Compliance Medium severity

AWS Security Hub · SageMaker

SageMaker.5: Models should have network isolation enabled

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub SageMaker.5 check?

SageMaker.5 fails when a model has `EnableNetworkIsolation` set to false. Despite its old title ("models should block inbound traffic"), the check inspects this single boolean on the model, not security groups or VPC rules.

Why does SageMaker.5 matter?

Without network isolation an inference container can reach the internet and AWS APIs at runtime, so a compromised or malicious image can call out, pull payloads or exfiltrate data. Isolation withholds outbound connectivity — and the container's AWS credentials — so even a hostile container has nothing to call with.

How do I fix SageMaker.5?

  1. Audit models with the CLI and check `EnableNetworkIsolation` to find the ones set to false.
  2. Because the flag is immutable, recreate each model with isolation enabled — you cannot edit it in place.
  3. Cut the endpoint over to the new, isolated model via a new endpoint configuration.
  4. Make `EnableNetworkIsolation=true` the default in your model templates and IaC so the finding does not recur.
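Steps 1 to 3 as AWS CLI helper functions. This is an added example, not Emnode's own script. It assumes single-container models (a `PrimaryContainer` and no `VpcConfig`); the `-isolated` and `-cfg` name suffixes, the `AllTraffic` variant name and the instance count of 1 are illustrative choices.

```shell
#!/usr/bin/env bash
# Added example: audit, recreate and cut over models for SageMaker.5.
# Assumes single-container models; name suffixes below are hypothetical.

# Step 1: print every model whose EnableNetworkIsolation is not True.
non_isolated_models() {
  local m iso
  for m in $(aws sagemaker list-models \
      --query 'Models[].ModelName' --output text); do
    iso=$(aws sagemaker describe-model --model-name "$m" \
      --query 'EnableNetworkIsolation' --output text)
    [ "$iso" = "True" ] || echo "$m"
  done
}

# Step 2: the flag is immutable, so clone the model under a new name
# with isolation switched on. Prints the new model name.
recreate_isolated() {
  local src dst role container
  src="$1"
  dst="${src}-isolated"
  role=$(aws sagemaker describe-model --model-name "$src" \
    --query 'ExecutionRoleArn' --output text)
  container=$(aws sagemaker describe-model --model-name "$src" \
    --query 'PrimaryContainer' --output json)
  aws sagemaker create-model --model-name "$dst" \
    --execution-role-arn "$role" \
    --primary-container "$container" \
    --enable-network-isolation >/dev/null
  echo "$dst"
}

# Step 3: point an endpoint at the new model through a new endpoint
# configuration. Prints the new configuration name.
cut_over() {
  local endpoint model itype cfg
  endpoint="$1"; model="$2"; itype="$3"
  cfg="${model}-cfg"
  aws sagemaker create-endpoint-config --endpoint-config-name "$cfg" \
    --production-variants \
    "VariantName=AllTraffic,ModelName=$model,InitialInstanceCount=1,InstanceType=$itype" \
    >/dev/null
  aws sagemaker update-endpoint --endpoint-name "$endpoint" \
    --endpoint-config-name "$cfg" >/dev/null
  echo "$cfg"
}
```

Run `non_isolated_models` first and review the list before recreating anything; delete the old model and endpoint configuration only after the endpoint reports the new configuration in service.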

Remediation script · bash

```bash
# This script hardens notebook instances (root access, direct internet access);
# it does not set EnableNetworkIsolation on models.

# Disable root across every notebook that has it on (mutable on a stopped instance).
for n in $(aws sagemaker list-notebook-instances \
    --query 'NotebookInstances[].NotebookInstanceName' --output text); do
  root=$(aws sagemaker describe-notebook-instance --notebook-instance-name "$n" \
    --query 'RootAccess' --output text)
  if [ "$root" = "Enabled" ]; then
    aws sagemaker stop-notebook-instance --notebook-instance-name "$n"
    aws sagemaker wait notebook-instance-stopped --notebook-instance-name "$n"
    aws sagemaker update-notebook-instance --notebook-instance-name "$n" --root-access Disabled
    # The update leaves the instance in Updating; wait for Stopped before starting it.
    aws sagemaker wait notebook-instance-stopped --notebook-instance-name "$n"
    aws sagemaker start-notebook-instance --notebook-instance-name "$n"
    echo "$n: root access disabled"
  fi
done

# Immutable settings need a rebuild. Recreate a notebook locked down: private subnet,
# no direct internet. (DirectInternetAccess and SubnetId cannot be changed in place.)
aws sagemaker create-notebook-instance \
  --notebook-instance-name ml-feature-exploration \
  --instance-type ml.t3.medium \
  --role-arn arn:aws:iam::111122223333:role/SageMakerExecution \
  --subnet-id subnet-0ab12cd34ef56 \
  --security-group-ids sg-0aa11bb22cc33 \
  --direct-internet-access Disabled \
  --root-access Disabled
```

Full walkthrough (console steps, edge cases and verification) in the lesson Harden SageMaker and ML workloads.

Part of the learning path Lock down access