Skip to content
Ask AI about this
Help improve this page

SageMaker notebook instances should be in a VPC

A SageMaker notebook instance launched outside a VPC gets a public internet connection by default. Data scientists can pull from and push to arbitrary internet endpoints without any network-layer controls. You lose the ability to enforce security groups, NACLs, VPC Flow Logs, and PrivateLink connectivity to other AWS services.

Placing notebooks in a VPC lets you control egress with route tables and NAT gateways, monitor traffic with Flow Logs, and restrict access to S3 and other services through VPC endpoints. For environments handling sensitive training data, this is a baseline expectation, not an optional hardening step.

Retrofit consideration

Moving an existing notebook instance into a VPC requires recreating it. The subnet_id argument forces replacement of aws_sagemaker_notebook_instance. Back up any local notebook files stored on the instance volume before applying changes.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_sagemaker_notebook_instance.

resource "aws_sagemaker_notebook_instance" "this" {
  instance_type   = "ml.t2.medium"
  name            = "pofix-abc123"
  role_arn        = "arn:aws:iam::123456789012:role/example-role"
  security_groups = ["sg-12345678"]

  subnet_id = "subnet-12345678"
}

What this control checks

This control validates that the aws_sagemaker_notebook_instance resource has subnet_id set to a valid VPC subnet. A notebook that omits subnet_id launches on AWS-managed networking outside your VPC and fails. To pass, set subnet_id pointing to a private subnet in your VPC. Set security_groups to attach one or more VPC security groups controlling inbound and outbound traffic. A passing configuration looks like:

subnet_id = a reference to an aws_subnet resource ID security_groups = a list of aws_security_group IDs

If subnet_id is null or absent, the control fails. If direct_internet_access is set to "Enabled" alongside a VPC subnet, the instance passes this control but may fail separate controls that check for direct internet access on VPC-attached notebooks.

Common pitfalls

  • Notebook recreation on subnet_id change

    subnet_id is a ForceNew attribute, so adding or changing it destroys and recreates the instance. Any data under /home/ec2-user/SageMaker on the EBS volume is gone unless you snapshot it or use a lifecycle configuration script to sync it to S3 first.

  • Missing VPC endpoints block S3 and API access

    A private subnet without NAT or VPC endpoints breaks access to S3, SageMaker APIs, and package repositories. At minimum you need a com.amazonaws.<region>.s3 gateway endpoint and a com.amazonaws.<region>.sagemaker.api interface endpoint, or a NAT gateway for general outbound access.

  • direct_internet_access should be set explicitly

    Setting subnet_id alone doesn't disable internet access. direct_internet_access defaults to "Enabled", so set it explicitly to "Disabled" when you need traffic restricted to private VPC paths and approved endpoints.

  • Security groups default to VPC default SG

    Omit security_groups and SageMaker falls back to the VPC's default security group, which allows all outbound traffic and self-referencing inbound. Specify explicit security groups that match your actual access requirements.

Audit evidence

An auditor expects Config rule results for the managed rule sagemaker-notebook-instance-inside-vpc showing all notebook instances as compliant. Console evidence from the SageMaker Notebook Instances page should show a VPC and subnet under the "Network" section for each instance. VPC Flow Logs on the associated subnet confirm that notebook traffic is flowing through controlled paths rather than direct internet.

The aws sagemaker describe-notebook-instance CLI call returns SubnetId and SecurityGroups; a missing or empty SubnetId confirms non-compliance.

Framework-specific interpretation

PCI DSS v4.0: PCI DSS Requirement 1 calls for network controls that restrict traffic between trusted and untrusted networks. Notebooks outside a VPC have no firewall boundary, which puts cardholder data environments at direct internet exposure. Requirement 1.3 specifically asks for controls blocking unauthorized inbound and outbound traffic, which is what security groups and NACLs on VPC-placed notebooks provide.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: sagemaker_notebook_instance_in_vpc

  • AWS Config Managed Rule: SAGEMAKER_NOTEBOOK_INSTANCE_INSIDE_VPC

  • Checkov Check: CKV_AWS_306

  • Powerpipe Control: aws_compliance.control.sagemaker_notebook_instance_in_vpc

  • Prowler Check: sagemaker_notebook_instance_vpc_settings_configured

  • AWS Security Hub Control: SageMaker.2

Last reviewed: 2026-03-09