AWSOverview
Because users with root access have administrator privileges, users can access and edit all files on a notebook instance with root access enabled.
In order to prevent data breaches, data tampering, privilege escalation, and other possible threats, disabling root access to the notebook is recommended.
Remediation guidance
- Open the Notebook in the AWS Console using the dedicated button
- Press the
Stopbutton - Once the status of the notebook is
Stopped, press theEditbutton - In the
Permissions and encryption settingschooseDisable - Don't give users root access to the notebook - Click
Update notebook instance - Start the notebook
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
AWS
Use AWS Organizations guardrails, AWS Config rules or conformance packs where they fit, approved account baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
SageMaker Notebooks with root access enabled
Connectors
Covered asset types
Expected check: eq []
{
sageMakerNoteBooks(
where: {
NOT: { rootAccess: "Disabled" }
}
) {...AssetFragment}
}
