Enable Network Isolation for SageMaker Models
Overview
This check verifies whether Amazon SageMaker models have network isolation enabled. When network isolation is enabled, SageMaker model containers cannot make outbound network calls during hosting and inference operations. This is a critical security control for protecting sensitive data and preventing unauthorized access.
Risk
Without network isolation, SageMaker model containers can freely communicate with external networks. This creates several security risks:
- Data exfiltration: Malicious or compromised containers could send sensitive inference inputs, outputs, or credentials to external servers
- Malware download: Attackers could retrieve untrusted code or payloads from the internet
- Command and control: Compromised containers could establish covert callbacks to attacker-controlled servers
- Lateral movement: Attackers could use the container as a pivot point to access other resources in your network
This is classified as a High severity finding.
Remediation Steps
Prerequisites
You need:
- Access to the AWS Console with permissions to manage SageMaker models
- The model container image URI (available in Amazon ECR or a compatible registry)
- An IAM execution role for SageMaker
Important: Existing models cannot be modified. You must create a new model with network isolation enabled and update any endpoints that use the old model.
Required IAM permissions
Your IAM user or role needs these permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateModel",
        "sagemaker:DeleteModel",
        "sagemaker:DescribeModel",
        "sagemaker:ListModels",
        "sagemaker:CreateEndpointConfig",
        "sagemaker:UpdateEndpoint",
        "iam:PassRole"
      ],
      "Resource": "*"
    }
  ]
}
AWS Console Method
- Open the Amazon SageMaker console
- In the left navigation, choose Inference > Models
- Click Create model
- Enter a Model name (e.g., my-model-isolated)
- Select or enter the IAM role ARN that SageMaker will use
- In the Container definition section:
  - Enter the Container image URI
  - Check the box for Enable network isolation
- Click Create model
If this model is used by an existing endpoint:
- Go to Inference > Endpoint configurations
- Create a new endpoint configuration that references your new isolated model
- Go to Inference > Endpoints
- Select your endpoint and choose Update endpoint
- Select the new endpoint configuration
- Confirm the update
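The endpoint migration above (new endpoint configuration that references the isolated model, then an endpoint update) can also be scripted. The following is an added example written for this page with boto3, not code from the original guide: the request-building step is a pure function that copies every production variant of the current endpoint configuration and swaps in the isolated model, so it can be checked offline on the constructed sample at the bottom; `migrate_endpoint` is the live sequence and assumes boto3 and AWS credentials are available. The endpoint name, model names and KMS alias in the sample are placeholders.

```python
"""Migrate a SageMaker endpoint to a model that has network isolation enabled.

Added example (not from the original remediation page): it performs the
endpoint-config/update sequence from the console steps with boto3. The request
building is a pure function so it can be checked offline on constructed input.
"""
import copy
from typing import Dict, List

# Fields of a DescribeEndpointConfig response that CreateEndpointConfig also accepts.
_CARRIED_FIELDS = ("DataCaptureConfig", "KmsKeyId")


def build_isolated_endpoint_config(existing_config: Dict, new_config_name: str,
                                   model_map: Dict[str, str]) -> Dict:
    """Return the CreateEndpointConfig request that replaces each variant's model.

    model_map maps the old (non-isolated) model name to the newly created
    isolated model name. Every variant must be covered; otherwise the endpoint
    would keep serving traffic from a model that can still make outbound calls.
    """
    variants: List[Dict] = []
    for variant in existing_config["ProductionVariants"]:
        old_model = variant["ModelName"]
        if old_model not in model_map:
            raise ValueError(f"no isolated replacement for model {old_model!r}")
        new_variant = copy.deepcopy(variant)  # keep instance type, count, weight, etc.
        new_variant["ModelName"] = model_map[old_model]
        variants.append(new_variant)
    request = {"EndpointConfigName": new_config_name, "ProductionVariants": variants}
    for field in _CARRIED_FIELDS:
        if field in existing_config:
            request[field] = copy.deepcopy(existing_config[field])
    return request


def migrate_endpoint(region: str, endpoint_name: str, model_map: Dict[str, str],
                     new_config_name: str) -> str:
    """Create the new endpoint config and point the endpoint at it.

    Needs boto3 and AWS credentials (assumption); imported here so the pure
    function above stays usable without them.
    """
    import boto3

    sm = boto3.client("sagemaker", region_name=region)
    # Refuse to migrate onto a model that is not actually isolated.
    for new_model in model_map.values():
        if not sm.describe_model(ModelName=new_model)["EnableNetworkIsolation"]:
            raise RuntimeError(f"model {new_model} does not have network isolation enabled")
    current = sm.describe_endpoint(EndpointName=endpoint_name)["EndpointConfigName"]
    existing = sm.describe_endpoint_config(EndpointConfigName=current)
    request = build_isolated_endpoint_config(existing, new_config_name, model_map)
    sm.create_endpoint_config(**request)
    # The endpoint reports status 'Updating' for a short period after this call.
    sm.update_endpoint(EndpointName=endpoint_name, EndpointConfigName=new_config_name)
    return new_config_name


# Constructed sample: a trimmed DescribeEndpointConfig response (placeholder names).
SAMPLE_CONFIG = {
    "EndpointConfigName": "prod-config-v1",
    "ProductionVariants": [
        {"VariantName": "AllTraffic", "ModelName": "legacy-model",
         "InitialInstanceCount": 2, "InstanceType": "ml.m5.large",
         "InitialVariantWeight": 1.0},
    ],
    "KmsKeyId": "alias/placeholder-endpoint-key",  # placeholder, not a real key
}
SAMPLE_MODEL_MAP = {"legacy-model": "my-model-isolated"}

if __name__ == "__main__":
    import json
    print(json.dumps(build_isolated_endpoint_config(SAMPLE_CONFIG, "prod-config-v2",
                                                    SAMPLE_MODEL_MAP), indent=2))
```

Run it as-is to see the request that would be sent, or call `migrate_endpoint("us-east-1", "<ENDPOINT_NAME>", {"<OLD_MODEL>": "<NEW_ISOLATED_MODEL>"}, "<NEW_CONFIG_NAME>")` with your own names once the isolated model exists.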
AWS CLI (optional)
Create a Model with Network Isolation
aws sagemaker create-model \
--model-name my-model-isolated \
--execution-role-arn arn:aws:iam::<ACCOUNT_ID>:role/<SAGEMAKER_ROLE> \
--primary-container Image=<ACCOUNT_ID>.dkr.ecr.us-east-1.amazonaws.com/<REPO>:<TAG> \
--enable-network-isolation \
--region us-east-1
Replace:
- <ACCOUNT_ID> with your AWS account ID
- <SAGEMAKER_ROLE> with your SageMaker execution role name
- <REPO>:<TAG> with your container repository and tag
Verify the Model Configuration
aws sagemaker describe-model \
--model-name my-model-isolated \
--region us-east-1 \
--query 'EnableNetworkIsolation'
This should return true.
List All Models and Check Their Network Isolation Status
# Get all model names, then query the isolation flag of each one
aws sagemaker list-models \
  --region us-east-1 \
  --query 'Models[].ModelName' \
  --output text | tr '\t' '\n' | while read model; do
  status=$(aws sagemaker describe-model \
    --model-name "$model" \
    --region us-east-1 \
    --query 'EnableNetworkIsolation' \
    --output text)
  echo "$model: NetworkIsolation=$status"
done
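The same audit that the check in the Overview performs, and that the shell loop above does one model at a time, as an added Python example written for this page (not code from the original guide): the evaluation is a pure function over describe-model responses, so it runs offline on the constructed sample below and produces a pass/fail finding with the High severity the check assigns; `collect_models` is the optional boto3 collection step, which assumes boto3 and credentials and uses the list-models paginator so accounts with more than one page of models are covered.

```python
"""Audit SageMaker models for the EnableNetworkIsolation setting.

Added example (not part of the original check documentation). The pure
evaluation logic runs offline on constructed input; collection from AWS is a
separate, optional step.
"""
from typing import Dict, Iterable, List

HIGH = "High"  # severity the check assigns to a model without isolation


def evaluate_model(model: Dict) -> Dict:
    """Return a finding for one describe_model response.

    SageMaker reports the setting as the boolean field EnableNetworkIsolation.
    A missing field is treated as False (defensive assumption: false is the
    API default when the flag is not set at creation).
    """
    isolated = bool(model.get("EnableNetworkIsolation", False))
    return {
        "model_name": model["ModelName"],
        "network_isolation": isolated,
        "status": "PASS" if isolated else "FAIL",
        "severity": None if isolated else HIGH,
    }


def audit_models(models: Iterable[Dict]) -> List[Dict]:
    """Evaluate every model and return only the failing findings, sorted by name."""
    findings = [evaluate_model(m) for m in models]
    return sorted((f for f in findings if f["status"] == "FAIL"),
                  key=lambda f: f["model_name"])


def collect_models(region: str) -> List[Dict]:
    """Fetch describe_model output for every model in a region.

    Needs boto3 and AWS credentials (assumption); imported here so the pure
    functions above stay importable without it.
    """
    import boto3

    sm = boto3.client("sagemaker", region_name=region)
    descriptions = []
    for page in sm.get_paginator("list_models").paginate():
        for summary in page["Models"]:
            descriptions.append(sm.describe_model(ModelName=summary["ModelName"]))
    return descriptions


# Constructed sample: describe_model responses trimmed to the fields this audit uses.
SAMPLE_MODELS = [
    {"ModelName": "my-model-isolated", "EnableNetworkIsolation": True},
    {"ModelName": "legacy-model", "EnableNetworkIsolation": False},
    {"ModelName": "older-model"},  # flag absent: treated as not isolated
]

if __name__ == "__main__":
    # Replace SAMPLE_MODELS with collect_models("us-east-1") to audit a real account.
    for finding in audit_models(SAMPLE_MODELS):
        print(f"{finding['model_name']}: NetworkIsolation=disabled "
              f"severity={finding['severity']}")
```

Models that appear in the output are the ones that need to be recreated with network isolation enabled and migrated as described in the remediation steps.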
CloudFormation (optional)
AWSTemplateFormatVersion: '2010-09-09'
Description: SageMaker Model with Network Isolation Enabled
Parameters:
  ModelName:
    Type: String
    Description: Name of the SageMaker model
    Default: my-isolated-model
  ExecutionRoleArn:
    Type: String
    Description: ARN of the IAM role that SageMaker can assume
  ContainerImage:
    Type: String
    Description: URI of the Docker image containing inference code
Resources:
  SageMakerModel:
    Type: AWS::SageMaker::Model
    Properties:
      ModelName: !Ref ModelName
      ExecutionRoleArn: !Ref ExecutionRoleArn
      EnableNetworkIsolation: true
      PrimaryContainer:
        Image: !Ref ContainerImage
Outputs:
  ModelName:
    Description: Name of the created SageMaker model
    Value: !Ref SageMakerModel
Deploy the stack:
aws cloudformation create-stack \
--stack-name sagemaker-isolated-model \
--template-body file://template.yaml \
--parameters \
ParameterKey=ModelName,ParameterValue=my-isolated-model \
ParameterKey=ExecutionRoleArn,ParameterValue=arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME> \
ParameterKey=ContainerImage,ParameterValue=<ACCOUNT_ID>.dkr.ecr.us-east-1.amazonaws.com/<REPO>:<TAG> \
--region us-east-1
Terraform (optional)
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "model_name" {
  description = "Name of the SageMaker model"
  type        = string
  default     = "my-isolated-model"
}

variable "execution_role_arn" {
  description = "ARN of the IAM role that SageMaker can assume"
  type        = string
}

variable "container_image" {
  description = "URI of the Docker image containing inference code"
  type        = string
}

resource "aws_sagemaker_model" "isolated_model" {
  name               = var.model_name
  execution_role_arn = var.execution_role_arn

  # Enable network isolation to prevent outbound connections from the container
  enable_network_isolation = true

  primary_container {
    image = var.container_image
  }

  tags = {
    NetworkIsolation = "enabled"
  }
}

output "model_arn" {
  description = "ARN of the created SageMaker model"
  value       = aws_sagemaker_model.isolated_model.arn
}
Apply the configuration:
terraform init
terraform apply \
-var="execution_role_arn=arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>" \
-var="container_image=<ACCOUNT_ID>.dkr.ecr.us-east-1.amazonaws.com/<REPO>:<TAG>"
Verification
After creating your model with network isolation:
- Go to the SageMaker Models console
- Click on your model name
- In the Model settings section, verify that Network isolation shows Enabled
CLI verification
aws sagemaker describe-model \
--model-name my-isolated-model \
--region us-east-1 \
--query 'EnableNetworkIsolation'
Expected output: true
Additional Resources
- Amazon SageMaker Studio Notebooks and Internet Access
- SageMaker CreateModel API Reference
- AWS::SageMaker::Model CloudFormation Resource
- Terraform aws_sagemaker_model Resource
Notes
- Models are immutable: You cannot enable network isolation on an existing model. You must create a new model and migrate any endpoints to use it.
- Endpoint updates cause brief downtime: When updating an endpoint to use a new model, there may be a brief period where the endpoint is updating. Plan accordingly for production workloads.
- Defense in depth: Network isolation is one layer of security. For comprehensive protection, also consider:
  - Deploying endpoints in a private VPC
  - Using security groups to restrict network access
  - Configuring VPC endpoints for AWS services
  - Applying least-privilege IAM policies
  - Monitoring outbound traffic with VPC Flow Logs
- Service traffic is allowed: Even with network isolation enabled, essential service control traffic (such as communication with SageMaker APIs) is permitted. Only user-initiated outbound connections from the container are blocked.