The first is the system drive and is ephemeral. This hosts the operating system, Anaconda, and the Jupyter server software. The second hosts your data and anything you put into /home/ec2-user/SageMaker.

Over time your EC2 instance can become out of date and go unpatched. To patch your Jupyter notebook to the latest versions, simply stop the notebook instance and start it again. This replaces the system drive with a fresh, current image without any maintenance on your part. However, note that any changes you made to files on the system drive are destroyed when the notebook instance is stopped and started, and will need to be made again; only what is under /home/ec2-user/SageMaker persists. To keep a SageMaker notebook up to date and to save costs, it is recommended to stop a Jupyter notebook server when it is not needed and to restart it when you need to use it.

Encryption at rest

As mentioned, the EC2 instance has two EBS volumes mapped to it. By default both volumes are encrypted using a SageMaker service-managed KMS key, although you can specify a customer managed key (CMK) to be used to encrypt the storage volume. By doing this you can encrypt all of the data stored on the Jupyter notebook server under a key you control, by default and without any action by the user.

The very nature of software development means that users can obtain some OS-level access to the Jupyter notebook server. By default the Jupyter web UI allows you to open a shell terminal. When a user accesses the shell, they are logged into the EC2 instance as ec2-user. If you are familiar with Amazon Linux, this is the default username you use to gain access to an AWS EC2 instance. This user also typically has permission to sudo to the root user. This can be limited in the notebook instance configuration (the root access setting), which removes the user's permission to assume the root user. They will still have permission to install things like Python modules into their user environment, but they will not be able to modify the wider system of the notebook server.

In addition to the measures described above, you can also specify Lifecycle Configurations. These are shell scripts which execute on system bootstrap, before the notebook is made available to users. They can run on instance creation, on every start, or both. Using these scripts you can ensure that monitoring agents are installed or other hardening is performed, so that the system is in a known state before users are allowed to access it. Here we will use the lifecycle scripts to download some open source libraries from the pip mirror we created, and to create a sagemaker_environment.py file that records variables such as the network configuration and the KMS key IDs. The data scientist can then import these values directly, without being given permission to look them up themselves.

Managed and Governed

Amazon SageMaker provides managed EC2-based services such as Jupyter notebooks, training jobs, and hosted ML models. SageMaker runs the infrastructure for these components using EC2 resources dedicated to you, in a SageMaker service account. These EC2 resources can be mapped to your VPC environment, allowing you to apply your network-level controls, such as security groups, to the notebooks, training jobs, and hosted ML models. Amazon SageMaker does this by creating an ENI in your specified VPC and attaching it to the EC2 infrastructure in the service account.
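As an added example (this is not the post's own script), here is an OnStart lifecycle configuration that does what the lifecycle section above describes: it points pip at the private mirror, installs approved libraries from it, and writes sagemaker_environment.py into the persistent /home/ec2-user/SageMaker directory so the data scientist can import the network and key identifiers without IAM permission to query them. It is written as an OnStart (not only OnCreate) hook because, as explained above, the system drive is replaced on every stop/start, so /etc/pip.conf must be rewritten each time. The mirror URL, subnet, security group and KMS key identifiers, the package list, the conda kernel path and the ROOT variable (a prefix that lets the file-writing functions be exercised against a scratch directory) are assumptions for illustration.

```shell
#!/bin/bash
# Added example: OnStart lifecycle configuration for a SageMaker notebook instance.
# Runs as root on every start, so it re-applies system-drive changes that a
# stop/start erases. All identifiers below are placeholders (assumptions).
set -euo pipefail

PIP_MIRROR_URL="${PIP_MIRROR_URL:-https://pypi-mirror.internal.example/simple}"
SUBNET_ID="${SUBNET_ID:-subnet-0123456789abcdef0}"
SECURITY_GROUP_IDS="${SECURITY_GROUP_IDS:-sg-0123456789abcdef0,sg-0fedcba9876543210}"
KMS_KEY_ID="${KMS_KEY_ID:-arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab}"
PACKAGES=(pandas scikit-learn)
# Path prefix; empty in production, set to a temp dir to exercise the functions offline.
ROOT="${ROOT:-}"

# Point every pip invocation on the box (root and ec2-user) at the private mirror.
# /etc lives on the ephemeral system drive, hence rewritten on each start.
write_pip_conf() {
  local conf="$ROOT/etc/pip.conf"
  mkdir -p "$(dirname "$conf")"
  printf '[global]\nindex-url = %s\n' "$PIP_MIRROR_URL" > "$conf"
  chmod 0644 "$conf"
}

# "sg-a,sg-b" -> ["sg-a", "sg-b"]  (a Python list literal)
python_list() {
  local out="" item
  local -a items=()
  IFS=',' read -r -a items <<< "$1"
  for item in "${items[@]}"; do
    out="$out${out:+, }\"$item\""
  done
  printf '[%s]' "$out"
}

# Record the environment as a module the data scientist can import
# (from sagemaker_environment import KMS_KEY_ID). Root-owned and read-only
# for ec2-user, who has no sudo when root access is disabled.
write_environment_module() {
  local dir="$ROOT/home/ec2-user/SageMaker"
  local file="$dir/sagemaker_environment.py"
  mkdir -p "$dir"
  {
    printf '"""Generated by the notebook lifecycle configuration; do not edit."""\n'
    printf 'SUBNET_ID = "%s"\n' "$SUBNET_ID"
    printf 'SECURITY_GROUP_IDS = %s\n' "$(python_list "$SECURITY_GROUP_IDS")"
    printf 'KMS_KEY_ID = "%s"\n' "$KMS_KEY_ID"
  } > "$file"
  chmod 0644 "$file"
  if id ec2-user >/dev/null 2>&1; then chown root:ec2-user "$file"; fi
}

# Install the approved libraries from the mirror into the python3 conda kernel.
# Assumption: the activate/deactivate paths used by the stock SageMaker kernels.
install_packages() {
  sudo -u ec2-user -i <<EOF
source /home/ec2-user/anaconda3/bin/activate python3
pip install --upgrade ${PACKAGES[*]}
source /home/ec2-user/anaconda3/bin/deactivate
EOF
}

main() {
  write_pip_conf
  write_environment_module
  install_packages
}

# Lifecycle scripts run as root on the instance and must finish within five
# minutes or the start fails. The guard keeps this file from touching /etc
# when it is run anywhere other than a notebook instance.
if [ "$(id -u)" -eq 0 ] && [ -d /home/ec2-user/SageMaker ]; then
  main
fi
```

Anything that must survive a stop/start belongs under /home/ec2-user/SageMaker or in this script; packages installed into the conda environment on the system drive are gone after a restart, which is why install_packages runs from OnStart as well.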
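A second added example, again not from the post: registering an OnStart script as a lifecycle configuration and then creating a notebook instance that combines the controls from the encryption, shell access and VPC sections, using the AWS CLI. The notebook is placed in your subnet with your security groups (the ENI described under Managed and Governed), its volumes are encrypted with a customer managed KMS key, root access for ec2-user is disabled, and direct internet access is turned off so that package installs have to go through the mirror. The names, role ARN and resource IDs are placeholders; the AWS calls run only when the script is invoked with `apply <path-to-on-start-script>`, so it can be inspected or tested without credentials.

```shell
#!/bin/bash
# Added example (not the post's own commands): register a lifecycle configuration
# and create a hardened SageMaker notebook instance. IDs and ARNs are placeholders.
set -euo pipefail

LCC_NAME="${LCC_NAME:-hardened-notebook-lcc}"
NOTEBOOK_NAME="${NOTEBOOK_NAME:-ds-notebook-01}"
INSTANCE_TYPE="${INSTANCE_TYPE:-ml.t3.medium}"
ROLE_ARN="${ROLE_ARN:-arn:aws:iam::111122223333:role/SageMakerNotebookRole}"
SUBNET_ID="${SUBNET_ID:-subnet-0123456789abcdef0}"
SECURITY_GROUP_IDS="${SECURITY_GROUP_IDS:-sg-0123456789abcdef0 sg-0fedcba9876543210}"
KMS_KEY_ID="${KMS_KEY_ID:-arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab}"

# The API takes the script body base64-encoded; strip newlines so it is one argument.
encode_script() {
  base64 < "$1" | tr -d '\n'
}

# Hook the script to every start (the system drive is rebuilt on each start).
register_lifecycle_config() {
  local on_start_file="$1"
  aws sagemaker create-notebook-instance-lifecycle-config \
    --notebook-instance-lifecycle-config-name "$LCC_NAME" \
    --on-start "Content=$(encode_script "$on_start_file")"
}

# One call sets every control discussed: VPC placement, CMK, no sudo, no direct internet.
create_hardened_notebook() {
  # shellcheck disable=SC2086  # SECURITY_GROUP_IDS is intentionally word-split
  aws sagemaker create-notebook-instance \
    --notebook-instance-name "$NOTEBOOK_NAME" \
    --instance-type "$INSTANCE_TYPE" \
    --role-arn "$ROLE_ARN" \
    --subnet-id "$SUBNET_ID" \
    --security-group-ids $SECURITY_GROUP_IDS \
    --kms-key-id "$KMS_KEY_ID" \
    --lifecycle-config-name "$LCC_NAME" \
    --root-access Disabled \
    --direct-internet-access Disabled \
    --volume-size-in-gb 20
}

# Read back the settings that matter so the configuration can be verified after creation.
check_notebook() {
  aws sagemaker describe-notebook-instance \
    --notebook-instance-name "$NOTEBOOK_NAME" \
    --query '{RootAccess:RootAccess,KmsKeyId:KmsKeyId,SubnetId:SubnetId,DirectInternetAccess:DirectInternetAccess,Lifecycle:NotebookInstanceLifecycleConfigName}' \
    --output table
}

if [ "${1:-}" = "apply" ]; then
  register_lifecycle_config "${2:?path to the OnStart script}"
  create_hardened_notebook
  check_notebook
fi
```

RootAccess and the KMS key are fixed at creation time for a notebook instance, so check_notebook is the place to confirm that a notebook handed to a data scientist actually has sudo removed and the intended key before it is put into use.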