add: PreventDirectInternetAccessSageMakerNotebook

ach-mk · ach-mk · commit fefca6a387fa · 2025-03-04T16:05:39.000+01:00
diff --git a/service_control_policies/README.md b/service_control_policies/README.md
@@ -236,4 +236,10 @@ Services such as Lambda, AWS Glue, CloudShell, and SageMaker support different d
 ### "Sid": "PreventNonVpcOnlySageMakerDomain"
 
 This statement is included in the [data_perimeter_governance_policy_2.json](data_perimeter_governance_policy_2.json) and prevents users from creating [Amazon SageMaker domains](https://docs.aws.amazon.com/sagemaker/latest/dg/sm-domain.html) that can access the internet through a VPC managed by SageMaker, or updating SageMaker domains to allow access to the internet through a VPC managed by SageMaker.    
-For more details, see the definition of the parameter [`AppNetworkAccessType`](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_UpdateDomain.html#sagemaker-UpdateDomain-request-AppNetworkAccessType) in the Amazon SageMaker API Reference.
+For more details, see the definition of the parameter [`AppNetworkAccessType`](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_UpdateDomain.html#sagemaker-UpdateDomain-request-AppNetworkAccessType) in the Amazon SageMaker API Reference.
+
+
+### "Sid": "PreventDirectInternetAccessSageMakerNotebook"
+
+This statement is included in the [data_perimeter_governance_policy_2.json](data_perimeter_governance_policy_2.json) and prevents users from creating [Amazon SageMaker Notebooks Instances](https://docs.aws.amazon.com/sagemaker/latest/dg/nbi.html) that can access the internet through a VPC managed by SageMaker.        
+For more details, see [Connect a Notebook Instance in a VPC to External Resources](https://docs.aws.amazon.com/sagemaker/latest/dg/appendix-notebook-and-internet-access.html) in the Amazon SageMaker documentation.
diff --git a/service_control_policies/data_perimeter_governance_policy_2.json b/service_control_policies/data_perimeter_governance_policy_2.json
@@ -113,6 +113,19 @@
             }
          }
       },
+      {
+         "Sid": "PreventDirectInternetAccessSageMakerNotebook",
+         "Effect": "Deny",
+         "Action": [
+            "sagemaker:CreateNotebookInstance"
+         ],
+        "Resource": "*",
+        "Condition": {
+            "StringEquals": {
+               "sagemaker:DirectInternetAccess": "Enabled"
+            }
+         }
+      },
       {
          "Sid":"PreventNonVPCDeploymentLambda",
          "Effect":"Deny",
