AWS Machine Learning Blog

Control root access to Amazon SageMaker notebook instances

Amazon SageMaker recently introduced the ability to enable and disable root access for notebook users. Before I give you a preview of how you can implement this new feature using the AWS Management Console and Amazon SageMaker API actions, I’ll explain why controlling root access for users is helpful.

Amazon SageMaker provides fully managed notebook instances that run industry-standard open-source interactive computing software, Jupyter Notebooks. You can use Jupyter Notebooks to clean and transform data, visualize data, run numerical simulations, build statistical and machine learning (ML) models, and much more.

Data science is an iterative process, which might require data scientists and developers to test and use different software and packages. During the planning and experimentation stages of projects having root access gives you the flexibility to modify Jupyter Notebook environments as needed.

However, for our customers who need to comply with specific security policies, it’s important to ensure a segregation between the notebook user and the root of the hosting computer. Since root access means having administrator privileges, users with root access can access and edit all files on the compute instance, including system-critical files. Removing root access prevents notebook users from deleting system-level software, installing new software, and modifying essential environment components.

With the new option, Amazon SageMaker customers can now use the AWS Management Console and Amazon SageMaker API actions to enable or disable root access for their notebook instances.

Note: Lifecycle configurations, which are shell scripts you can use to set up and customize notebook instances, give administrators the ability to employ custom configurations even when the notebook instance is set up to have no root access for the user. That’s why lifecycle configurations always run as the root user for the associated notebook instances regardless of however root access permission is defined.

Control root access using the AWS Management Console

When creating new notebook instances or updating existing ones with the AWS Management Console, you can choose to enable or disable root access on the Permissions and encryption menu. For detailed instructions on how to create notebook instances with Amazon SageMaker, follow the steps provided in the Amazon SageMaker Developer Guide.

Control root access with Amazon SageMaker API actions

When you’re calling the CreateNotebookInstance and UpdateNotebookInstance API actions, you can use Enabled or Disabled as parameters to define the string value for ”RootAccess”. Here is an example JSON template to be passed with API actions:

{
   "AcceleratorTypes": [ "string" ],
   "AdditionalCodeRepositories": [ "string" ],
   "DefaultCodeRepository": "string",
   "DirectInternetAccess": "string",
   "InstanceType": "string",
   "KmsKeyId": "string",
   "LifecycleConfigName": "string",
   "NotebookInstanceName": "string",
   "RoleArn": "string",
   "RootAccess": "Disabled",
   "SecurityGroupIds": [ "string" ],
   "SubnetId": "string",
   "Tags": [ 
      { 
         "Key": "string",
         "Value": "string"
      }
   ],
   "VolumeSizeInGB": number
}

Conclusion

The ability to control root access for notebook instances adds flexibility and security to the administration of Jupyter Notebook environments. To learn more about Amazon SageMaker and start with Jupyter Notebooks, visit the Amazon SageMaker webpage. For more information about managing root access for notebook instances, see the Amazon SageMaker Developer Guide.


About the Author

Erkan Tas is a Sr. Product Manager for Amazon SageMaker. He is on a mission to make Artificial Intelligence easy, accessible, and scalable through cloud platforms. He is also a sailor, science and nature admirer, Go and Stratocaster player.