SageMaker models should have network isolation enabled

SageMaker inference containers are internet-connected by default. A compromised or malicious model artifact can exfiltrate training data, customer inputs, or model weights to an external endpoint without any network-level barrier. Enabling network isolation blocks all outbound networking from the container; it can only receive data via the SageMaker invocation API and write outputs to S3 through the platform's internal data channels.

Pay particular attention to models sourced from third-party marketplaces or trained on sensitive data, where auditing the container's runtime behavior isn't always practical.

Retrofit consideration

Enabling network isolation on existing models requires redeploying the model. If your inference container downloads assets at startup (e.g., pulling weights from an external URL or calling a license server), it will fail after isolation is enabled. Verify the container works fully offline before flipping this setting.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_sagemaker_model.

resource "aws_sagemaker_model" "this" {
  execution_role_arn = "arn:aws:iam::123456789012:role/example-role"
  name               = "pofix-abc123"

  primary_container {
    image = "123456789012.dkr.ecr.us-east-1.amazonaws.com/sagemaker-prebuilt-image"
  }

  vpc_config {
    security_group_ids = ["sg-12345678"]
    subnets            = ["subnet-12345678", "subnet-12345678"]
  }

  enable_network_isolation = true
}

What this control checks

The aws_sagemaker_model resource must have enable_network_isolation set to true. It fails when the argument is omitted or set to false. No VPC configuration is required for this argument; it independently controls whether the container has any outbound network connectivity.

Example passing configuration:

enable_network_isolation = true

This is separate from VPC placement via vpc_config. Network isolation blocks all outbound traffic from the container regardless of whether the model is placed in a VPC.
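The pass/fail rule above can be applied to a plan before apply. The following is an added example, not the code of any tool listed on this page; it assumes the plan was exported with `terraform show -json`, and the sample plan and the function names are constructed for illustration.

```python
import json
import sys

# Constructed sample, trimmed to the fields the check reads.
SAMPLE_PLAN = {
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_sagemaker_model.this", "type": "aws_sagemaker_model",
             "values": {"enable_network_isolation": True}},
            {"address": "aws_sagemaker_model.legacy", "type": "aws_sagemaker_model",
             "values": {"enable_network_isolation": False}},
            {"address": "aws_s3_bucket.artifacts", "type": "aws_s3_bucket",
             "values": {"bucket": "example-artifacts"}},
        ],
        "child_modules": [{
            "address": "module.inference",
            "resources": [
                # Wrapper module that never sets the argument: planned value is null.
                {"address": "module.inference.aws_sagemaker_model.wrapped",
                 "type": "aws_sagemaker_model",
                 "values": {"enable_network_isolation": None}},
            ],
        }],
    }},
}

def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def non_isolated_models(plan):
    """Return sorted addresses of aws_sagemaker_model resources that fail the control."""
    root = plan.get("planned_values", {}).get("root_module", {})
    failing = []
    for res in iter_resources(root):
        if res.get("type") != "aws_sagemaker_model":
            continue
        # Only a literal true passes; false, null and a missing key all fail.
        if res.get("values", {}).get("enable_network_isolation") is not True:
            failing.append(res["address"])
    return sorted(failing)

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    failing = non_isolated_models(plan)
    for address in failing:
        print(f"FAIL {address}: enable_network_isolation is not true")
    sys.exit(1 if failing else 0)
```

The non-zero exit code lets the script gate a CI step that runs after `terraform plan`.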

Common pitfalls

  • Containers that fetch external dependencies at startup will break

    If your inference container fetches model weights, config files, or license tokens from external URLs during initialization, it will hang or crash once enable_network_isolation = true blocks all outbound connections. Package all dependencies into the container image or stage them through the S3 model artifact (primary_container.model_data_url) before enabling isolation.

  • Network isolation does not replace VPC placement

    VPC placement and network isolation are independent settings. enable_network_isolation = true blocks outbound traffic but doesn't put the model in a private VPC. If you also need to control inbound routing or use VPC endpoints for S3 access, configure the vpc_config block with subnets and security_group_ids separately.

  • Multi-container inference pipelines apply isolation per model

    With multi-container models, enable_network_isolation applies to all containers in the aws_sagemaker_model resource. You can't isolate selectively. If any container in the pipeline needs external network access, you'll need to restructure the pipeline or pre-stage all required data before deployment.

  • Default value is false

    Omitting enable_network_isolation from an aws_sagemaker_model resource leaves isolation off. The default is false, so any module wrapping SageMaker model creation that doesn't explicitly set this will produce non-compliant models. Expose the variable and default it to true in any shared module.

Audit evidence

Auditors look for all AWS::SageMaker::Model resources with EnableNetworkIsolation: true across every in-scope region. The DescribeModel API response for each model should show "EnableNetworkIsolation": true; console screenshots from the SageMaker Models page are supplementary.

For ongoing assurance, CloudTrail logs of CreateModel events should show EnableNetworkIsolation: true in the request parameters, confirming no non-isolated models were created during the audit period.

Framework-specific interpretation

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: sagemaker_model_network_isolation_enabled

  • AWS Config Managed Rule: SAGEMAKER_MODEL_ISOLATION_ENABLED

  • Checkov Check: CKV_AWS_370

  • Powerpipe Control: aws_compliance.control.sagemaker_model_network_isolation_enabled

  • Prowler Check: sagemaker_models_network_isolation_enabled

  • AWS Security Hub Control: SageMaker.5

Last reviewed: 2026-03-09