Skip to main content

SageMaker Notebook Instance Root Access Disabled

Overview

This check verifies that Amazon SageMaker notebook instances have root access disabled for users. When root access is enabled, users working within the notebook can gain full administrative privileges on the underlying instance, which violates the principle of least privilege.

Risk

If root access is enabled on a SageMaker notebook instance, the security impact can be severe:

  • Data theft: Users with root access can read secrets, credentials, and copy sensitive training data
  • Code tampering: Malicious actors could modify code, packages, or Jupyter kernels without detection
  • Service disruption: Root users can disable monitoring agents or break the notebook environment
  • Lateral movement: A compromised notebook with root access can be leveraged to move through your AWS infrastructure using the instance's IAM role

Remediation Steps

Prerequisites

  • Access to the AWS Console with permissions to modify SageMaker notebook instances
  • The notebook instance must be stopped before you can change the root access setting
Required IAM permissions

To remediate this issue, you need the following IAM permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:DescribeNotebookInstance",
        "sagemaker:ListNotebookInstances",
        "sagemaker:StopNotebookInstance",
        "sagemaker:UpdateNotebookInstance",
        "sagemaker:StartNotebookInstance"
      ],
      "Resource": "*"
    }
  ]
}

AWS Console Method

  1. Open the Amazon SageMaker console
  2. In the left navigation, click Notebook instances
  3. Find the notebook instance that failed the check
  4. If the instance is running, select it and click Actions > Stop
  5. Wait for the status to change to Stopped
  6. Select the stopped instance and click Actions > Edit
  7. Scroll down to the Permissions and encryption section
  8. Under Root access, select Disabled
  9. Click Update notebook instance
  10. Once updated, click Actions > Start to restart the notebook
AWS CLI (optional)

List notebook instances to find affected resources

aws sagemaker list-notebook-instances \
    --region us-east-1 \
    --output table

Check current root access setting for a specific notebook

aws sagemaker describe-notebook-instance \
    --notebook-instance-name <your-notebook-name> \
    --region us-east-1 \
    --query '{Name: NotebookInstanceName, Status: NotebookInstanceStatus, RootAccess: RootAccess}'

Stop the notebook instance (required before updating)

aws sagemaker stop-notebook-instance \
    --notebook-instance-name <your-notebook-name> \
    --region us-east-1

Wait for the instance to stop

aws sagemaker wait notebook-instance-stopped \
    --notebook-instance-name <your-notebook-name> \
    --region us-east-1

Disable root access

aws sagemaker update-notebook-instance \
    --notebook-instance-name <your-notebook-name> \
    --root-access Disabled \
    --region us-east-1

Restart the notebook instance

aws sagemaker start-notebook-instance \
    --notebook-instance-name <your-notebook-name> \
    --region us-east-1
CloudFormation (optional)

Use this CloudFormation template to create a new SageMaker notebook instance with root access disabled:

AWSTemplateFormatVersion: '2010-09-09'
Description: SageMaker Notebook Instance with Root Access Disabled

Parameters:
  NotebookInstanceName:
    Type: String
    Description: Name for the SageMaker notebook instance
    Default: my-secure-notebook

  InstanceType:
    Type: String
    Description: ML instance type for the notebook
    Default: ml.t3.medium
    AllowedValues:
      - ml.t3.medium
      - ml.t3.large
      - ml.t3.xlarge
      - ml.m5.xlarge
      - ml.m5.2xlarge

Resources:
  SageMakerExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: sagemaker.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSageMakerReadOnly

  SecureNotebookInstance:
    Type: AWS::SageMaker::NotebookInstance
    Properties:
      NotebookInstanceName: !Ref NotebookInstanceName
      InstanceType: !Ref InstanceType
      RoleArn: !GetAtt SageMakerExecutionRole.Arn
      RootAccess: Disabled
      DirectInternetAccess: Disabled

Outputs:
  NotebookInstanceArn:
    Description: ARN of the SageMaker Notebook Instance
    Value: !Ref SecureNotebookInstance

Key property: Set RootAccess: Disabled in the AWS::SageMaker::NotebookInstance resource.

Deploy the stack:

aws cloudformation deploy \
    --template-file template.yaml \
    --stack-name secure-sagemaker-notebook \
    --capabilities CAPABILITY_IAM \
    --region us-east-1
Terraform (optional)

Use this Terraform configuration to create a SageMaker notebook instance with root access disabled:

terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

variable "notebook_instance_name" {
  description = "Name for the SageMaker notebook instance"
  type        = string
  default     = "my-secure-notebook"
}

variable "instance_type" {
  description = "ML instance type for the notebook"
  type        = string
  default     = "ml.t3.medium"
}

data "aws_iam_policy_document" "sagemaker_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["sagemaker.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "sagemaker_execution_role" {
  name               = "${var.notebook_instance_name}-execution-role"
  assume_role_policy = data.aws_iam_policy_document.sagemaker_assume_role.json
}

resource "aws_iam_role_policy_attachment" "sagemaker_readonly" {
  role       = aws_iam_role.sagemaker_execution_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSageMakerReadOnly"
}

resource "aws_sagemaker_notebook_instance" "secure_notebook" {
  name                    = var.notebook_instance_name
  instance_type           = var.instance_type
  role_arn                = aws_iam_role.sagemaker_execution_role.arn
  root_access             = "Disabled"
  direct_internet_access  = "Disabled"

  tags = {
    Environment = "production"
    Security    = "hardened"
  }
}

output "notebook_instance_arn" {
  description = "ARN of the SageMaker Notebook Instance"
  value       = aws_sagemaker_notebook_instance.secure_notebook.arn
}

Key property: Set root_access = "Disabled" in the aws_sagemaker_notebook_instance resource.

Apply the configuration:

terraform init
terraform plan
terraform apply

Verification

After making changes, verify that root access is now disabled:

  1. In the AWS Console, go to SageMaker > Notebook instances
  2. Click on the notebook instance name to view its details
  3. Under Permissions and encryption, confirm that Root access shows Disabled
Verify with AWS CLI
aws sagemaker describe-notebook-instance \
    --notebook-instance-name <your-notebook-name> \
    --region us-east-1 \
    --query 'RootAccess'

The output should be:

"Disabled"

Additional Resources

Notes

  • Downtime required: The notebook instance must be stopped to change the root access setting. Plan for a brief interruption if the notebook is actively in use.
  • User impact: Users will no longer be able to install system-level packages with sudo. Provide necessary packages through:
    • Custom SageMaker images with pre-installed software
    • Lifecycle configuration scripts that run at instance startup
    • Conda environments for Python packages (which do not require root)
  • Existing notebooks: This change only affects new terminal sessions. Existing notebooks and code will continue to work normally.
  • New instances: For new notebook instances, always set root access to disabled from the start. Consider using Service Control Policies (SCPs) to enforce this at the organization level.