💼 [SageMaker.1] Amazon SageMaker AI notebook instances should not have direct internet access

Contextual name: 💼 [SageMaker.1] Amazon SageMaker AI notebook instances should not have direct internet access
ID: /frameworks/aws-fsbp-v1.0.0/sagemaker/01
Located in: 💼 SageMaker

Description

If you configure your SageMaker AI instance without a VPC, then by default direct internet access is enabled on your instance. You should configure your instance with a VPC and change the default setting to Disable—Access the internet through a VPC. To train or host models from a notebook, you need internet access. To enable internet access, your VPC must have either an interface endpoint (AWS PrivateLink) or a NAT gateway and a security group that allows outbound connections.

Similar

AWS Security Hub
- https://docs.aws.amazon.com/securityhub/latest/userguide/sagemaker-controls.html#sagemaker-1
Internal
- ID: dec-c-37e9b15e

Similar Sections (Give Policies To)

Section	Sub Sections	Internal Rules	Policies
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	4	17
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			7
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	61	73
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		35	39
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	21	26
💼 NIST SP 800-53 Revision 5 → 💼 AC-21 Information Sharing	2		2
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	5	33
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(3) Boundary Protection _ Access Points			2
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			17
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			7
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic			15
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components			16
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(20) Boundary Protection _ Dynamic Isolation and Segregation			2
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection _ Isolation of System Components			16
💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.		10	14
💼 PCI DSS v3.2.1 → 💼 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.		7	8
💼 PCI DSS v3.2.1 → 💼 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.			8
💼 PCI DSS v3.2.1 → 💼 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.			4
💼 PCI DSS v3.2.1 → 💼 1.3.6 Place system components that store cardholder data in an internal network zone, segregated from the DMZ and other untrusted networks.			3
💼 PCI DSS v4.0.1 → 💼 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.			3

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags

Description​

Similar​

Similar Sections (Give Policies To)​

Sub Sections​

Description

Similar

Similar Sections (Give Policies To)

Sub Sections