Lab: Hardening AWS Machine Learning Infrastructure
In this lab, you will apply the Shared Responsibility Model by securing a machine learning environment. You will implement the Principle of Least Privilege using IAM roles, establish Network Isolation via a VPC, and ensure Data Security using AWS KMS encryption.
Prerequisites
- An active AWS Account.
- AWS CLI installed and configured with Administrator permissions.
- Basic knowledge of CIDR notation and IAM policies.
- A region selected for deployment (e.g., `us-east-1`).
[!IMPORTANT] Ensure your CLI user has the `AdministratorAccess` policy attached to perform these resource creations.
Learning Objectives
- Configure an IAM Execution Role with restricted permissions for SageMaker.
- Deploy a secure VPC architecture with private subnets for ML workloads.
- Create and manage an AWS KMS Customer Master Key (CMK) for at-rest encryption.
- Apply Security Group rules to enforce the principle of least privilege at the network layer.
Architecture Overview
Step-by-Step Instructions
Step 1: Create a Least-Privilege IAM Execution Role
We will create a role that only the SageMaker service can assume; its permissions policy should then grant access only to the specific S3 buckets and logging services it needs.
```bash
# Create the trust policy file
echo '{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"Service": "sagemaker.amazonaws.com"},"Action": "sts:AssumeRole"}]}' > trust-policy.json
# Create the role
aws iam create-role --role-name brainybee-sagemaker-role --assume-role-policy-document file://trust-policy.json
```
Console Alternative
Navigate to IAM > Roles > Create Role. Select AWS Service, choose SageMaker, and proceed to permissions. Add only AmazonSageMakerFullAccess (for this lab) or a custom policy for stricter control.
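The Step 1 commands establish only who may assume the role; the scoping the step describes lives in a permissions policy. The script below is an added example, not part of the original lab, that renders such a policy and refuses to attach it if any wildcard grant slipped in; the bucket name, account id, region and the policy name brainybee-scoped-access are assumptions you replace with your own values.

```bash
#!/usr/bin/env bash
# Added example, not part of the original lab: attach a scoped permissions
# policy to the execution role from Step 1. The bucket name, account id and
# region are placeholders you must replace with your own values.
set -eu

ROLE_NAME="brainybee-sagemaker-role"
POLICY_NAME="brainybee-scoped-access"

# Render a least-privilege permissions policy: read/write objects in one
# S3 bucket, and write CloudWatch Logs only under the SageMaker log-group
# prefix, instead of the broad grants of the managed AmazonSageMakerFullAccess.
render_permissions_policy() {
  bucket="$1"; account="$2"; region="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ScopedS3Access",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::${bucket}", "arn:aws:s3:::${bucket}/*"]
    },
    {
      "Sid": "SageMakerLogsOnly",
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": "arn:aws:logs:${region}:${account}:log-group:/aws/sagemaker/*"
    }
  ]
}
EOF
}

# Return 0 if the policy text still contains a wildcard Action or Resource.
policy_has_wildcard() {
  printf '%s\n' "$1" | grep -Eq '"(Action|Resource)": *"\*"'
}

# Refuse to attach anything that is not scoped, then attach it inline.
attach_scoped_policy() {
  policy="$(render_permissions_policy "$1" "$2" "$3")"
  if policy_has_wildcard "$policy"; then
    echo "refusing to attach ${POLICY_NAME}: policy contains a wildcard" >&2
    return 1
  fi
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name "$POLICY_NAME" --policy-document "$policy"
}
```

Before running the Teardown step's `aws iam delete-role`, remove this inline policy with `aws iam delete-role-policy --role-name brainybee-sagemaker-role --policy-name brainybee-scoped-access`, since a role that still has inline policies cannot be deleted.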
Step 2: Create an AWS KMS Key for Data Encryption
Security best practices require encrypting data at rest using keys you manage.
```bash
# Create the KMS Key
aws kms create-key --description "Key for ML Data Encryption"
```
[!TIP] Note the `KeyId` from the output; you will need it for S3 and SageMaker configurations.
Step 3: Build a Secure Network Foundation (VPC)
Isolate your ML resources from the public internet by creating a VPC and a private subnet.
```bash
# Create the VPC
aws ec2 create-vpc --cidr-block 10.0.0.0/16 --query 'Vpc.VpcId' --output text
# Create a Security Group to allow internal traffic only
aws ec2 create-security-group --group-name ml-security-group --description "Internal ML Traffic" --vpc-id <YOUR_VPC_ID>
```
Console Alternative
Navigate to VPC Dashboard > Create VPC. Choose "VPC and more" to automatically generate subnets, route tables, and network gateways with a single click.
Checkpoints
- IAM Verification: Run `aws iam get-role --role-name brainybee-sagemaker-role` to ensure the role exists and has the correct trust relationship.
- KMS Verification: Run `aws kms list-keys` to confirm your new key is enabled.
- VPC Verification: Ensure your VPC status is `available` in the EC2 dashboard.
Concept Review
| Concept | Responsibility | Implementation in this Lab |
|---|---|---|
| Least Privilege | Customer | IAM Role with sts:AssumeRole for SageMaker only. |
| Network Isolation | Customer | Placing SageMaker inside a VPC with no IGW access. |
| Data at Rest | Customer | Using AWS KMS to encrypt model artifacts. |
| Physical Security | AWS | Managing the data centers where these resources reside. |
Troubleshooting
| Error | Likely Cause | Solution |
|---|---|---|
| AccessDenied when creating role | CLI user lacks IAM permissions | Attach IAMFullAccess or AdministratorAccess to your user. |
| VpcLimitExceeded | Too many VPCs in the region | Delete unused VPCs or switch to a different AWS region. |
| KMS Key not found | Incorrect Region | Ensure the CLI is targeting the same region where the key was created. |
Challenge
Task: Restrict the Security Group so that it only allows inbound traffic on port 443 (HTTPS) from a specific CIDR block (e.g., your corporate VPN IP) instead of the entire VPC range.
Hint: Use the `aws ec2 authorize-security-group-ingress` command with the `--cidr` and `--port` flags.
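As an added example (not the lab's own code), here is a guarded version of the hinted command: it validates the CIDR and refuses anything broader than an assumed /24 floor before opening port 443, which also rules out the VPC's own 10.0.0.0/16 and 0.0.0.0/0; the security group id and the MIN_PREFIX_LEN value are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the original lab: a guarded wrapper around the
# hinted authorize-security-group-ingress command. <YOUR_SG_ID> and the CIDR
# are placeholders; the /24 floor (MIN_PREFIX_LEN) is an assumed policy value.
set -eu

MIN_PREFIX_LEN=24

# Return 0 only for a well-formed IPv4 CIDR that is at least as narrow as
# /MIN_PREFIX_LEN and is not 0.0.0.0, so a typo cannot expose port 443 to
# the whole internet or to the entire VPC range.
cidr_is_acceptable() {
  cidr="$1"
  case "$cidr" in
    */*) ;;
    *) return 1 ;;   # no prefix length at all
  esac
  ip="${cidr%/*}"
  prefix="${cidr#*/}"
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -ge "$MIN_PREFIX_LEN" ] && [ "$prefix" -le 32 ] || return 1
  # Split the address on dots and check that each octet is 0-255.
  old_ifs="$IFS"; IFS=.; set -- $ip; IFS="$old_ifs"
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  [ "$ip" != "0.0.0.0" ]
}

# Open TCP/443 to the given CIDR only after the guard accepts it.
allow_https_from() {
  sg_id="$1"; cidr="$2"
  if ! cidr_is_acceptable "$cidr"; then
    echo "refusing to open 443 to '$cidr': need an IPv4 block of /$MIN_PREFIX_LEN or narrower" >&2
    return 1
  fi
  aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
    --protocol tcp --port 443 --cidr "$cidr"
}
```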
Cost Estimate
- IAM/VPC: Free (standard resources).
- AWS KMS: $1/month (prorated) per key + small usage fees.
- SageMaker (if launched): Depends on instance type (e.g., `t3.medium` is ~$0.05/hr).
Teardown
[!WARNING] To avoid recurring charges for the KMS key and any test instances, run these commands immediately after finishing.
```bash
# Delete the IAM Role
aws iam delete-role --role-name brainybee-sagemaker-role
# Schedule KMS Key deletion (7-day minimum window)
aws kms schedule-key-deletion --key-id <YOUR_KEY_ID> --pending-window-in-days 7
# Delete the VPC (Note: subnets and SGs must be deleted first if created manually)
aws ec2 delete-vpc --vpc-id <YOUR_VPC_ID>
```
Figure (architecture diagram belonging to the Architecture Overview section): an Infrastructure Layer box enclosing an Isolated ML Workflow, with an Encrypted Data Channel arrow.