You can access Amazon SageMaker Studio notebooks from the Amazon SageMaker console via AWS Identity and Access Management (IAM) authenticated federation from your identity provider (IdP), such as Okta. When a Studio user opens the notebook link, Studio validates the federated user's IAM policy to authorize access, then generates and resolves a presigned URL for the user. Because the SageMaker console runs on an internet domain, this generated presigned URL is visible in the browser session. When proper access controls are not enforced, anyone who obtains that URL can open the notebook, which makes it an undesired threat vector for gaining access to, and exfiltrating, customer data.
Studio supports a few methods for enforcing access controls against presigned URL data exfiltration:
Client IP validation using the IAM policy condition aws:sourceIp
Client VPC validation using the IAM policy condition aws:sourceVpc
Client VPC endpoint validation using the IAM policy condition aws:sourceVpce
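The following IAM policy is an added example, not taken from the post or from AWS documentation, showing the third method (VPC endpoint validation) as an explicit deny: the sagemaker:CreatePresignedDomainUrl call that produces the presigned URL is allowed only when it arrives through a specific SageMaker API VPC endpoint. The VPC endpoint ID (vpce-0123456789abcdef0), the account ID (111122223333), the Region (us-east-1) and the domain ID (d-EXAMPLE) are placeholders you would replace with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPresignedUrlForStudioDomain",
      "Effect": "Allow",
      "Action": "sagemaker:CreatePresignedDomainUrl",
      "Resource": "arn:aws:sagemaker:us-east-1:111122223333:user-profile/d-EXAMPLE/*"
    },
    {
      "Sid": "DenyPresignedUrlUnlessViaApprovedVpcEndpoint",
      "Effect": "Deny",
      "Action": "sagemaker:CreatePresignedDomainUrl",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-0123456789abcdef0"
        }
      }
    }
  ]
}
```

The deny statement is what enforces the control: because an explicit deny overrides any allow, a CreatePresignedDomainUrl request that does not carry the approved aws:SourceVpce value is refused even if another policy grants the action. To use the first method instead, replace the condition with NotIpAddress on aws:SourceIp and list your corporate egress CIDRs; for the second method, use StringNotEquals on aws:SourceVpc with your VPC ID. Pick one method per deny statement rather than stacking all three in separate deny statements: a request that arrives through a VPC endpoint does not carry a public aws:SourceIp, so a NotIpAddress condition on that key would evaluate to true and deny the very traffic the VPC endpoint statement was meant to permit. After deploying, confirm in CloudTrail that CreatePresignedDomainUrl calls made from outside the approved path are recorded as AccessDenied.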
When you access Studio notebooks from the