🛡️ AWS SageMaker Notebook Instance Root Access is not disabled🟢

Contextual name: 🛡️ Notebook Instance Root Access is not disabled🟢
ID: /ce/ca/aws/sagemaker/disable-notebook-instance-root-access
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS SageMaker Notebook Instance
- 🔌 AWS SageMaker Notebook Instance - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [SageMaker.3] Users should not have root access to SageMaker notebook instances

Description

Description

This policy identifies AWS SageMaker Notebook Instances that have Root Access enabled. When root access is enabled, notebook users are granted administrative privileges, allowing unrestricted access to the underlying operating system and file system.

Rationale

By default, SageMaker notebook instances allow root access. While this can be convenient, it introduces increased security risk for the following reasons:

Users can install unauthorized software or modify system-level configurations.

If a notebook user’s credentials or session are compromised, an attacker could gain full administrative control over the instance.

Root access can be used to bypass security controls or interfere with monitoring and logging mechanisms.

Disabling root access enforces the principle of least privilege, ensuring users have only the permissions required to perform their data science tasks.

Impact

When root access is disabled, users cannot execute commands that require sudo. This may limit the ability to install system-level packages interactively. To address this, it is recommended to use Lifecycle Configurations to perform approved system setup and package installations in a controlled manner.

... see more

Remediation

Open File

Remediation

Disable Root Access for SageMaker Notebook Instances

To remediate this finding, disable Root Access on the affected AWS SageMaker Notebook Instance. AWS requires the notebook instance to be stopped before modifying the root access configuration.

From Command Line
Stop the Notebook Instance
aws sagemaker stop-notebook-instance \
    --notebook-instance-name {{notebook-instance-name}}
Disable Root Access
aws sagemaker update-notebook-instance \
    --notebook-instance-name {{notebook-instance-name}} \
    --root-access Disabled
Restart the Notebook Instance
aws sagemaker start-notebook-instance \
    --notebook-instance-name {{notebook-instance-name}}
Notes

Disabling root access enforces the principle of least privilege and reduces the risk of unauthorized system-level changes.

If system-level packages or configurations are required, use Lifecycle Configurations to perform approved setup tasks in a controlled and auditable manner.

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SageMaker.3] Users should not have root access to SageMaker AI notebook instances			1	no data
💼 Cloudaware Framework → 💼 Secure Access			70	no data
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			25	no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	74	no data
💼 FedRAMP High Security Controls → 💼 AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H)		1	6	no data
💼 FedRAMP High Security Controls → 💼 AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions (M)(H)		1	5	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			25	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		74	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H)			6	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions (M)(H)			5	no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			131	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management		4	25	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			29	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control			20	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	67	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(2) Least Privilege _ Non-privileged Access for Nonsecurity Functions		4	6	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(10) Least Privilege _ Prohibit Non-privileged Users from Executing Privileged Functions			4	no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Impact​

Remediation​

Remediation​

Disable Root Access for SageMaker Notebook Instances​

From Command Line​

Notes​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Impact

Remediation

Remediation

Disable Root Access for SageMaker Notebook Instances

From Command Line

Notes

policy.yaml

Linked Framework Sections