Proactively Enforcing Secure Amazon SageMaker Notebook Deployments with AWS Control Tower

Introduction

When building and experimenting with machine learning components, iteration speed matters, but so does security. Data scientists often launch Amazon SageMaker notebook instances quickly to test ideas, but omit critical configuration details such as restricting internet access. If left unchecked, these defaults can expose sensitive workloads to unnecessary risks. Misconfigured notebooks not only increase the attack surface but can also lead to compliance violations if sensitive data is processed outside of controlled network boundaries. Ensuring secure configurations at the point of deployment helps teams innovate responsibly while maintaining organizational trust and regulatory alignment.

AWS Control Tower proactive controls help organizations ensure security and compliance are built into every deployment, without slowing down innovation. By checking resources before they’re created, proactive controls can block misconfigured deployments from ever reaching production. In this post, we’ll show you how to use AWS Control Tower proactive controls, implemented with AWS CloudFormation hooks, to verify that your SageMaker AI notebook instances are launched without direct internet access, helping you balance agility with governance.

Proactive Controls for SageMaker Security

AWS Control Tower provides multiple types of controls to help you govern your environment, but proactive controls are unique in that they validate resources before they’re deployed. Unlike detective controls, which monitor after the fact, proactive controls prevent misconfigured resources from ever being provisioned. These controls are optional and are implemented using AWS CloudFormation hooks managed by AWS Control Tower. CloudFormation hooks let you embed logic that inspects a resource’s configuration during stack operations to confirm it aligns with your organization’s best practices for security, operations or cost optimization [1]. In practice, proactive controls work through preCreate and preUpdate hook handlers, ensuring that only compliant infrastructure is launched or modified in your accounts [2].

AWS Control Tower supports proactive controls for a wide range of AWS services. Specifically for Amazon SageMaker, AWS Control Tower provides the CT.SAGEMAKER.PR.1 proactive control. This control enforces that the DirectInternetAccess property on a notebook instance is set to Disabled. By default, SageMaker notebooks allow direct internet access when not associated with a VPC, which can create an unmonitored traffic flow outside your secured environment. With this control enabled, any attempt to launch a notebook with direct internet access will fail CloudFormation validation, ensuring that data science work happens inside your controlled network. Once the notebook instance is associated with your VPC, any outbound traffic to the internet, whether for downloading machine learning libraries, retrieving pre-trained models or installing software packages, must flow through your managed network path. This allows you to apply inspection and monitoring using AWS services such as AWS Network Firewall for deep packet inspection [3], Amazon VPC Traffic Mirroring for copying the network traffic and sending it out to monitoring and security appliances [4] and Amazon GuardDuty for continuous threat detection. You can also route outbound traffic through a NAT gateway to centralize internet egress, apply security group and NACL rules for fine-grained filtering and utilise VPC Flow Logs to gain visibility into connections. These capabilities transform SageMaker notebook traffic from uncontrolled internet access into governed, auditable and secure network flows.

According to the AWS Docs, in order to remain compliant with the control, you would need to “associate the notebook instance with a private subnet that has access to the internet, through a default route to a NAT gateway instance. Also, be sure that the security groups assigned to the notebook instance, and the network access control list (NACL) of the private subnet, allow outbound traffic to the internet” [5].

For example, the following CloudFormation resource definition of a SageMaker notebook instance is compliant with the control, so the stack creation succeeds:

    SageMakerNoteBookInstance:
      Type: AWS::SageMaker::NotebookInstance
      Properties:
        InstanceType: ml.t2.small
        RoleArn: !GetAtt IAMRole.Arn
        # Required by CT.SAGEMAKER.PR.1
        DirectInternetAccess: Disabled
        SubnetId: !ImportValue MLPrivateSubnetID
        # SecurityGroupIds takes a list of security group IDs
        SecurityGroupIds:
          - !ImportValue MLSecurityGroupID

However, the following definition violates the rules defined in the proactive control, and the stack operation fails:

    SageMakerNoteBookInstance:
      Type: AWS::SageMaker::NotebookInstance
      Properties:
        InstanceType: ml.t2.small
        RoleArn: !GetAtt IAMRole.Arn
        # Non-compliant: direct internet access is enabled
        DirectInternetAccess: Enabled

This approach provides multiple benefits. First, it ensures consistency: every notebook instance across all your AWS accounts must comply with the same baseline security standard. Second, it prevents security violations before they happen, rather than relying solely on detective controls after resources are deployed. Finally, it aligns your machine learning infrastructure with industry frameworks and standards that require strict network isolation for workloads handling sensitive and personally identifiable data.
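A pre-deployment check in the spirit of CT.SAGEMAKER.PR.1, as an added example (not code from the original post or from AWS Control Tower): it scans the JSON form of a CloudFormation template and reports notebook instances whose DirectInternetAccess is not literally Disabled. The sample template, logical IDs and finding messages are constructed for illustration; the SubnetId check assumes the SageMaker requirement that Disabled is only accepted together with a subnet.

```python
import json

NOTEBOOK = "AWS::SageMaker::NotebookInstance"
ROLE = {"Fn::GetAtt": ["IAMRole", "Arn"]}

# Constructed sample: JSON form of the two definitions above, plus notebooks
# that omit the property, parameterise it, or disable it without a subnet.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "Compliant": {"Type": NOTEBOOK, "Properties": {
        "InstanceType": "ml.t2.small", "RoleArn": ROLE,
        "DirectInternetAccess": "Disabled",
        "SubnetId": {"Fn::ImportValue": "MLPrivateSubnetID"},
        "SecurityGroupIds": [{"Fn::ImportValue": "MLSecurityGroupID"}]}},
    "Enabled": {"Type": NOTEBOOK, "Properties": {
        "InstanceType": "ml.t2.small", "RoleArn": ROLE,
        "DirectInternetAccess": "Enabled"}},
    "Defaulted": {"Type": NOTEBOOK, "Properties": {
        "InstanceType": "ml.t2.small", "RoleArn": ROLE}},
    "Parameterised": {"Type": NOTEBOOK, "Properties": {
        "InstanceType": "ml.t2.small", "RoleArn": ROLE,
        "DirectInternetAccess": {"Ref": "AccessParam"}}},
    "NoSubnet": {"Type": NOTEBOOK, "Properties": {
        "InstanceType": "ml.t2.small", "RoleArn": ROLE,
        "DirectInternetAccess": "Disabled"}},
    "IAMRole": {"Type": "AWS::IAM::Role", "Properties": {}},
}})


def check_notebooks(template_text):
    """Return {logical_id: finding} for notebook instances needing attention."""
    findings = {}
    resources = json.loads(template_text).get("Resources") or {}
    for logical_id, resource in resources.items():
        if not isinstance(resource, dict) or resource.get("Type") != NOTEBOOK:
            continue  # only notebook instances are in scope
        props = resource.get("Properties") or {}
        access = props.get("DirectInternetAccess")
        if access is None:
            findings[logical_id] = "property absent: direct internet access stays on"
        elif isinstance(access, dict):
            findings[logical_id] = "set via intrinsic function: resolve and review"
        elif access != "Disabled":
            findings[logical_id] = f"DirectInternetAccess is {access!r}"
        elif "SubnetId" not in props:
            findings[logical_id] = "Disabled needs a SubnetId to be deployable"
    return findings


if __name__ == "__main__":
    for name, reason in check_notebooks(SAMPLE_TEMPLATE).items():
        print(f"{name}: {reason}")
```

Running a check like this in CI gives authors feedback before the hook rejects the stack; it complements the proactive control and does not replace it.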

The following diagram showcases an example architecture of applying deep packet inspection of all outbound traffic to the internet from the notebook instances (through multiple VPCs).

Figure 1. DPI of SageMaker notebook instances’ outbound traffic

What This Means for You

With proactive controls in AWS Control Tower, you can move faster without compromising security. For data scientists, this means they can continue to spin up notebook instances and focus on experimentation, knowing that the right configurations are enforced automatically. For platform and security teams, this means governance at scale without compromising on security standards and no more chasing down misconfigured notebooks after they’re in use. This is especially critical when training or testing machine learning models on sensitive datasets such as medical records, financial transaction logs or other types of personally identifiable information. In these scenarios, you want to be confident that no accidental data leakage occurs through unsecured internet traffic. By forcing notebook instances into a VPC and routing their outbound traffic through monitored and controlled channels, you gain the ability to inspect, audit and detect unusual behavior. This adds an extra layer of assurance that data remains protected while researchers and engineers continue their work at full speed.

If your organization is pursuing compliance with frameworks like ISO 27001 or SOC 2, controls like CT.SAGEMAKER.PR.1 also help you demonstrate adherence to requirements for restricted network access. Instead of reviewing every notebook instance manually, you can rely on proactive guardrails to enforce these requirements at the point of creation.

What’s Next

Proactive controls exist across a wide range of AWS services, making it easier to enforce consistent governance policies across your cloud environment. Within SageMaker alone, apart from the control examined here on disabling direct internet access, there is also a control that disallows root access to the filesystem of notebook instances, which prevents unauthorized file modifications [5].

If you want to explore how proactive controls can strengthen your machine learning environment, check out the AWS Control Tower documentation on proactive controls [2] and experiment with the SageMaker examples provided. You can also start by enabling CT.SAGEMAKER.PR.1 in your Control Tower environment and testing it against your existing CloudFormation templates. By combining the flexibility of SageMaker with the governance of Control Tower, you can empower your teams to innovate quickly while staying secure by design.

If you’d like to explore how this pattern can fit into the specific requirements of your environment, let’s talk and create the most optimal solution!


References

[1] “What are AWS CloudFormation Hooks?”, AWS Docs, https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/what-is-cloudformation-hooks.html

[2] “Proactive controls”, AWS Docs, https://docs.aws.amazon.com/controltower/latest/controlreference/proactive-controls.html

[3] Shiva Vaidyanathan and Brandon Carroll, “TLS inspection configuration for encrypted traffic and AWS Network Firewall”, AWS Blogs, 04 Apr 2023, https://aws.amazon.com/blogs/security/tls-inspection-configuration-for-encrypted-traffic-and-aws-network-firewall/

[4] “What is Traffic Mirroring?”, AWS Docs, https://docs.aws.amazon.com/vpc/latest/mirroring/what-is-traffic-mirroring.html

[5] “Amazon SageMaker AI controls”, AWS Docs, https://docs.aws.amazon.com/controltower/latest/controlreference/sagemaker-rules.html

August 25, 2025
