SageMaker notebook instances root access should be disabled
Root access on a SageMaker notebook instance lets any authenticated user install arbitrary packages, modify system-level configurations, disable logging agents, or exfiltrate credentials stored on the instance. In multi-user environments, a single compromised notebook account can escalate to full OS-level control.
Disabling root access enforces least privilege at the OS layer. Data scientists can still install Python packages into user-space virtual environments using lifecycle configurations, so the productivity impact is minimal. Preventing tampering with audit trails and system binaries is worth the minor workflow adjustment.
Retrofit consideration
Changing root_access on an existing notebook instance requires stopping the instance first. Running notebooks will be interrupted and any in-memory state lost.
Implementation
Choose the approach that matches how you manage Terraform.
Use AWS provider resources directly. See docs for the resources involved: aws_sagemaker_notebook_instance.
resource "aws_sagemaker_notebook_instance" "this" {
  instance_type   = "ml.t2.medium"
  name            = "pofix-abc123"
  role_arn        = "arn:aws:iam::123456789012:role/example-role"
  security_groups = ["sg-12345678"]
  subnet_id       = "subnet-12345678"
  root_access     = "Disabled"
}
What this control checks
In the aws_sagemaker_notebook_instance resource, root_access must be set to "Disabled". The default is "Enabled", so any instance created without this argument explicitly set fails the control. No other resource types or arguments are involved.
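The check above can be run against a Terraform plan before apply, which also catches the omitted-argument case the pitfalls below describe. The following is an added example, not part of this page or of any of the tools it lists: it walks `terraform show -json` output (a constructed sample is embedded inline, including a child module so nested instances are not missed) and reports every aws_sagemaker_notebook_instance whose root_access is absent or anything other than "Disabled".

```python
import json

# Constructed sample of `terraform show -json tfplan` output (not from the page):
# one notebook instance that omits root_access, one nested in a child module that
# sets it to "Disabled", and one unrelated resource that the check must ignore.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "aws_sagemaker_notebook_instance.legacy",
                    "type": "aws_sagemaker_notebook_instance",
                    "values": {"name": "legacy-nb", "instance_type": "ml.t2.medium"},
                },
                {
                    "address": "aws_s3_bucket.data",
                    "type": "aws_s3_bucket",
                    "values": {"bucket": "example-data"},
                },
            ],
            "child_modules": [
                {
                    "address": "module.research",
                    "resources": [
                        {
                            "address": "module.research.aws_sagemaker_notebook_instance.this",
                            "type": "aws_sagemaker_notebook_instance",
                            "values": {"name": "pofix-abc123", "root_access": "Disabled"},
                        }
                    ],
                }
            ],
        }
    },
})


def iter_resources(module):
    """Walk a planned_values module tree, including nested child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def evaluate_plan(plan_json):
    """Return {address: (compliant, reason)} for every aws_sagemaker_notebook_instance.

    An absent root_access is treated as "Enabled" because that is the provider
    default; a plan that carries the default explicitly fails the same way.
    """
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = {}
    for res in iter_resources(root):
        if res.get("type") != "aws_sagemaker_notebook_instance":
            continue
        values = res.get("values") or {}
        root_access = values.get("root_access")
        if root_access is None:
            findings[res["address"]] = (False, "root_access omitted; provider default is Enabled")
        elif root_access == "Disabled":
            findings[res["address"]] = (True, 'root_access = "Disabled"')
        else:
            findings[res["address"]] = (False, f'root_access = "{root_access}"')
    return findings


def failing_addresses(plan_json):
    """Addresses that would violate the control, suitable for failing a CI gate."""
    return sorted(addr for addr, (ok, _) in evaluate_plan(plan_json).items() if not ok)


if __name__ == "__main__":
    for addr, (ok, reason) in evaluate_plan(SAMPLE_PLAN_JSON).items():
        print(f"{'PASS' if ok else 'FAIL'} {addr}: {reason}")
```

Pipe a real plan in with `terraform show -json tfplan` and feed the text to evaluate_plan; a non-empty failing_addresses result is the signal to block the apply.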
Common pitfalls
Default value is Enabled
The root_access argument defaults to "Enabled". Omit it and the instance is non-compliant with no warning from Terraform. Always set it explicitly.
Lifecycle configurations may require adjustment
Lifecycle configuration scripts that use sudo or write to system paths like /usr/local will throw permission errors once root access is disabled. Refactor them to install packages into user-space paths such as /home/ec2-user/SageMaker.
Stopping instance required for retrofit
Terraform will error if you try to change root_access on a running instance. The UpdateNotebookInstance API requires Stopped state. Stop the instance first with aws sagemaker stop-notebook-instance before applying the change.
Audit evidence
The AWS Config rule sagemaker-notebook-instance-root-access-check directly evaluates this setting and is the primary evidence source. Auditors also check the SageMaker console details page for each instance, confirming the "Root access" field shows "Disabled".
CloudTrail logs for CreateNotebookInstance and UpdateNotebookInstance capture the RootAccess parameter value, giving a historical record of configuration changes. Periodic Config compliance reports or third-party scanner output showing consistent "COMPLIANT" status across all instances over time strengthen the evidence package.
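Turning the CloudTrail record into a change history per instance is the part of the evidence package that usually needs tooling. The following is an added example, not from this page or from AWS: it reads CloudTrail records (a constructed sample is embedded inline; the parameter key is assumed to appear as rootAccess in the record), keeps only successful CreateNotebookInstance and UpdateNotebookInstance calls that carried a root access value, and yields both the current setting and the full timeline per notebook instance.

```python
import json
from datetime import datetime, timezone

TRACKED_EVENTS = {"CreateNotebookInstance", "UpdateNotebookInstance"}

# Constructed CloudTrail-style records (not from the page). Key names follow the
# CloudTrail record format; the request parameter is assumed to be "rootAccess".
SAMPLE_RECORDS = json.dumps({"Records": [
    {
        "eventTime": "2026-01-10T09:00:00Z",
        "eventSource": "sagemaker.amazonaws.com",
        "eventName": "CreateNotebookInstance",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"notebookInstanceName": "legacy-nb",
                              "instanceType": "ml.t2.medium", "rootAccess": "Enabled"},
    },
    {
        "eventTime": "2026-01-15T14:20:00Z",
        "eventSource": "sagemaker.amazonaws.com",
        "eventName": "CreateNotebookInstance",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/terraform"},
        "requestParameters": {"notebookInstanceName": "pofix-abc123", "rootAccess": "Disabled"},
    },
    {   # update that does not touch root access: not evidence for this control
        "eventTime": "2026-01-20T10:00:00Z",
        "eventSource": "sagemaker.amazonaws.com",
        "eventName": "UpdateNotebookInstance",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"notebookInstanceName": "legacy-nb", "instanceType": "ml.t3.medium"},
    },
    {   # failed attempt while the instance was running; errorCode means nothing changed
        "eventTime": "2026-02-01T11:25:00Z",
        "eventSource": "sagemaker.amazonaws.com",
        "eventName": "UpdateNotebookInstance",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/terraform"},
        "requestParameters": {"notebookInstanceName": "legacy-nb", "rootAccess": "Disabled"},
        "errorCode": "ValidationException",
        "errorMessage": "constructed: notebook instance must be Stopped",
    },
    {
        "eventTime": "2026-02-01T11:40:00Z",
        "eventSource": "sagemaker.amazonaws.com",
        "eventName": "UpdateNotebookInstance",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/terraform"},
        "requestParameters": {"notebookInstanceName": "legacy-nb", "rootAccess": "Disabled"},
    },
]})


def parse_time(s):
    """CloudTrail eventTime is UTC in the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def root_access_history(records_json):
    """Return {notebook_name: [(time, event, actor, value), ...]} ordered by time,
    keeping only successful Create/Update calls that carried a root access value."""
    history = {}
    for rec in json.loads(records_json)["Records"]:
        if rec.get("eventSource") != "sagemaker.amazonaws.com":
            continue
        if rec.get("eventName") not in TRACKED_EVENTS or rec.get("errorCode"):
            continue
        params = rec.get("requestParameters") or {}
        value = params.get("rootAccess", params.get("RootAccess"))
        name = params.get("notebookInstanceName")
        if value is None or name is None:
            continue
        actor = (rec.get("userIdentity") or {}).get("arn", "unknown")
        history.setdefault(name, []).append(
            (parse_time(rec["eventTime"]), rec["eventName"], actor, value))
    for entries in history.values():
        entries.sort(key=lambda e: e[0])
    return history


def current_root_access(records_json):
    """Latest recorded root access value per instance, as an auditor would read it."""
    return {name: entries[-1][3] for name, entries in root_access_history(records_json).items()}


def ever_enabled(records_json):
    """Instances that were Enabled at any point; their change window needs documenting."""
    return sorted(name for name, entries in root_access_history(records_json).items()
                  if any(e[3] == "Enabled" for e in entries))
```

Failed calls are dropped on purpose: a rejected UpdateNotebookInstance against a running instance leaves the setting unchanged, so counting it would misstate when the retrofit actually took effect.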
Framework-specific interpretation
PCI DSS v4.0: Requirement 7 restricts access to system components to business need to know. On a SageMaker notebook, root access gives authenticated users full OS control, bypassing those restrictions entirely. Disabling it keeps notebook users within the access model PCI requires.
Related controls
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf Control: sagemaker_notebook_instance_root_access_disabled
AWS Config Managed Rule: SAGEMAKER_NOTEBOOK_INSTANCE_ROOT_ACCESS_CHECK
Checkov Check: CKV_AWS_307
Powerpipe Control: aws_compliance.control.sagemaker_notebook_instance_root_access_disabled
Prowler Check: sagemaker_notebook_instance_root_access_disabled
AWS Security Hub Control: SageMaker.3
Last reviewed: 2026-03-09