SageMaker Notebook root access is enabled

Affecting Sagemaker service in AWS


Severity: high
Severity Framework: Snyk CCSS
Rule category: IAM / Privileged Access

  • Snyk ID: SNYK-CC-00781
  • Credit: Snyk Research Team

Description

Root access on SageMaker Notebook instances can lead to unauthorized system modifications and potential security breaches. It increases the risk of privilege escalation and system compromise by allowing users to execute commands with administrative privileges. This configuration should be avoided to maintain the principle of least privilege and ensure that only necessary permissions are granted to users.

How to fix?

Set the root_access attribute in an aws_sagemaker_notebook_instance resource to Disabled.

Example Configuration

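resource "aws_sagemaker_notebook_instance" "allowed" {
  name          = "allowed-notebook-instance"
  # IAM role defined elsewhere in the configuration
  role_arn      = aws_iam_role.rule-781-role.arn
  instance_type = "ml.t2.medium"
  # Notebook users do not get root privileges on the instance
  root_access   = "Disabled"
}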