Medium SageMaker Regional

SageMaker models should have network isolation enabled

FSBP

Description

This control checks whether an Amazon SageMaker AI hosted model has network isolation enabled. The control fails if the EnableNetworkIsolation parameter for the hosted model is set to False. SageMaker AI training and deployed inference containers are internet-enabled by default. If you don't want SageMaker AI to provide external network access to your training or inference containers, you can enable network isolation. If you enable network isolation, no inbound or outbound network calls can be made to or from the model container, including calls to or from other AWS services. Additionally, no AWS credentials are made available to the container runtime environment. Enabling network isolation helps prevent unintended access to your SageMaker AI resources from the internet.


Remediation

Enable network isolation for SageMaker models to restrict network access and prevent unintended exposure.

Steps

  1. Open the Amazon SageMaker console.
  2. Navigate to 'Models' in the left navigation pane.
  3. Select the model that needs remediation.
  4. Click on 'Edit' or 'Update'.
  5. Under 'Network isolation', enable 'Enable network isolation'.
  6. Save the model configuration.
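An API-side companion to these console steps, added here as an example (not code from the control text or from AWS): it evaluates DescribeModel-style responses against the control, names the failing models, and builds the CreateModel request that recreates a failing model with EnableNetworkIsolation set to True. The sample responses, the role ARN and the "-isolated" name suffix are constructed assumptions; boto3 and credentials are only needed for the live audit function.

```python
from typing import Dict, List

def evaluate_model(model: Dict) -> Dict:
    # One DescribeModel-style response in, one finding out. The control fails
    # when EnableNetworkIsolation is False; an absent key is also treated as
    # FAIL (assumption: an unset flag leaves the container internet-enabled).
    isolated = model.get("EnableNetworkIsolation") is True
    reason = ("network isolation enabled" if isolated else
              "container can reach the internet and other AWS services and receives AWS credentials")
    return {"ModelName": model["ModelName"], "Status": "PASS" if isolated else "FAIL", "Reason": reason}

def failing_models(models: List[Dict]) -> List[str]:
    # Names of the models that fail the control, for reporting or remediation.
    return [f["ModelName"] for f in map(evaluate_model, models) if f["Status"] == "FAIL"]

def isolated_create_model_request(model: Dict) -> Dict:
    # EnableNetworkIsolation is set when a model is created, so the API-level
    # remediation is a CreateModel request that recreates the model with the
    # flag on; the "-isolated" name suffix is an assumption for this example.
    request = {
        "ModelName": model["ModelName"] + "-isolated",
        "ExecutionRoleArn": model["ExecutionRoleArn"],
        "EnableNetworkIsolation": True,
    }
    for key in ("PrimaryContainer", "Containers", "VpcConfig"):
        if key in model:
            request[key] = model[key]
    return request

# Constructed sample DescribeModel responses (not data from a real account).
ROLE = "arn:aws:iam::123456789012:role/SageMakerExecutionRole"
SAMPLE_MODELS = [
    {"ModelName": "fraud-scorer", "ExecutionRoleArn": ROLE, "EnableNetworkIsolation": True,
     "PrimaryContainer": {"Image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/scorer:1"}},
    {"ModelName": "churn-model", "ExecutionRoleArn": ROLE, "EnableNetworkIsolation": False,
     "PrimaryContainer": {"Image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/churn:2"}},
]

def audit_region(region: str) -> List[str]:
    # Live variant: describe every model in a region (needs boto3 and AWS credentials).
    import boto3  # imported here so the offline functions above run without it
    sm = boto3.client("sagemaker", region_name=region)
    models = [sm.describe_model(ModelName=m["ModelName"])
              for page in sm.get_paginator("list_models").paginate() for m in page["Models"]]
    return failing_models(models)

if __name__ == "__main__":
    for finding in map(evaluate_model, SAMPLE_MODELS):
        print(finding["Status"], finding["ModelName"], finding["Reason"])
```

Endpoints that reference the original model still need to be pointed at the recreated one, since the replacement model is a separate resource.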

Compliance

FSBP