For increased security, Amazon SageMaker customers can now limit access to a notebook instance to a range of IP addresses.
IP address filtering helps when you need to allow only a subset of traffic to access your notebook instances. You might want to limit notebook access in the following ways:
-
To comply with security and compliance requirements by blocking traffic except for a specific whitelist of IP addresses.
-
To test for specific geographies or demographics.
-
To allow access for an experiment-in-progress only to a group of people.
To restrict notebook instance access by IP addresses, you need to attach IP address conditional operator policies to your AWS Identity and Access Management (IAM) roles for all users or groups that will be accessing Amazon SageMaker notebooks. IAM is a web service that helps you securely control access to AWS resources. A policy is an entity that, when attached to an identity or resource, defines their permissions.
An IAM policy with an IP address conditional operator will deny access to CreatePresignedNotebookInstanceUrl
and AuthorizedUrl
unless the call comes from an IP address in the list that you specify. The policy also restricts access to opening a notebook instance in the Amazon SageMaker console. By defining Effect
as Deny
and using the NotIpAddress
condition operator with the aws:SourceIP
key, you will block all traffic coming from the internet except the list of IP addresses that you want to have access to the notebook instance.
The IP address condition will restrict access based on comparing a key to an IPv4 or IPv6 address or range of IP addresses. The value must be in the standard CIDR format (for example, 203.0.113.0/24 or 2001:DB85678::/64). If you specify an IP address without the associated routing prefix, IAM uses the default prefix value of /32.
Here is an example policy that limits access to a notebook instance to only IP addresses in the ranges 192.0.2.0-192.0.2.255 and 203.0.113.0-203.0.113.255:
1 |
|
This approach is useful when the IP addresses for your company are within well-defined ranges. Note that using this method to filter by IP address is incompatible with connecting to Amazon SageMaker through a VPC interface endpoint. This is because Amazon SageMaker notebook instances are currently accessible only over the internet.
About the Author
Erkan Tas is a Senior Technical Product Manager for Amazon SageMaker. He is on a mission to make Artificial Intelligence easy, accessible, and scalable through AWS platforms. He is also a sailor, science and nature admirer, Go and Stratocaster player.