SageMaker notebook root access
Check ID: aws-sagemaker-001
AWS-SAGEMAKER-001 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. Checks if SageMaker notebook instances have root access disabled. Root access allows users to install packages and modify the operating system, increasing the attack surface.
Why it matters
SageMaker notebook instances with root access enabled allow users to install arbitrary packages, modify system configurations, and potentially escalate privileges beyond what their IAM role permits. An attacker who gains access to a root-enabled notebook can install backdoors, exfiltrate training data, modify ML models, and pivot to other AWS services using the notebook's IAM role. Root access also means users can disable security agents, modify audit logs, and install cryptominers. Disabling root access forces users to work within the Conda environment managed by SageMaker, which limits the blast radius of a compromise while still allowing installation of Python packages via pip and conda in user space.
Common causes
Root access is enabled by default on SageMaker notebook instances, and most tutorials and documentation do not mention disabling it. Data scientists request root access to install system-level dependencies for specific ML frameworks, and administrators grant it without understanding the security implications. Organizations that migrate from self-managed Jupyter environments expect root access as the norm.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
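The check itself is a single attribute lookup per notebook instance. The following is an added example, not cloud-audit's own code, that reproduces the AWS-SAGEMAKER-001 logic against the real SageMaker API shapes (ListNotebookInstances paginates with NextToken; DescribeNotebookInstance returns a RootAccess field of "Enabled" or "Disabled"). The FakeSageMaker class and the three sample instances are constructed stand-ins so the block runs offline; scan_account() is the same logic pointed at a real boto3 client.

```python
"""Added example (not cloud-audit's code): flag SageMaker notebook instances
whose RootAccess is not "Disabled", and attach the CLI remediation."""
from dataclasses import dataclass

# The remediation command from this page, parameterised on the instance name.
REMEDIATION = ("aws sagemaker update-notebook-instance "
               "--notebook-instance-name {name} --root-access Disabled")


@dataclass
class Finding:
    name: str
    root_access: str   # value reported by DescribeNotebookInstance
    status: str        # "FAIL" when root access is on, "PASS" otherwise
    remediation: str


def evaluate_notebook(desc: dict) -> Finding:
    """Evaluate one DescribeNotebookInstance response dict.
    A missing RootAccess field is treated as Enabled, which is the service default
    (defensive assumption; the API normally always returns the field)."""
    name = desc["NotebookInstanceName"]
    root = desc.get("RootAccess", "Enabled")
    status = "PASS" if root == "Disabled" else "FAIL"
    return Finding(name, root, status, REMEDIATION.format(name=name))


def scan_notebooks(client) -> list[Finding]:
    """Walk every notebook instance through the paginated list call and evaluate it.
    `client` is a boto3 SageMaker client, or any object exposing the same two methods."""
    findings: list[Finding] = []
    token = None
    while True:
        # boto3 rejects NextToken=None, so only pass it when we have one.
        kwargs = {"NextToken": token} if token else {}
        page = client.list_notebook_instances(**kwargs)
        for nb in page.get("NotebookInstances", []):
            desc = client.describe_notebook_instance(
                NotebookInstanceName=nb["NotebookInstanceName"])
            findings.append(evaluate_notebook(desc))
        token = page.get("NextToken")
        if not token:
            return findings


def scan_account(region: str = "us-east-1") -> list[Finding]:
    """Run the check against a real account (needs boto3 and credentials)."""
    import boto3  # imported lazily so the module works offline
    return scan_notebooks(boto3.client("sagemaker", region_name=region))


class FakeSageMaker:
    """Constructed stand-in for the boto3 SageMaker client: one page, no NextToken."""
    def __init__(self, instances: dict):
        self._instances = instances

    def list_notebook_instances(self, **kwargs):
        return {"NotebookInstances": [{"NotebookInstanceName": n} for n in self._instances]}

    def describe_notebook_instance(self, NotebookInstanceName):
        return {"NotebookInstanceName": NotebookInstanceName,
                **self._instances[NotebookInstanceName]}


# Constructed sample data: one default-configured, one hardened, one with the
# field absent to exercise the fallback.
SAMPLE = {
    "research-nb": {"RootAccess": "Enabled", "InstanceType": "ml.t3.medium"},
    "hardened-nb": {"RootAccess": "Disabled", "InstanceType": "ml.t3.medium"},
    "legacy-nb": {"InstanceType": "ml.t3.medium"},
}


def run_sample() -> list[Finding]:
    return scan_notebooks(FakeSageMaker(SAMPLE))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.status} {f.name} RootAccess={f.root_access}")
        if f.status == "FAIL":
            print("  fix:", f.remediation)
```

Because Finding carries the exact update-notebook-instance command, the FAIL list can be fed straight into a remediation script; note that the update call only succeeds while the instance is in the Stopped state, so stop it first and restart afterwards.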
Remediation: AWS CLI
aws sagemaker update-notebook-instance --notebook-instance-name NOTEBOOK_NAME --root-access Disabled
Remediation: Terraform
resource "aws_sagemaker_notebook_instance" "main" {
  name          = "notebook"
  instance_type = "ml.t3.medium"
  role_arn      = aws_iam_role.sagemaker.arn
  root_access   = "Disabled"
}
This check is part of cloud-audit - install with pip install cloud-audit