SageMaker Notebook - Delete Public or Unencrypted

The following example policy chain detects whether a newly created SageMaker Notebook is internet-facing (public) or unencrypted (not using a KMS key) at launch, then tags, stops and deletes the notebook and emails both the customer (the resource owner) and the Cloud Custodian admin. A SageMaker Notebook cannot be deleted unless it is in the Stopped status, and it cannot be stopped until it is in the InService status, so the work is split into a chain of policies that trigger in order, using tags and scheduled Lambda runs to hand the notebook from one policy to the next.

policies:

# 1. Event-driven: record who created each notebook so the notify action can reach the owner.
- name: sagemaker-notebook-auto-tag-user
  resource: sagemaker-notebook
  description: |
    When a new Sagemaker notebook is created tag the creators ID to CreatorName tag
  mode:
    type: cloudtrail
    events:
      - source: sagemaker.amazonaws.com
        event: CreateNotebookInstance
        ids: "responseElements.notebookInstanceArn"
  actions:
    - type: auto-tag-user
      tag: CreatorName

# 2. Event-driven: mark notebooks that are public or have no KMS key at creation time.
- name: sagemaker-notebook-tag-non-compliant
  resource: sagemaker-notebook
  description: |
    When a new Sagemaker Notebook is created that is public or not encrypted
    it will get tagged for stopping and then deletion
  mode:
    type: cloudtrail
    events:
      - source: sagemaker.amazonaws.com
        event: CreateNotebookInstance
        ids: "responseElements.notebookInstanceArn"
  filters:
    - or:
      - "DirectInternetAccess": "Enabled"   # internet-facing rather than VPC-only
      - "KmsKeyId": absent                  # no KMS key specified
  actions:
    - type: tag
      key: NonCompliantTag
      value: "TRUE"

# 3. Periodic: once a marked notebook reaches InService, stop it and mark it for deletion.
- name: sagemaker-notebook-stop-non-compliant
  resource: sagemaker-notebook
  description: |
    If a SageMaker Notebook is tagged with NonCompliantTag then it gets stopped and tagged
    with NonCompliantTagStopped for deletion
  mode:
    type: periodic
    schedule: "rate(5 minutes)"
    timeout: 45
  filters:
    - "tag:NonCompliantTag": "TRUE"
    - "NotebookInstanceStatus": "InService"
  actions:
    - type: tag
      key: NonCompliantTagStopped
      value: "TRUE"
    - stop

# 4. Periodic: once a marked notebook is Stopped, delete it and notify the owner and admin.
- name: sagemaker-notebook-delete-non-compliant
  resource: sagemaker-notebook
  description: |
    When a new Sagemaker notebook is tagged as non-compliant and in a stopped state, delete it
  mode:
    type: periodic
    schedule: "rate(5 minutes)"
    timeout: 45
  filters:
    - "tag:NonCompliantTagStopped": "TRUE"
    - "NotebookInstanceStatus": "Stopped"
  actions:
    - delete
    - type: notify
      template: default.html
      priority_header: 1
      subject: SageMaker Notebook - Deleted! - [custodian {{ account }} - {{ region }}]
      violation_desc: |
        Public facing (Non-VPC) OR Non-Encrypted Sagemaker Notebooks Are Prohibited!
        All Notebooks Must Be in VPC mode and encrypted!
      action_desc: |
        Actions Taken:  Your SageMaker Notebook Instance has been deleted due to being non-compliant.  Please create a new
        SageMaker notebook in VPC mode with KMS encryption enabled.
      to:
        - CloudCustodian@Company.com
        - resource-owner           # resolved by c7n-mailer from the CreatorName tag set in policy 1
      transport:
        type: sqs
        queue: https://sqs.us-east-1.amazonaws.com/123456789123/cloud-custodian-mailer
        region: us-east-1
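As an added illustration, not part of the Cloud Custodian docs or code base, the following Python models the chain's filters and tag/status hand-offs offline so the ordering can be checked without an AWS account. The sample record is constructed, using the DescribeNotebookInstance field names the filters match on, and it is assumed that the asynchronous Pending -> InService and Stopping -> Stopped transitions complete between two periodic runs.

```python
from typing import Dict, List, Optional

# Constructed sample record using DescribeNotebookInstance field names (not real AWS output).
PUBLIC_NOTEBOOK = {
    "NotebookInstanceStatus": "Pending",  # state right after CreateNotebookInstance
    "DirectInternetAccess": "Enabled",    # public: trips the first filter
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/constructed-example",
    "Tags": {},
}

def is_non_compliant(nb: Dict) -> bool:
    """Filter of sagemaker-notebook-tag-non-compliant: public OR no KMS key."""
    return nb.get("DirectInternetAccess") == "Enabled" or not nb.get("KmsKeyId")

def next_action(nb: Dict) -> Optional[str]:
    """Which policy of the chain matches right now. Stop needs InService, delete needs
    Stopped, so a Pending or Stopping notebook matches nothing until the next run."""
    tags, status = nb.get("Tags", {}), nb.get("NotebookInstanceStatus")
    if tags.get("NonCompliantTagStopped") == "TRUE" and status == "Stopped":
        return "delete"
    if tags.get("NonCompliantTag") == "TRUE" and status == "InService":
        return "stop"
    if is_non_compliant(nb) and "NonCompliantTag" not in tags:
        return "tag"  # in the real chain this fires on the CloudTrail create event
    return None

def apply_action(nb: Dict, action: str) -> Dict:
    """Apply one policy's actions, then assume AWS completes the async state change
    (Pending -> InService, Stopping -> Stopped) before the next 5-minute run."""
    nb = {**nb, "Tags": dict(nb.get("Tags", {}))}
    if action == "tag":
        nb["Tags"]["NonCompliantTag"] = "TRUE"
    elif action == "stop":
        nb["Tags"]["NonCompliantTagStopped"] = "TRUE"
        nb["NotebookInstanceStatus"] = "Stopping"
    elif action == "delete":
        nb["NotebookInstanceStatus"] = "Deleting"
    settled = {"Pending": "InService", "Stopping": "Stopped"}
    nb["NotebookInstanceStatus"] = settled.get(nb["NotebookInstanceStatus"], nb["NotebookInstanceStatus"])
    return nb

def run_chain(nb: Dict) -> List[str]:
    """Drive a notebook through the chain; returns the actions taken, in order."""
    taken: List[str] = []
    while (action := next_action(nb)) is not None:
        taken.append(action)
        nb = apply_action(nb, action)
    return taken
```

Running `run_chain(PUBLIC_NOTEBOOK)` yields `["tag", "stop", "delete"]`, while a notebook that is still Pending or Stopping returns no action from `next_action`, which is exactly why the stop and delete policies are separate periodic runs rather than one event handler.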