AWS Security ChangesHomeSearch

AWS sagemaker high security documentation change

Service: sagemaker · 2025-08-28 · Security-related high

File: sagemaker/latest/dg/studio-updated-local-get-started.md

Summary

Added documentation about Rootless Docker configuration including security enhancements, VPC routing changes, and configuration requirements

Security assessment

The change introduces Rootless Docker configuration which explicitly references enhanced security through rootless Docker daemon usage (a known security improvement). The documentation states this provides 'enhanced security' and changes network access patterns through VPC routing.

Diff

diff --git a/sagemaker/latest/dg/studio-updated-local-get-started.md b/sagemaker/latest/dg/studio-updated-local-get-started.md
index a8843c0ba..50670f342 100644
--- a//sagemaker/latest/dg/studio-updated-local-get-started.md
+++ b//sagemaker/latest/dg/studio-updated-local-get-started.md
@@ -5 +5 @@
-PrerequisitesSetting EnableDockerAccessDocker installation
+PrerequisitesSetting EnableDockerAccessRootless Docker configurationDocker installation
@@ -37,0 +38,2 @@ Complete the following prerequisites to use local mode in Studio applications:
+  * For the Rootless Docker configuration, ensure your VPC has appropriate endpoints and routing configured for your desired Docker registries.
+
@@ -95,0 +98,20 @@ To configure a list of additional trusted AWS accounts, specify the `VpcOnlyTrus
+###### Note
+
+When the Rootless Docker configuration is enabled, `VpcOnlyTrustedAccounts` is ignored and Docker traffic routes through your VPC configuration, allowing access to any registry your VPC can reach.
+
+## Rootless Docker configuration
+
+When [`RootlessDocker`](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_DockerSettings.html) is enabled, Studio uses a [rootless Docker daemon](https://docs.docker.com/engine/security/rootless/) that routes traffic through your VPC. This provides enhanced security and allows access to additional Docker registries. The key differences with `RootlessDocker` are:
+
+  * Container ports are accessible using the Docker gateway IP (`172.17.0.1`) instead of localhost.
+
+  * Your VPC configuration determines which registries are accessible for Docker operations. `VpcOnlyTrustedAccounts` is ignored and Docker traffic routes through your VPC configuration.
+
+
+
+
+To use rootless Docker, you will need to set both `EnableDockerAccess` and `RootlessDocker` to `ENABLED` for your `DockerSettings`. For example, in the Setting EnableDockerAccess examples above, you can modify your domain settings to include:
+    
+    
+    '{"DockerSettings": {"EnableDockerAccess": "ENABLED", "RootlessDocker": "ENABLED"}}'
+