AWS SageMaker Notebook instances allow direct internet access, which may lead to unauthorized access.
Once a SageMaker Notebook Instance has been created, its networking configuration cannot be changed; a new instance must be created with the desired configuration. To control a notebook instance's direct internet access, ensure that the security group is configured with an appropriate NAT gateway (see the AWS documentation below). To create a new instance with the recommended settings, follow the steps below.
In AWS Console -
In Terraform -
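The following Terraform configuration is an added example, not taken from the original page. It contrasts a notebook instance left on the provider default with one that sets the three arguments referenced below (`direct_internet_access`, `subnet_id`, `security_groups`). The resource names, variable names and instance type are assumptions, and the subnet is assumed to be a private one whose route table sends outbound traffic through a NAT gateway.

```hcl
# Added example; all names and the instance type are assumptions.

variable "notebook_role_arn" {
  description = "ARN of an existing SageMaker execution role"
  type        = string
}

variable "private_subnet_id" {
  description = "Private subnet that routes outbound traffic via a NAT gateway"
  type        = string
}

variable "notebook_sg_id" {
  description = "Security group to attach to the notebook's network interface"
  type        = string
}

# Non-compliant, shown for contrast only: direct_internet_access is omitted,
# so the provider default ("Enabled") applies and the notebook gets
# SageMaker-managed internet access outside your VPC controls.
resource "aws_sagemaker_notebook_instance" "open" {
  name          = "example-notebook-open"
  role_arn      = var.notebook_role_arn
  instance_type = "ml.t3.medium"
}

# Compliant: direct internet access is disabled, and the instance is placed
# in your VPC. "Disabled" requires both subnet_id and security_groups.
resource "aws_sagemaker_notebook_instance" "private" {
  name                   = "example-notebook-private"
  role_arn               = var.notebook_role_arn
  instance_type          = "ml.t3.medium"
  subnet_id              = var.private_subnet_id
  security_groups        = [var.notebook_sg_id]
  direct_internet_access = "Disabled"
}
```

Because the networking configuration of an existing instance cannot be changed, switching a deployed notebook from the first form to the second means the instance is replaced, not updated in place.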
References:
https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html
https://aws.amazon.com/premiumsupport/knowledge-center/sagemaker-notebook-vpc-troubleshoot/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_notebook_instance#direct_internet_access
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_notebook_instance#subnet_id
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_notebook_instance#security_groups