AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2026-04-25 · Documentation medium

File: securityhub/latest/userguide/sagemaker-controls.md

Summary

Added new security control SageMaker.19 for SageMaker models to use private registry in VPC for multi-container inference pipelines.

Security assessment

The change introduces a new security control focused on best practices to mitigate risks like supply chain attacks by ensuring container images are pulled from trusted sources within a VPC. It does not address a specific reported vulnerability or incident, but proactively enhances security posture.

Diff

diff --git a/securityhub/latest/userguide/sagemaker-controls.md b/securityhub/latest/userguide/sagemaker-controls.md
index 0622f4e21..9e5a05fd5 100644
--- a//securityhub/latest/userguide/sagemaker-controls.md
+++ b//securityhub/latest/userguide/sagemaker-controls.md
@@ -7 +7 @@
-[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC[SageMaker.3] Users should not have root access to SageMaker notebook instances[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1[SageMaker.5] SageMaker models should have network isolation enabled[SageMaker.6] SageMaker app image configurations should be tagged[SageMaker.7] SageMaker images should be tagged[SageMaker.8] SageMaker notebook instances should run on supported platforms[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled[SageMaker.16] SageMaker models should use private registry in VPC for primary containers[SageMaker.17] SageMaker feature group offline stores should be encrypted with AWS KMS keys
+[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC[SageMaker.3] Users should not have root access to SageMaker notebook instances[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1[SageMaker.5] SageMaker models should have network isolation enabled[SageMaker.6] SageMaker app image configurations should be tagged[SageMaker.7] SageMaker images should be tagged[SageMaker.8] SageMaker notebook instances should run on supported platforms[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled[SageMaker.16] SageMaker models should use private registry in VPC for primary containers[SageMaker.17] SageMaker feature group offline stores should be encrypted with AWS KMS keys[SageMaker.19] SageMaker models should use private registry in VPC for multi-container inference pipelines
@@ -423,0 +424,22 @@ For information on enabling encryption at rest for SageMaker Feature Store offli
+## [SageMaker.19] SageMaker models should use private registry in VPC for multi-container inference pipelines
+
+**Category:** Protect > Secure network configuration > Resources within VPC
+
+**Severity:** Medium
+
+**Resource type:** `AWS::SageMaker::Model`
+
+**AWS Config rule:** [sagemaker-model-multicontainer-private-registry](https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-model-multicontainer-private-registry.html)
+
+**Schedule type:** Change triggered
+
+**Parameters:** None
+
+This control checks whether Amazon SageMaker AI models with multi-container inference pipelines pull container images from a private Docker registry in a VPC. The control fails if any container definition does not have image configuration or has repository access mode set to platform.
+
+Using a private Docker registry in a VPC for SageMaker AI multi-container inference pipelines ensures container images are pulled from trusted, controlled sources within your VPC. This ensures container images are accessed through VPC endpoints, without traversing the public internet, reducing the risk of supply chain attacks or image tampering.
+
+### Remediation
+
+To configure private docker registries for SageMaker AI real-time inference containers, see [Use a Private Docker Registry for Real-Time Inference Containers](https://docs.aws.amazon.com/sagemaker/latest/dg/your-algorithms-containers-inference-private.html) in the _Amazon SageMaker AI Developer Guide_.
+