feat(reorganize_folders): Merge checks. (#1196)

Co-authored-by: sergargar <sergio@verica.io>
2026-02-10 14:55:00 +00:00 · 2022-06-14 13:10:26 +02:00
parent 36fcab17f3
commit eb679f50f1
238 changed files with 0 additions and 549 deletions
--- a/providers/aws/services/sagemaker/check_extra7103
+++ b/providers/aws/services/sagemaker/check_extra7103
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7103="7.103"
+CHECK_TITLE_extra7103="[extra7103] Check if Amazon SageMaker Notebook instances have root access disabled"
+CHECK_SCORED_extra7103="NOT_SCORED"
+CHECK_CIS_LEVEL_extra7103="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7103="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7103="extra7103"
+CHECK_SEVERITY_extra7103="Medium"
+CHECK_SERVICENAME_extra7103="sagemaker"
+CHECK_RISK_extra7103='Users with root access have administrator privileges; users can access and edit all files on a notebook instance with root access enabled.'
+CHECK_REMEDIATION_extra7103='set the RootAccess field to Disabled. You can also disable root access for users when you create or update a notebook instance in the Amazon SageMaker console.'
+CHECK_DOC_extra7103='https://docs.aws.amazon.com/sagemaker/latest/dg/nbi-root-access.html'
+CHECK_CAF_EPIC_extra7103='IAM'
+
+extra7103(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text 2>&1)
+        if [[ $(echo "$LIST_SM_NB_INSTANCES" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+            textInfo "$regx: Access Denied trying to list notebook instances" "$regx"
+            continue
+        fi
+        if [[ $LIST_SM_NB_INSTANCES ]];then
+            for nb_instance in $LIST_SM_NB_INSTANCES; do
+                SM_NB_ROOTACCESS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'RootAccess' --output text)
+                if [[ "${SM_NB_ROOTACCESS}" == "Enabled" ]]; then
+                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has root access enabled" "${regx}" "$nb_instance"
+                else
+                    textPass "${regx}: Sagemaker Notebook instance $nb_instance has root access disabled" "${regx}" "$nb_instance"
+                fi
+            done
+        else
+            textInfo "${regx}: No Sagemaker Notebook instances found" "${regx}"
+        fi
+    done
+}
--- a/providers/aws/services/sagemaker/check_extra7104
+++ b/providers/aws/services/sagemaker/check_extra7104
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7104="7.104"
+CHECK_TITLE_extra7104="[extra7104] Check if Amazon SageMaker Notebook instances have VPC settings configured"
+CHECK_SCORED_extra7104="NOT_SCORED"
+CHECK_CIS_LEVEL_extra7104="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7104="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7104="extra7104"
+CHECK_SEVERITY_extra7104="Medium"
+CHECK_SERVICENAME_extra7104="sagemaker"
+CHECK_RISK_extra7104='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7104='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7104='https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html'
+CHECK_CAF_EPIC_extra7104='Infrastructure Security'
+
+extra7104(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text 2>&1)
+        if [[ $(echo "$LIST_SM_NB_INSTANCES" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+            textInfo "$regx: Access Denied trying to list notebook instances" "$regx"
+            continue
+        fi
+        if [[ $LIST_SM_NB_INSTANCES ]];then
+            for nb_instance in $LIST_SM_NB_INSTANCES; do
+                SM_NB_SUBNETID=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'SubnetId' --output text)
+                if [[ "${SM_NB_SUBNETID}" == "None" ]]; then
+                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has VPC settings disabled" "${regx}" "$nb_instance"
+                else
+                    textPass "${regx}: Sagemaker Notebook instance $nb_instance is in a VPC" "${regx}" "$nb_instance"
+                fi
+            done
+        else
+            textInfo "${regx}: No Sagemaker Notebook instances found" "${regx}"
+        fi
+    done
+}
--- a/providers/aws/services/sagemaker/check_extra7105
+++ b/providers/aws/services/sagemaker/check_extra7105
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7105="7.105"
+CHECK_TITLE_extra7105="[extra7105] Check if Amazon SageMaker Models have network isolation enabled"
+CHECK_SCORED_extra7105="NOT_SCORED"
+CHECK_CIS_LEVEL_extra7105="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7105="AwsSageMakerModel"
+CHECK_ALTERNATE_check7105="extra7105"
+CHECK_SEVERITY_extra7105="Medium"
+CHECK_SERVICENAME_extra7105="sagemaker"
+CHECK_RISK_extra7105='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7105='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7105='https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html'
+CHECK_CAF_EPIC_extra7105='Infrastructure Security'
+
+extra7105(){
+	for regx in ${REGIONS}; do
+		LIST_SM_NB_MODELS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-models --query 'Models[*].ModelName' --output text 2>&1)
+        if [[ $(echo "$LIST_SM_NB_MODELS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+            textInfo "$regx: Access Denied trying to list models" "$regx"
+            continue
+        fi
+		if [[ $LIST_SM_NB_MODELS ]];then
+			for nb_model_name in $LIST_SM_NB_MODELS; do
+				SM_NB_NETWORKISOLATION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-model --model-name $nb_model_name --query 'EnableNetworkIsolation' --output text)
+				if [[ $SM_NB_NETWORKISOLATION == False ]]; then
+					textFail "${regx}: SageMaker Model $nb_model_name has network isolation disabled" "${regx}" "$nb_model_name"
+				else
+					textPass "${regx}: SageMaker Model $nb_model_name has network isolation enabled" "${regx}" "$nb_model_name"
+				fi
+			done
+		else
+			textInfo "${regx}: No Sagemaker Models found" "${regx}"
+		fi
+	done
+}
--- a/providers/aws/services/sagemaker/check_extra7106
+++ b/providers/aws/services/sagemaker/check_extra7106
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7106="7.106"
+CHECK_TITLE_extra7106="[extra7106] Check if Amazon SageMaker Models have VPC settings configured"
+CHECK_SCORED_extra7106="NOT_SCORED"
+CHECK_CIS_LEVEL_extra7106="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7106="AwsSageMakerModel"
+CHECK_ALTERNATE_check7106="extra7106"
+CHECK_SEVERITY_extra7106="Medium"
+CHECK_SERVICENAME_extra7106="sagemaker"
+CHECK_RISK_extra7106='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7106='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7106='https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html'
+CHECK_CAF_EPIC_extra7106='Infrastructure Security'
+
+extra7106(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_MODELS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-models --query 'Models[*].ModelName' --output text 2>&1)
+        if [[ $(echo "$LIST_SM_NB_MODELS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+            textInfo "$regx: Access Denied trying to list models" "$regx"
+            continue
+        fi
+        if [[ $LIST_SM_NB_MODELS ]];then
+            for nb_model_name in $LIST_SM_NB_MODELS; do
+                SM_NB_VPCCONFIG=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-model --model-name $nb_model_name --query 'VpcConfig.Subnets' --output text)
+                if [[ $SM_NB_VPCCONFIG == "None" ]]; then
+                    textFail "${regx}: Amazon SageMaker Model $nb_model_name has VPC settings disabled" "${regx}" "$nb_model_name"
+                else
+                    textPass "${regx}: Amazon SageMaker Model $nb_model_name has VPC settings enabled" "${regx}" "$nb_model_name"
+                fi
+            done
+        else
+            textInfo "${regx}: No Sagemaker Models found" "${regx}"
+        fi
+    done
+}
--- a/providers/aws/services/sagemaker/check_extra7107
+++ b/providers/aws/services/sagemaker/check_extra7107
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7107="7.107"
+CHECK_TITLE_extra7107="[extra7107] Check if Amazon SageMaker Training jobs have intercontainer encryption enabled"
+CHECK_SCORED_extra7107="NOT_SCORED"
+CHECK_CIS_LEVEL_extra7107="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7107="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7107="extra7107"
+CHECK_SEVERITY_extra7107="Medium"
+CHECK_SERVICENAME_extra7107="sagemaker"
+CHECK_RISK_extra7107='If not restricted unintended access could happen.'
+CHECK_REMEDIATION_extra7107='Internetwork communications support TLS 1.2 encryption between all components and clients.'
+CHECK_DOC_extra7107='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
+CHECK_CAF_EPIC_extra7107='Data Protection'
+
+extra7107(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text 2>&1)
+        if [[ $(echo "$LIST_SM_NB_JOBS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+            textInfo "$regx: Access Denied trying to list training jobs" "$regx"
+            continue
+        fi
+        if [[ $LIST_SM_NB_JOBS ]];then
+            for nb_job_name in $LIST_SM_NB_JOBS; do
+                SM_NB_INTERCONTAINERENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'EnableInterContainerTrafficEncryption' --output text)
+                if [[ $SM_NB_INTERCONTAINERENCRYPTION == "False" ]]; then
+                    textFail "${regx}: SageMaker Training job $nb_job_name has intercontainer encryption disabled" "${regx}" "$nb_job_name"
+                else
+                    textPass "${regx}: SageMaker Training jobs $nb_job_name has intercontainer encryption enabled" "${regx}" "$nb_job_name"
+                fi
+            done
+        else
+            textInfo "${regx}: No Sagemaker Training found" "${regx}"
+        fi
+    done
+}
--- a/providers/aws/services/sagemaker/check_extra7108
+++ b/providers/aws/services/sagemaker/check_extra7108
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7108="7.108"
+CHECK_TITLE_extra7108="[extra7108] Check if Amazon SageMaker Training jobs have volume and output with KMS encryption enabled"
+CHECK_SCORED_extra7108="NOT_SCORED"
+CHECK_CIS_LEVEL_extra7108="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7108="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7108="extra7108"
+CHECK_SEVERITY_extra7108="Medium"
+CHECK_SERVICENAME_extra7108="sagemaker"
+CHECK_RISK_extra7108='Data exfiltration could happen if information is not protected. KMS keys provide additional security level to IAM policies.'
+CHECK_REMEDIATION_extra7108='Specify AWS KMS keys to use for input and output from S3 and EBS.'
+CHECK_DOC_extra7108='https://docs.aws.amazon.com/sagemaker/latest/dg/key-management.html'
+CHECK_CAF_EPIC_extra7108='Data Protection'
+
+extra7108(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text 2>&1)
+        if [[ $(echo "$LIST_SM_NB_JOBS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+            textInfo "$regx: Access Denied trying to list training jobs" "$regx"
+            continue
+        fi
+        if [[ $LIST_SM_NB_JOBS ]];then
+            for nb_job_name in $LIST_SM_NB_JOBS; do
+                SM_JOB_KMSENCRYPTION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'ResourceConfig.VolumeKmsKeyId' --output text)
+                if [[ "${SM_JOB_KMSENCRYPTION}" == "None" ]];then
+                    textFail "${regx}: Sagemaker Trainings job $nb_job_name has KMS encryption disabled" "${regx}" "$nb_job_name"
+                else
+                    textPass "${regx}: Sagemaker Trainings job $nb_job_name has KSM encryption enabled" "${regx}" "$nb_job_name"
+                fi
+            done
+        else
+            textInfo "${regx}: No Sagemaker Trainings jobs found" "${regx}"
+        fi
+    done
+}
--- a/providers/aws/services/sagemaker/check_extra7109
+++ b/providers/aws/services/sagemaker/check_extra7109
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7109="7.109"
+CHECK_TITLE_extra7109="[extra7109] Check if Amazon SageMaker Training jobs have network isolation enabled"
+CHECK_SCORED_extra7109="NOT_SCORED"
+CHECK_CIS_LEVEL_extra7109="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7109="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7109="extra7109"
+CHECK_SEVERITY_extra7109="Medium"
+CHECK_SERVICENAME_extra7109="sagemaker"
+CHECK_RISK_extra7109='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7109='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7109='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
+CHECK_CAF_EPIC_extra7109='Infrastructure Security'
+
+extra7109(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text 2>&1)
+        if [[ $(echo "$LIST_SM_NB_JOBS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+            textInfo "$regx: Access Denied trying to list training jobs" "$regx"
+            continue
+        fi
+        if [[ $LIST_SM_NB_JOBS ]];then
+            for nb_job_name in $LIST_SM_NB_JOBS; do
+                SM_NB_NETWORKISOLATION=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'EnableNetworkIsolation' --output text)
+                if [[ $SM_NB_NETWORKISOLATION == False ]]; then
+                    textFail "${regx}: Sagemaker Training job $nb_job_name has network isolation disabled" "${regx}" "$nb_job_name"
+                else
+                    textPass "${regx}: Sagemaker Training job $nb_job_name has network isolation enabled" "${regx}" "$nb_job_name"
+                fi
+            done
+        else
+            textInfo "${regx}: No Sagemaker Trainings jobs found" "${regx}"
+        fi
+    done
+}
--- a/providers/aws/services/sagemaker/check_extra7110
+++ b/providers/aws/services/sagemaker/check_extra7110
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7110="7.110"
+CHECK_TITLE_extra7110="[extra7110] Check if Amazon SageMaker Training job have VPC settings configured."
+CHECK_SCORED_extra7110="NOT_SCORED"
+CHECK_CIS_LEVEL_extra7110="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7110="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7110="extra7110"
+CHECK_SEVERITY_extra7110="Medium"
+CHECK_SERVICENAME_extra7110="sagemaker"
+CHECK_RISK_extra7110='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7110='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7110='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
+CHECK_CAF_EPIC_extra7110='Infrastructure Security'
+
+extra7110(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_JOBS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-training-jobs --query 'TrainingJobSummaries[*].TrainingJobName' --output text 2>&1)
+        if [[ $(echo "$LIST_SM_NB_JOBS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+            textInfo "$regx: Access Denied trying to list training jobs" "$regx"
+            continue
+        fi
+        if [[ $LIST_SM_NB_JOBS ]];then
+            for nb_job_name in $LIST_SM_NB_JOBS; do
+                SM_NB_SUBNETS=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-training-job --training-job-name $nb_job_name --query 'VpcConfig.Subnets' --output text)
+                if [[ $SM_NB_SUBNETS == "None" ]]; then
+                    textFail "${regx}: Sagemaker Training job $nb_job_name has VPC settings for the training job volume and output disabled" "${regx}" "$nb_job_name"
+                else
+                    textPass "${regx}: Sagemaker Training job $nb_job_name has VPC settings for the training job volume and output enabled" "${regx}" "$nb_job_name"
+                fi
+            done
+        else
+            textInfo "${regx}: No Sagemaker Trainings jobs found" "${regx}"
+        fi
+    done
+}
--- a/providers/aws/services/sagemaker/check_extra7111
+++ b/providers/aws/services/sagemaker/check_extra7111
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7111="7.111"
+CHECK_TITLE_extra7111="[extra7111] Check if Amazon SageMaker Notebook instances have direct internet access"
+CHECK_SCORED_extra7111="NOT_SCORED"
+CHECK_CIS_LEVEL_extra7111="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7111="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7111="extra7111"
+CHECK_SEVERITY_extra7111="Medium"
+CHECK_SERVICENAME_extra7111="sagemaker"
+CHECK_RISK_extra7111='This could provide an avenue for unauthorized access to your data.'
+CHECK_REMEDIATION_extra7111='Restrict which traffic can access by launching Studio in a Virtual Private Cloud (VPC) of your choosing.'
+CHECK_DOC_extra7111='https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html'
+CHECK_CAF_EPIC_extra7111='Infrastructure Security'
+
+extra7111(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text 2>&1)
+        if [[ $(echo "$LIST_SM_NB_INSTANCES" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+            textInfo "$regx: Access Denied trying to list notebook instances" "$regx"
+            continue
+        fi
+        if [[ $LIST_SM_NB_INSTANCES ]];then
+            for nb_instance in $LIST_SM_NB_INSTANCES; do
+                SM_NB_DIRECTINET=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'DirectInternetAccess' --output text)
+                if [[ "${SM_NB_DIRECTINET}" == "Enabled" ]]; then
+                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has direct internet access enabled" "${regx}" "$nb_instance"
+                else
+                    textPass "${regx}: Sagemaker Notebook instance $nb_instance has direct internet access disabled" "${regx}" "$nb_instance"
+                fi
+            done
+        else
+            textInfo "${regx}: No Sagemaker Notebook instances found" "${regx}"
+        fi
+    done
+}
--- a/providers/aws/services/sagemaker/check_extra7112
+++ b/providers/aws/services/sagemaker/check_extra7112
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2020) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+CHECK_ID_extra7112="7.112"
+CHECK_TITLE_extra7112="[extra7112] Check if Amazon SageMaker Notebook instances have data encryption enabled"
+CHECK_SCORED_extra7112="NOT_SCORED"
+CHECK_CIS_LEVEL_extra7112="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra7112="AwsSageMakerNotebookInstance"
+CHECK_ALTERNATE_check7112="extra7112"
+CHECK_SEVERITY_extra7112="Medium"
+CHECK_SERVICENAME_extra7112="sagemaker"
+CHECK_RISK_extra7112='Data exfiltration could happen if information is not protected. KMS keys provide additional security level to IAM policies.'
+CHECK_REMEDIATION_extra7112='Specify AWS KMS keys to use for input and output from S3 and EBS.'
+CHECK_DOC_extra7112='https://docs.aws.amazon.com/sagemaker/latest/dg/key-management.html'
+CHECK_CAF_EPIC_extra7112='Data Protection'
+
+extra7112(){
+    for regx in ${REGIONS}; do
+        LIST_SM_NB_INSTANCES=$($AWSCLI $PROFILE_OPT --region $regx sagemaker list-notebook-instances --query 'NotebookInstances[*].NotebookInstanceName' --output text 2>&1)
+        if [[ $(echo "$LIST_SM_NB_INSTANCES" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+            textInfo "$regx: Access Denied trying to list notebook instances" "$regx"
+            continue
+        fi
+        if [[ $LIST_SM_NB_INSTANCES ]];then
+            for nb_instance in $LIST_SM_NB_INSTANCES; do
+                SM_NB_KMSKEY=$($AWSCLI $PROFILE_OPT --region $regx sagemaker describe-notebook-instance --notebook-instance-name $nb_instance --query 'KmsKeyId' --output text)
+                if [[ "${SM_NB_KMSKEY}" == "None" ]]; then
+                    textFail "${regx}: Sagemaker Notebook instance $nb_instance has data encryption disabled" "${regx}" "$nb_instance"
+                else
+                    textPass "${regx}: Sagemaker Notebook instance $nb_instance has data encryption enabled" "${regx}" "$nb_instance"
+                fi
+            done
+        else
+            textInfo "${regx}: No Sagemaker Notebook instances found" "${regx}"
+        fi
+    done
+}