
SageMaker Models VPC Settings Configured

Overview

This check verifies that Amazon SageMaker models have VPC (Virtual Private Cloud) settings enabled. When VPC settings are configured, inference containers communicate through your selected VPC rather than traversing public internet paths.

VPC configuration ensures that your model's network traffic stays within your private network, providing an additional layer of security for sensitive machine learning workloads.

Risk

Without VPC isolation, your SageMaker model traffic faces several security risks:

  • Data exposure: Model traffic and inference data can traverse public routes, potentially allowing interception
  • Unauthorized access: Missing security groups and private endpoints weaken access controls
  • Data exfiltration: Compromised containers could potentially exfiltrate data or establish unauthorized command-and-control communications
  • Compliance violations: Many regulatory frameworks require network isolation for sensitive data processing

Remediation Steps

Prerequisites

  • Access to the AWS Console with permissions to manage SageMaker models
  • A VPC with at least one private subnet
  • A security group configured for your model's network requirements

Important: SageMaker models cannot be updated after creation. You must delete and recreate the model with VPC settings enabled.

Required IAM permissions

To perform this remediation, you need the following IAM permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:ListModels",
        "sagemaker:DescribeModel",
        "sagemaker:DeleteModel",
        "sagemaker:CreateModel"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "sagemaker.amazonaws.com"
        }
      }
    }
  ]
}

AWS Console Method

  1. Document the existing model configuration

    • Open the Amazon SageMaker console
    • In the left navigation, choose Inference > Models
    • Select the model that needs VPC configuration
    • Note down all current settings:
      • Container image URI
      • Model artifacts location (S3 path)
      • Execution role ARN
      • Any environment variables
  2. Delete the existing model

    • With the model selected, choose Actions > Delete
    • Confirm the deletion
    • Note: This will not affect any endpoints using this model until they are updated
  3. Create a new model with VPC settings

    • Choose Create model
    • Enter the same Model name (or a new name if preferred)
    • Configure the Container input options with the same settings you documented
    • Under Network, expand the VPC section
    • Select your VPC
    • Choose at least one Subnet (use private subnets for best security)
    • Select one or more Security groups
    • Complete the remaining configuration and choose Create model
  4. Update any dependent resources

    • If endpoints use this model, update them to use the new model

AWS CLI (optional)

List existing models

aws sagemaker list-models \
--region us-east-1 \
--output table

Describe the model to capture its configuration

aws sagemaker describe-model \
--model-name <your-model-name> \
--region us-east-1

Save the output to reference when recreating the model.

Delete the existing model

aws sagemaker delete-model \
--model-name <your-model-name> \
--region us-east-1

Create a new model with VPC configuration

aws sagemaker create-model \
--model-name <your-model-name> \
--execution-role-arn arn:aws:iam::<account-id>:role/<sagemaker-execution-role> \
--primary-container '{
"Image": "<account-id>.dkr.ecr.us-east-1.amazonaws.com/<repository>:<tag>",
"ModelDataUrl": "s3://<bucket-name>/model/model.tar.gz"
}' \
--vpc-config '{
"Subnets": ["subnet-xxxxxxxx", "subnet-yyyyyyyy"],
"SecurityGroupIds": ["sg-xxxxxxxx"]
}' \
--region us-east-1

Replace the placeholders:

  • <your-model-name>: Name for your SageMaker model
  • <account-id>: Your AWS account ID
  • <sagemaker-execution-role>: IAM role for SageMaker execution
  • <repository>:<tag>: Your ECR repository and image tag
  • <bucket-name>: S3 bucket containing model artifacts
  • subnet-xxxxxxxx, subnet-yyyyyyyy: Your private subnet IDs
  • sg-xxxxxxxx: Your security group ID

Optional: Enable network isolation

For additional security, you can enable network isolation which prevents the container from making outbound network calls:

aws sagemaker create-model \
--model-name <your-model-name> \
--execution-role-arn arn:aws:iam::<account-id>:role/<sagemaker-execution-role> \
--primary-container '{
"Image": "<account-id>.dkr.ecr.us-east-1.amazonaws.com/<repository>:<tag>",
"ModelDataUrl": "s3://<bucket-name>/model/model.tar.gz"
}' \
--vpc-config '{
"Subnets": ["subnet-xxxxxxxx", "subnet-yyyyyyyy"],
"SecurityGroupIds": ["sg-xxxxxxxx"]
}' \
--enable-network-isolation \
--region us-east-1
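The describe, delete and recreate steps above, automated with boto3 as an added example (my own code, not Prowler's or AWS's): it takes the saved describe-model output, strips the read-only fields that CreateModel rejects, adds VpcConfig (and optionally EnableNetworkIsolation), and issues the new model. The StubSageMakerClient and the model values inside it are constructed so the example runs offline; pass boto3.client('sagemaker') in its place for a real account.

```python
import copy

# DescribeModel fields that CreateModel does not accept (assumption drawn from the
# two API shapes; ResponseMetadata is boto3's own wrapper around the response).
READ_ONLY_FIELDS = {"ModelArn", "CreationTime", "ResponseMetadata", "DeploymentRecommendation"}

def build_create_model_params(described, subnet_ids, security_group_ids,
                              new_name=None, network_isolation=None):
    """Turn a describe_model() response into create_model() kwargs with VpcConfig added."""
    if not subnet_ids or not security_group_ids:
        raise ValueError("VpcConfig needs at least one subnet and one security group")
    params = {k: copy.deepcopy(v) for k, v in described.items() if k not in READ_ONLY_FIELDS}
    if new_name:
        params["ModelName"] = new_name
    params["VpcConfig"] = {"Subnets": list(subnet_ids), "SecurityGroupIds": list(security_group_ids)}
    if network_isolation is not None:            # the optional --enable-network-isolation flag
        params["EnableNetworkIsolation"] = network_isolation
    return params

def recreate_model_with_vpc(sm, model_name, subnet_ids, security_group_ids,
                            new_name=None, network_isolation=None):
    """Describe, delete (only when the name is reused), then recreate with VpcConfig.
    `sm` is boto3.client('sagemaker') or any object with the same three methods."""
    params = build_create_model_params(sm.describe_model(ModelName=model_name),
                                       subnet_ids, security_group_ids, new_name, network_isolation)
    if not new_name:   # same name: the old, VPC-less model must be deleted first
        sm.delete_model(ModelName=model_name)
    return sm.create_model(**params)

class StubSageMakerClient:
    """Constructed stand-in for the boto3 client so the example runs offline."""
    def __init__(self):
        self.models = {"my-ml-model": {   # constructed describe-model output, no VpcConfig
            "ModelName": "my-ml-model",
            "PrimaryContainer": {"Image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-repo:latest",
                                 "ModelDataUrl": "s3://my-bucket/models/model.tar.gz"},
            "ExecutionRoleArn": "arn:aws:iam::123456789012:role/SageMakerExecutionRole",
            "ModelArn": "arn:aws:sagemaker:us-east-1:123456789012:model/my-ml-model",
            "CreationTime": "2024-01-01T00:00:00+00:00", "EnableNetworkIsolation": False}}
    def describe_model(self, ModelName):
        return copy.deepcopy(self.models[ModelName])
    def delete_model(self, ModelName):
        del self.models[ModelName]
    def create_model(self, **params):
        self.models[params["ModelName"]] = params
        return {"ModelArn": "arn:aws:sagemaker:us-east-1:123456789012:model/" + params["ModelName"]}
```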

CloudFormation (optional)

AWSTemplateFormatVersion: '2010-09-09'
Description: SageMaker Model with VPC configuration for network isolation

Parameters:
  ModelName:
    Type: String
    Description: Name for the SageMaker model
    AllowedPattern: '^[a-zA-Z0-9]([\-a-zA-Z0-9]*[a-zA-Z0-9])?$'
    MaxLength: 63

  ContainerImage:
    Type: String
    Description: ECR image URI for the model container

  ModelDataUrl:
    Type: String
    Description: S3 URI for model artifacts (optional)
    Default: ''

  ExecutionRoleArn:
    Type: String
    Description: IAM role ARN for SageMaker execution

  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Private subnet IDs for the model

  SecurityGroupIds:
    Type: List<AWS::EC2::SecurityGroup::Id>
    Description: Security group IDs for the model

Conditions:
  HasModelData: !Not [!Equals [!Ref ModelDataUrl, '']]

Resources:
  SageMakerModel:
    Type: AWS::SageMaker::Model
    Properties:
      ModelName: !Ref ModelName
      ExecutionRoleArn: !Ref ExecutionRoleArn
      PrimaryContainer:
        Image: !Ref ContainerImage
        ModelDataUrl: !If [HasModelData, !Ref ModelDataUrl, !Ref 'AWS::NoValue']
      VpcConfig:
        Subnets: !Ref SubnetIds
        SecurityGroupIds: !Ref SecurityGroupIds

Outputs:
  ModelName:
    Description: Name of the created SageMaker model
    Value: !Ref SageMakerModel

Deploy the stack

aws cloudformation create-stack \
--stack-name sagemaker-model-vpc \
--template-body file://template.yaml \
--parameters \
ParameterKey=ModelName,ParameterValue=<your-model-name> \
ParameterKey=ContainerImage,ParameterValue=<account-id>.dkr.ecr.us-east-1.amazonaws.com/<repo>:<tag> \
ParameterKey=ModelDataUrl,ParameterValue=s3://<bucket>/model.tar.gz \
ParameterKey=ExecutionRoleArn,ParameterValue=arn:aws:iam::<account-id>:role/<role-name> \
ParameterKey=SubnetIds,ParameterValue='subnet-xxx,subnet-yyy' \
ParameterKey=SecurityGroupIds,ParameterValue=sg-xxx \
--region us-east-1

Terraform (optional)

terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

variable "model_name" {
  description = "Name for the SageMaker model"
  type        = string
}

variable "container_image" {
  description = "ECR image URI for the model container"
  type        = string
}

variable "model_data_url" {
  description = "S3 URI for model artifacts (optional)"
  type        = string
  default     = null
}

variable "execution_role_arn" {
  description = "IAM role ARN for SageMaker execution"
  type        = string
}

variable "subnet_ids" {
  description = "List of private subnet IDs for VPC configuration"
  type        = list(string)
}

variable "security_group_ids" {
  description = "List of security group IDs for VPC configuration"
  type        = list(string)
}

variable "enable_network_isolation" {
  description = "Enable network isolation for the model"
  type        = bool
  default     = false
}

variable "tags" {
  description = "Tags to apply to the model"
  type        = map(string)
  default     = {}
}

resource "aws_sagemaker_model" "this" {
  name               = var.model_name
  execution_role_arn = var.execution_role_arn

  primary_container {
    image          = var.container_image
    model_data_url = var.model_data_url
  }

  vpc_config {
    subnets            = var.subnet_ids
    security_group_ids = var.security_group_ids
  }

  enable_network_isolation = var.enable_network_isolation

  tags = var.tags
}

output "model_name" {
  description = "Name of the SageMaker model"
  value       = aws_sagemaker_model.this.name
}

output "model_arn" {
  description = "ARN of the SageMaker model"
  value       = aws_sagemaker_model.this.arn
}

Example terraform.tfvars

model_name         = "my-ml-model"
container_image    = "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-repo:latest"
model_data_url     = "s3://my-bucket/models/model.tar.gz"
execution_role_arn = "arn:aws:iam::123456789012:role/SageMakerExecutionRole"
subnet_ids         = ["subnet-0123456789abcdef0", "subnet-0123456789abcdef1"]
security_group_ids = ["sg-0123456789abcdef0"]

tags = {
  Environment = "production"
  Project     = "ml-inference"
}

Apply the configuration

terraform init
terraform plan
terraform apply

Verification

After creating the model with VPC settings, verify the configuration:

  1. In the SageMaker console, navigate to Inference > Models
  2. Select your model
  3. In the model details, confirm the VPC section shows your configured VPC, subnets, and security groups

CLI verification

aws sagemaker describe-model \
--model-name <your-model-name> \
--region us-east-1 \
--query 'VpcConfig'

Expected output should show your VPC configuration:

{
  "SecurityGroupIds": ["sg-xxxxxxxx"],
  "Subnets": ["subnet-xxxxxxxx", "subnet-yyyyyyyy"]
}

If the output is null, the model does not have VPC settings configured.
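The same verification for every model in a region, as an added example of the check's logic (my own code, not Prowler's implementation): it pages through ListModels, describes each model, and fails any whose VpcConfig is null or lacks subnets or security groups, noting in passing whether network isolation is on. The FakeSageMaker client is constructed so the example runs offline; pass boto3.client('sagemaker') instead to audit a real account.

```python
def evaluate_model(described):
    """Classify one describe_model() response. Returns (status, reason)."""
    vpc = described.get("VpcConfig") or {}   # null when the model has no VPC settings
    subnets = vpc.get("Subnets") or []
    sgs = vpc.get("SecurityGroupIds") or []
    if not vpc:
        return "FAIL", "no VpcConfig: inference traffic can leave over public routes"
    if not subnets or not sgs:
        return "FAIL", "VpcConfig incomplete: needs subnets and security groups"
    note = "" if described.get("EnableNetworkIsolation") else " (network isolation off)"
    return "PASS", f"{len(subnets)} subnet(s), {len(sgs)} security group(s){note}"

def audit_models(sm):
    """Page through list_models(), describe each model and evaluate it."""
    findings, token = [], None
    while True:
        page = sm.list_models(**({"NextToken": token} if token else {}))
        for summary in page.get("Models", []):
            name = summary["ModelName"]
            status, reason = evaluate_model(sm.describe_model(ModelName=name))
            findings.append({"model": name, "status": status, "reason": reason})
        token = page.get("NextToken")
        if not token:
            return findings

class FakeSageMaker:
    """Constructed stand-in for boto3.client('sagemaker') so this runs offline."""
    MODELS = {
        "vpc-model": {"ModelName": "vpc-model", "EnableNetworkIsolation": True,
                      "VpcConfig": {"Subnets": ["subnet-0123456789abcdef0"],
                                    "SecurityGroupIds": ["sg-0123456789abcdef0"]}},
        "public-model": {"ModelName": "public-model"},   # no VpcConfig key at all
    }

    def list_models(self, NextToken=None, **_):
        # One model per page so the NextToken loop in audit_models is exercised.
        names, i = list(self.MODELS), int(NextToken or 0)
        page = {"Models": [{"ModelName": names[i]}]}
        if i + 1 < len(names):
            page["NextToken"] = str(i + 1)
        return page

    def describe_model(self, ModelName):
        return dict(self.MODELS[ModelName])

if __name__ == "__main__":
    for f in audit_models(FakeSageMaker()):
        print(f"{f['status']:4} {f['model']}: {f['reason']}")
```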

Re-run the Prowler check

prowler aws --checks sagemaker_models_vpc_settings_configured --region us-east-1

Additional Resources

Notes

  • Models cannot be modified: SageMaker models are immutable after creation. To add VPC settings, you must delete and recreate the model.

  • Endpoint impact: Deleting a model does not immediately affect endpoints using it, but you should update endpoints to use the new model.

  • Private subnets recommended: Use private subnets without direct internet access for maximum security. If your model needs to access AWS services, configure VPC endpoints.

  • VPC endpoints: For models that need to access S3 or other AWS services, create VPC endpoints to allow access without traversing the public internet:

    • com.amazonaws.us-east-1.s3 (Gateway endpoint for S3)
    • com.amazonaws.us-east-1.sagemaker.runtime (Interface endpoint for SageMaker runtime)
  • Security group configuration: Configure security groups with the principle of least privilege:

    • Allow only necessary inbound traffic for inference requests
    • Restrict outbound traffic to required destinations (S3, ECR, etc.)
  • Network isolation: Consider enabling --enable-network-isolation for models that do not need to make outbound network calls. This provides additional security but prevents the model from downloading dependencies at runtime.