Compliance · High severity

AWS Security Hub · SageMaker

SageMaker.1: A SageMaker notebook has direct internet access

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub SageMaker.1 check?

SageMaker.1 fails when a notebook instance has `DirectInternetAccess` enabled. A notebook created without an explicit VPC subnet gets this turned on by default so it works out of the box for `pip install` and pulling model artifacts.

Why does SageMaker.1 matter?

A notebook is a Linux box carrying an IAM execution role, often with read access to your data lake. Direct internet access turns it into a clean exfiltration path: anyone who can run code in the notebook can post your training data straight out, bypassing the network controls you own elsewhere.

How do I fix SageMaker.1?

  1. List notebook instances and check the `DirectInternetAccess` value to find the failing ones.
  2. Note that the setting is immutable — there is no in-place fix, so plan a stop, delete and recreate.
  3. Recreate each notebook in a private subnet with `DirectInternetAccess` disabled, reaching the internet via a NAT gateway or PrivateLink endpoints.
  4. Add an SCP or Config rule so new notebooks cannot be created with direct internet access.

Remediation script · bash

# Report every notebook that fails SageMaker.1 (DirectInternetAccess cannot be changed in
# place, so those need the rebuild below) and disable root access where it is on.
# RootAccess is mutable, but only while the instance is stopped.
for n in $(aws sagemaker list-notebook-instances \
    --query 'NotebookInstances[].NotebookInstanceName' --output text); do
  read -r status root dia < <(aws sagemaker describe-notebook-instance \
    --notebook-instance-name "$n" \
    --query '[NotebookInstanceStatus, RootAccess, DirectInternetAccess]' --output text)
  if [ "$dia" = "Enabled" ]; then
    echo "$n: DirectInternetAccess enabled (SageMaker.1 FAILED) - recreate, see below"
  fi
  if [ "$root" = "Enabled" ]; then
    case "$status" in
      InService)
        aws sagemaker stop-notebook-instance --notebook-instance-name "$n"
        aws sagemaker wait notebook-instance-stopped --notebook-instance-name "$n" ;;
      Stopped) ;;
      *) echo "$n: status $status, skipping"; continue ;;
    esac
    aws sagemaker update-notebook-instance --notebook-instance-name "$n" --root-access Disabled
    # The update is asynchronous; the instance is Updating until it returns to Stopped.
    aws sagemaker wait notebook-instance-stopped --notebook-instance-name "$n"
    [ "$status" = "InService" ] && aws sagemaker start-notebook-instance --notebook-instance-name "$n"
    echo "$n: root access disabled"
  fi
done

# Immutable settings need a rebuild. Recreate a notebook locked down: private subnet,
# no direct internet. (DirectInternetAccess and SubnetId cannot be changed in place.)
aws sagemaker create-notebook-instance \
  --notebook-instance-name ml-feature-exploration \
  --instance-type ml.t3.medium \
  --role-arn arn:aws:iam::111122223333:role/SageMakerExecution \
  --subnet-id subnet-0ab12cd34ef56 \
  --security-group-ids sg-0aa11bb22cc33 \
  --direct-internet-access Disabled \
  --root-access Disabled

Full walkthrough (console steps, edge cases and verification) in the lesson Harden SageMaker and ML workloads.
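The triage logic behind steps 1, 2 and 4, as an added example that is not part of the original lesson: it classifies `describe-notebook-instance` output into "passes", "needs an in-place update" or "needs a rebuild", and emits the SCP that blocks new notebooks from being created with direct internet access. The notebook records are constructed (hypothetical names and IDs), and the `sagemaker:DirectInternetAccess` condition key is assumed from the AWS Service Authorization Reference rather than taken from the page.

```python
import json

# Constructed sample: trimmed outputs of `aws sagemaker describe-notebook-instance`.
# Names, subnet IDs and states are hypothetical, not real resources.
SAMPLE_NOTEBOOKS = [
    {"NotebookInstanceName": "ml-feature-exploration", "NotebookInstanceStatus": "InService",
     "DirectInternetAccess": "Enabled", "RootAccess": "Enabled"},
    {"NotebookInstanceName": "fraud-model-dev", "NotebookInstanceStatus": "Stopped",
     "DirectInternetAccess": "Disabled", "SubnetId": "subnet-0ab12cd34ef56",
     "RootAccess": "Enabled"},
    {"NotebookInstanceName": "batch-scoring", "NotebookInstanceStatus": "InService",
     "DirectInternetAccess": "Disabled", "SubnetId": "subnet-0ab12cd34ef56",
     "RootAccess": "Disabled"},
]

# Settings that update-notebook-instance cannot change: a bad value here means
# stop, delete and recreate (step 2).
IMMUTABLE = ("DirectInternetAccess", "SubnetId")


def assess(desc):
    """Return the SageMaker.1 verdict and the remediation kind for one notebook."""
    fails = desc.get("DirectInternetAccess") == "Enabled"
    actions = []
    if fails:
        actions.append("recreate in a private subnet with DirectInternetAccess=Disabled")
    if desc.get("RootAccess") == "Enabled":
        # Mutable setting: fix in place, stopping the instance first if it is InService.
        actions.append("update-notebook-instance --root-access Disabled")
    return {
        "name": desc["NotebookInstanceName"],
        "sagemaker_1": "FAILED" if fails else "PASSED",
        "needs_recreate": fails,
        "actions": actions,
    }


def failing_names(descs):
    """Step 1: the notebooks Security Hub will flag under SageMaker.1."""
    return [a["name"] for a in map(assess, descs) if a["needs_recreate"]]


def deny_direct_internet_scp():
    """Step 4: SCP denying CreateNotebookInstance unless DirectInternetAccess is Disabled.

    StringNotEquals also matches when the key is absent from the request, so a call
    that omits the parameter (and would default to Enabled) is denied as well.
    Condition key name assumed from the AWS Service Authorization Reference.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyNotebookDirectInternet",
            "Effect": "Deny",
            "Action": "sagemaker:CreateNotebookInstance",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"sagemaker:DirectInternetAccess": "Disabled"}
            },
        }],
    }


if __name__ == "__main__":
    for desc in SAMPLE_NOTEBOOKS:
        print(json.dumps(assess(desc)))
    print(json.dumps(deny_direct_internet_scp(), indent=2))
```

Feed it real `describe-notebook-instance` JSON (one object per notebook) and the `needs_recreate` flag separates the rebuild list from the notebooks that only need a root-access update; the SCP document can be written to a file and attached with `aws organizations create-policy --type SERVICE_CONTROL_POLICY`.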

Is SageMaker.1 a false positive?

Teams assume a locked-down notebook can no longer reach the internet at all, but NAT gateways or VPC endpoints still let it `pip install` and pull artifacts — it just routes through your network instead of bypassing it.

Part of the learning path Lock down access