deny",
          "Action": "sagemaker:CreateDomain",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "sagemaker:AppNetworkAccessType": [ "PublicInternetOnly" ]
            }
          }
        }
      ]
    }

Preventing privilege escalation

  • Disabling SageMaker notebook root access — AWS recommends disabling root access to SageMaker notebooks for data scientists and ML engineers. The following policy prevents a user from launching a SageMaker notebook instance unless RootAccess is disabled.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SageMakerDenyRootAccess",
          "Effect": "Deny",
          "Action": [
            "sagemaker:CreateNotebookInstance",
            "sagemaker:UpdateNotebookInstance"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "sagemaker:RootAccess": [ "Enabled" ]
            }
          }
        }
      ]
    }

Enforcing tags

  • Requiring a tag for API calls in the dev environment — The following policy requires an environment tag with the value "dev" to be attached to the SageMaker endpoint when it is created.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SageMakerRequireEnvTag",
          "Effect": "Deny",
          "Action": "sagemaker:CreateEndpoint",
          "Resource": "arn:aws:sagemaker:*:*:endpoint/*",
          "Condition": {
            "StringNotEquals": {
              "aws:RequestTag/environment": "dev"
            }
          }
        }
      ]
    }
  • Requiring a tag for Studio domains in data science accounts — To ensure that administrators appropriately tag Studio domains, kernels, and notebooks on creation, you can use the following policy. For example, for developers in data science accounts inside an OU, a Studio domain created in these accounts should be tagged as follows.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "RequireAppTag",
          "Effect": "Deny",
          "Action": [
            "sagemaker:CreateDomain"
          ],
          "Resource": "*",
          "Condition": {
            "StringNotLike": {
              "aws:RequestTag/Project": "data_science"
            }
          }
        }
      ]
    }

Controlling cost

  • Enforcing instance type for a SageMaker notebook instance — The following policy ensures that only the listed instance types can be used to create a notebook instance.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SageMakerLimitInstanceTypes",
          "Effect": "Deny",
          "Action": "sagemaker:CreateNotebookInstance",
          "Resource": "*",
          "Condition": {
            "ForAnyValue:StringNotLike": {
              "sagemaker:InstanceTypes": [
                "ml.c5.xlarge",
                "ml.m5.xlarge",
                "ml.t3.medium"
              ]
            }
          }
        }
      ]
    }
  • Enforcing instance type for Studio notebooks — The following policy helps enforce the instance types that can be used for SageMaker Studio notebooks.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SageMakerAllowedInstanceTypes",
          "Effect": "Deny",
          "Action": [
            "sagemaker:CreateApp"
          ],
          "Resource": "*",
          "Condition": {
            "ForAnyValue:StringNotLike": {
              "sagemaker:InstanceTypes": [
                "ml.c5.large",
                "ml.m5.large",
                "ml.t3.medium"
              ]
            }
          }
        }
      ]
    }
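Every guardrail on this page is a Deny statement whose condition fires when a protective setting is missing or wrong, so it is worth checking offline how IAM evaluates those conditions before an SCP goes live. The following evaluator is an added example written for this page (not whitepaper or AWS code): it models the Null, String*, and ForAnyValue semantics the statements in the Enforcing encryption and Controlling cost sections rely on, bundles two of those statements into one policy document, and reports which guardrail blocks a given request. The request-context dicts are constructed, and the KMS key ARN used in testing is a placeholder.

```python
"""Offline check of this page's SCP guardrail pattern: for an action and the
condition-key context of a request, which Deny statement (if any) blocks it?"""
import fnmatch

def _match(operator, patterns, value):
    # IAM semantics: a missing key makes positive operators false and negated
    # (...Not...) operators true; Null tests presence itself.
    patterns = [patterns] if isinstance(patterns, str) else patterns
    if operator == "Null":
        return (value is None) == (patterns[0] == "true")
    negated = "Not" in operator
    if value is None:
        return negated
    if operator.endswith("Like"):      # StringLike / StringNotLike, * and ? wildcards
        hit = any(fnmatch.fnmatchcase(value, p) for p in patterns)
    else:                              # StringEquals / StringNotEquals
        hit = value in patterns
    return hit != negated

def _condition_holds(condition, ctx):
    # Every operator block and every key inside it must match (logical AND).
    for op, keymap in condition.items():
        qualifier, _, base = op.rpartition(":")   # e.g. ForAnyValue:StringNotLike
        for key, patterns in keymap.items():
            vals = ctx.get(key)
            if qualifier == "ForAnyValue":         # multivalued key: any value may match
                ok = any(_match(base, patterns, v) for v in vals or [])
            else:
                ok = _match(base, patterns, vals)
            if not ok:
                return False
    return True

def denied_by(policy, action, ctx):
    """Sid of the first Deny statement that blocks the request, else None.
    Resource matching is skipped: every statement modelled here uses "*"."""
    for st in policy["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if (st["Effect"] == "Deny" and any(fnmatch.fnmatchcase(action, a) for a in acts)
                and _condition_holds(st.get("Condition", {}), ctx)):
            return st["Sid"]
    return None

GUARDRAILS = {"Version": "2012-10-17", "Statement": [   # two guardrails from this page
    {"Sid": "SageMakerJobEnforceEncryption", "Effect": "Deny", "Resource": "*",
     "Action": ["sagemaker:CreateTrainingJob", "sagemaker:CreateProcessingJob"],
     "Condition": {"Null": {"sagemaker:VolumeKmsKey": "true"}}},
    {"Sid": "SageMakerLimitInstanceTypes", "Effect": "Deny", "Resource": "*",
     "Action": "sagemaker:CreateNotebookInstance", "Condition": {"ForAnyValue:StringNotLike":
         {"sagemaker:InstanceTypes": ["ml.c5.xlarge", "ml.m5.xlarge", "ml.t3.medium"]}}}]}
```

Feed it the request contexts you expect from your data scientists (a training job without a KMS key, a notebook on a GPU instance) and confirm each is caught by the intended Sid; a multivalued key such as sagemaker:InstanceTypes must be passed as a list.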