# Connect your Remote IDE to SageMaker spaces with remote access Remote access You can remotely connect from your Remote IDE to Amazon SageMaker Studio spaces. You can use your customized local IDE setup, including AI-assisted development tools and custom extensions, with the scalable compute resources in Amazon SageMaker AI. This guide provides concepts and setup instructions for administrators and users. A Remote IDE connection establishes a secure connection between your local IDE and SageMaker spaces. This connection lets you: + **Access SageMaker AI compute resources** — Run code on scalable SageMaker AI infrastructure from your local environment + **Maintain security boundaries** — Work within the same security framework as SageMaker AI + **Keep your familiar IDE experience** — Use compatible local extensions, themes, and configurations that support remote development **Note** Not all IDE extensions are compatible with remote development. Extensions that require local GUI components, have architecture dependencies, or need specific client-server interactions may not work properly in the remote environment. Verify that your required extensions support remote development before use. **Topics** + [ ## Key concepts ](#remote-access-key-concepts) + [ ## Connection methods ](#remote-access-connection-methods) + [ ## Supported IDEs ](#remote-access-supported-ides) + [ ## IDE version requirements ](#remote-access-ide-version-requirements) + [ ## Operating system requirements ](#remote-access-os-requirements) + [ ## Local machine prerequisites ](#remote-access-local-prerequisites) + [ ## Image requirements ](#remote-access-image-requirements) + [ ## Instance requirements ](#remote-access-instance-requirements) + [ # Set up remote access ](remote-access-remote-setup.md) + [ # Set up Remote IDE ](remote-access-local-ide-setup.md) + [ # Supported Amazon Regions ](remote-access-supported-regions.md) ## Key concepts + **Remote connection** — A secure tunnel between your Remote IDE and a SageMaker space. This connection enables interactive development and code execution using SageMaker AI compute resources. + [https://docs.amazonaws.cn/sagemaker/latest/dg/studio-updated-spaces.html](https://docs.amazonaws.cn/sagemaker/latest/dg/studio-updated-spaces.html) — A dedicated environment within Amazon SageMaker Studio where you can manage your storage and resources for your Studio applications. + **Deep link** — A button (direct URL) from the SageMaker UI that initiates a remote connection to your local IDE. ## Connection methods There are three main ways to connect your Remote IDE to SageMaker spaces: + **Deep link access** — You can connect directly to a specific space by using the **Open space with** button available in SageMaker AI. This uses URL patterns to establish a remote connection and open your SageMaker space in your Remote IDE. + [https://docs.amazonaws.cn/toolkit-for-vscode/latest/userguide/welcome.html](https://docs.amazonaws.cn/toolkit-for-vscode/latest/userguide/welcome.html) — You can authenticate with Amazon Toolkit for Visual Studio Code. This allows you to connect to spaces and open a remotely connected window from your Remote IDE. + **SSH terminal connection** — You can connect via command line using SSH configuration. ## Supported IDEs Remote connection to Studio spaces supports: + [Visual Studio Code](https://code.visualstudio.com/) + [Kiro](https://kiro.dev/) + [Cursor](https://cursor.com/home) ## IDE version requirements The following table lists the minimum version requirements for each supported Remote IDE. | IDE | Minimum version | | --- | --- | | Visual Studio Code | [v1.90](https://code.visualstudio.com/updates/v1_90) or greater. We recommend using the [latest stable version](https://code.visualstudio.com/updates). | | Kiro | v0.10.78 or greater | | Cursor | v2.6.18 or greater | The Amazon Toolkit extension is required to connect your Remote IDE to Studio spaces. For Kiro and Cursor, Amazon Toolkit extension version v3.100 or greater is required. ## Operating system requirements You need one of the following operating systems to remotely connect to Studio spaces: + macOS 13\$1 + Windows 10 + [Windows 10 support ends on October 14, 2025](https://support.microsoft.com/en-us/windows/windows-10-support-ends-on-october-14-2025-2ca8b313-1946-43d3-b55c-2b95b107f281) + Windows 11 + Linux + For VS Code, install the official [Microsoft VS Code for Linux](https://code.visualstudio.com/docs/setup/linux), not an open-source version ## Local machine prerequisites Before connecting your Remote IDE to Studio spaces, ensure your local machine has the required dependencies and network access. **Important** Environments with software installation restrictions may prevent users from installing required dependencies. The Amazon Toolkit for Visual Studio Code automatically searches for these dependencies when initiating remote connections and will prompt for installation if any are missing. Coordinate with your IT department to ensure these components are available. **Required local dependencies** Your local machine must have the following components installed: + **[Remote-SSH Extension](https://code.visualstudio.com/docs/remote/ssh)** — Remote development extension for your IDE (available in the extension marketplace for VS Code, Kiro, and Cursor) + **[Session Manager plugin](https://docs.amazonaws.cn/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html)** — Required for secure session management + **SSH Client** — Standard component on most machines ([OpenSSH recommended for Windows](https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse)) + **IDE CLI Command** — Typically included with IDE installation (for example, `code` for VS Code, `kiro` for Kiro, `cursor` for Cursor) **Platform-specific requirements** + **Windows users** — PowerShell 5.1 or later is required for SSH terminal connections **Network connectivity requirements** Your local machine must have network access to [Session Manager endpoints](https://docs.amazonaws.cn/general/latest/gr/ssm.html). For example, in US East (N. Virginia) (us-east-1) these can be: + ssm.us-east-1.amazonaws.com + ssm.us-east-1.api.aws + ssmmessages.us-east-1.amazonaws.com + ec2messages.us-east-1.amazonaws.com ## Image requirements **SageMaker Distribution images** When using SageMaker Distribution with remote access, use [SageMaker Distribution](https://docs.amazonaws.cn/sagemaker/latest/dg/sagemaker-distribution.html) version 2.7 or later. **Custom images** When you [Bring your own image (BYOI)](studio-updated-byoi.md) with remote access, ensure that you follow the [custom image specifications](https://docs.amazonaws.cn/sagemaker/latest/dg/studio-updated-byoi-specs.html) and ensure the following dependencies are installed: + `curl` or `wget` — Required for downloading Amazon CLI components + `unzip` — Required for extracting Amazon CLI installation files + `tar` — Required for archive extraction + `gzip` — Required for compressed file handling ## Instance requirements + **Memory** — 8GB or more + **Instance types** — Use instances with at least 8GB of memory. The following instance types are *not* supported due to insufficient memory (less than 8GB): `ml.t3.medium`, `ml.c7i.large`, `ml.c6i.large`, `ml.c6id.large`, and `ml.c5.large`. For a more complete list of instance types, see the [Amazon EC2 On-Demand Pricing page](https://aws.amazon.com/ec2/pricing/on-demand/). **Topics** + [ ## Key concepts ](#remote-access-key-concepts) + [ ## Connection methods ](#remote-access-connection-methods) + [ ## Supported IDEs ](#remote-access-supported-ides) + [ ## IDE version requirements ](#remote-access-ide-version-requirements) + [ ## Operating system requirements ](#remote-access-os-requirements) + [ ## Local machine prerequisites ](#remote-access-local-prerequisites) + [ ## Image requirements ](#remote-access-image-requirements) + [ ## Instance requirements ](#remote-access-instance-requirements) + [ # Set up remote access ](remote-access-remote-setup.md) + [ # Set up Remote IDE ](remote-access-local-ide-setup.md) + [ # Supported Amazon Regions ](remote-access-supported-regions.md) # Set up remote access Before users can connect their Remote IDE to Studio spaces, the administrator must configure permissions. This section provides instructions for administrators on how to set up their Amazon SageMaker AI domain with remote access. Different connection methods require different IAM permissions. Configure the appropriate permissions based on how your users will connect. Use the following workflow along with the permissions aligned with the connection method. **Important** Currently remote IDE connections are authenticated using IAM credentials, not IAM Identity Center. This applies for domains that use the IAM Identity Center [authentication method](https://docs.amazonaws.cn/sagemaker/latest/dg/onboard-custom.html#onboard-custom-authentication-details) for your users to access the domain. If you prefer not to use IAM authentication for remote connections, you can opt-out by disabling this feature using the `RemoteAccess` conditional key in your IAM policies. For more information, see [Remote access enforcement](remote-access-remote-setup-abac.md#remote-access-remote-setup-abac-remote-access-enforcement). When using IAM credentials, Remote IDE connections may maintain active sessions even after you log out of your IAM Identity Center session. Sometimes, these Remote IDE connections can persist for up to 12 hours. To ensure the security of your environment, administrators must review session duration settings where possible and be cautious when using shared workstations or public networks. 1. Choose one of the following connection method permissions that align with your users’ [Connection methods](remote-access.md#remote-access-connection-methods). 1. [Create a custom IAM policy](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_create.html) based on the connection method permission. **Topics** + [ ## Step 1: Configure security and permissions ](#remote-access-remote-setup-permissions) + [ ## Step 2: Enable remote access for your space ](#remote-access-remote-setup-enable) + [ # Advanced access control ](remote-access-remote-setup-abac.md) + [ # Set up Studio to run with subnets without internet access within a VPC ](remote-access-remote-setup-vpc-subnets-without-internet-access.md) + [ # Set up automated Studio space filtering when using the Amazon Toolkit ](remote-access-remote-setup-filter.md) ## Step 1: Configure security and permissions **Topics** + [ ### Method 1: Deep link permissions ](#remote-access-remote-setup-method-1-deep-link-permissions) + [ ### Method 2: Amazon Toolkit permissions ](#remote-access-remote-setup-method-2-aws-toolkit-permissions) + [ ### Method 3: SSH terminal permissions ](#remote-access-remote-setup-method-3-ssh-terminal-permissions) **Important** Using broad permissions for `sagemaker:StartSession`, especially with a wildcard resource `*` creates the risk that any user with this permission can initiate a session against any SageMaker Space app in the account. This can lead to the impact of data scientists unintentionally accessing other users’ SageMaker Spaces. For production environments, you should scope down these permissions to specific space ARNs to enforce the principle of least privilege. See [Advanced access control](remote-access-remote-setup-abac.md) for examples of more granular permission policies using resource ARNs, tags, and network-based constraints. ### Method 1: Deep link permissions For users connecting via deep links from the SageMaker UI, use the following permission and attach it to your SageMaker AI [space execution role](https://docs.amazonaws.cn/sagemaker/latest/dg/sagemaker-roles.html#sagemaker-roles-get-execution-role-space) or [domain execution role](https://docs.amazonaws.cn/sagemaker/latest/dg/sagemaker-roles.html#sagemaker-roles-get-execution-role). If the space execution role is not configured, the domain execution role is used by default. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "RestrictStartSessionOnSpacesToUserProfile", "Effect": "Allow", "Action": [ "sagemaker:StartSession" ], "Resource": "arn:*:sagemaker:*:*:space/${sagemaker:DomainId}/*", "Condition": { "ArnLike": { "sagemaker:ResourceTag/sagemaker:user-profile-arn": "arn:aws-cn:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}" } } } ] } ``` ------ ### Method 2: Amazon Toolkit permissions For users connecting through the Amazon Toolkit for Visual Studio Code extension, attach the following policy to one of the following: + For IAM authentication, attach this policy to the IAM user or role + For IdC authentication, attach this policy to the [Permission sets](https://docs.amazonaws.cn/singlesignon/latest/userguide/permissionsetsconcept.html) managed by the IdC To show only spaces relevant to the authenticated user, see [Filtering overview](remote-access-remote-setup-filter.md#remote-access-remote-setup-filter-overview). **Important** The following policy using `*` as the resource constraint is only recommended for quick testing purposes. For production environments, you should scope down these permissions to specific space ARNs to enforce the principle of least privilege. See [Advanced access control](remote-access-remote-setup-abac.md) for examples of more granular permission policies using resource ARNs, tags, and network-based constraints. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sagemaker:ListSpaces", "sagemaker:DescribeSpace", "sagemaker:ListApps", "sagemaker:DescribeApp", "sagemaker:DescribeDomain", "sagemaker:UpdateSpace", "sagemaker:CreateApp", "sagemaker:DeleteApp", "sagemaker:AddTags" ], "Resource": "*" }, { "Sid": "AllowStartSessionOnSpaces", "Effect": "Allow", "Action": "sagemaker:StartSession", "Resource": [ "arn:aws-cn:sagemaker:us-east-1:111122223333:space/domain-id/space-name-1", "arn:aws-cn:sagemaker:us-east-1:111122223333:space/domain-id/space-name-2" ] } ] } ``` ------ ### Method 3: SSH terminal permissions For SSH terminal connections, the `StartSession` API is called by the SSH proxy command script below, using the local Amazon credentials. See [Configure the Amazon CLI](https://docs.amazonaws.cn/cli/latest/userguide/cli-chap-configure.html) for information and instructions on setting up the user's local Amazon credentials. To use these permissions: 1. Attach this policy to the IAM user or role associated with the local Amazon credentials. 1. If using a named credential profile, modify the proxy command in your SSH config: ``` ProxyCommand '/home/user/sagemaker_connect.sh' '%h' YOUR_CREDENTIAL_PROFILE_NAME ``` **Note** The policy needs to be attached to the IAM identity (user/role) used in your local Amazon credentials configuration, not to the Amazon SageMaker AI domain execution role. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowStartSessionOnSpecificSpaces", "Effect": "Allow", "Action": "sagemaker:StartSession", "Resource": [ "arn:aws-cn:sagemaker:us-east-1:111122223333:space/domain-id/space-name-1", "arn:aws-cn:sagemaker:us-east-1:111122223333:space/domain-id/space-name-2" ] } ] } ``` ------ After setup, users can run `ssh my_studio_space_abc` to start up the space. For more information, see [Method 3: Connect from the terminal via SSH CLI](remote-access-local-ide-setup.md#remote-access-local-ide-setup-local-vs-code-method-3-connect-from-the-terminal-via-ssh-cli). ## Step 2: Enable remote access for your space After you set up the permissions, you must toggle on **Remote Access** and start your space in Studio before the user can connect using their Remote IDE. This setup only needs to be done once. **Note** If your users are connecting using [Method 2: Amazon Toolkit permissions](#remote-access-remote-setup-method-2-aws-toolkit-permissions), you do not necessarily need this step. Amazon Toolkit for Visual Studio users can enable remote access from the Toolkit. **Activate remote access for your Studio space** 1. [Launch Amazon SageMaker Studio](https://docs.amazonaws.cn/sagemaker/latest/dg/studio-updated-launch.html#studio-updated-launch-console). 1. Open the Studio UI. 1. Navigate to your space. 1. In the space details, toggle on **Remote Access**. 1. Choose **Run space**. # Advanced access control Amazon SageMaker AI supports [attribute-based access control (ABAC)](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) to achieve fine-grained access control for Remote IDE connections using ABAC policies. The following are example ABAC policies for Remote IDE connections. **Topics** + [ ## Remote access enforcement ](#remote-access-remote-setup-abac-remote-access-enforcement) + [ ## Tag-based access control ](#remote-access-remote-setup-abac-tag-based-access-control) ## Remote access enforcement Control access to resources using the `sagemaker:RemoteAccess` condition key. This is supported by both `CreateSpace` and `UpdateSpace` APIs. The following example uses `CreateSpace`. You can ensure that users cannot create spaces with remote access enabled. This helps maintain security by defaulting to more restricted access settings. The following policy ensures users can: + Create new Studio spaces where remote access is explicitly disabled + Create new Studio spaces without specifying any remote access settings ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "DenyCreateSpaceRemoteAccessEnabled", "Effect": "Deny", "Action": [ "sagemaker:CreateSpace", "sagemaker:UpdateSpace" ], "Resource": "arn:aws-cn:sagemaker:*:*:space/*", "Condition": { "StringEquals": { "sagemaker:RemoteAccess": [ "ENABLED" ] } } }, { "Sid": "AllowCreateSpace", "Effect": "Allow", "Action": [ "sagemaker:CreateSpace", "sagemaker:UpdateSpace" ], "Resource": "arn:aws-cn:sagemaker:*:*:space/*" } ] } ``` ------ ## Tag-based access control Implement [tag-based](https://docs.amazonaws.cn/whitepapers/latest/tagging-best-practices/what-are-tags.html) access control to restrict connections based on resource and principal tags. You can ensure users can only access resources appropriate for their role and project assignments. You can use the following policy to: + Allow users to connect only to spaces that match their assigned team, environment, and cost center + Implement fine-grained access control based on organizational structure In the following example, the space is tagged with the following: ``` { "Team": "ML", "Environment": "Production", "CostCenter": "12345" } ``` You can have a role that contains the following policy to match resource and principal tags: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "RestrictStartSessionOnTaggedSpacesInDomain", "Effect": "Allow", "Action": [ "sagemaker:StartSession" ], "Resource": [ "arn:aws-cn:sagemaker:us-east-1:111122223333:space/domain-id/*" ], "Condition": { "StringEquals": { "aws:ResourceTag/Team": "${aws:PrincipalTag/Team}", "aws:ResourceTag/Environment": "${aws:PrincipalTag/Environment}", "aws:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}", "aws:ResourceTag/IDC_UserName": "${aws:PrincipalTag/IDC_UserName}" } } } ] } ``` ------ When the role’s tags match, the user has permission to start the session and remotely connect to their space. See [Control access to Amazon resources using tags](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_tags.html) for more information. # Set up Studio to run with subnets without internet access within a VPC Set up private subnet with no internet access This guide shows you how to connect to Amazon SageMaker Studio spaces from your Remote IDE when your Amazon SageMaker AI domain runs in private subnets without internet access. You’ll learn about connectivity requirements and setup options to establish secure remote connections in isolated network environments. You can configure Amazon SageMaker Studio to run in VPC only mode with subnets without internet access. This setup enhances security for your machine learning workloads by operating in an isolated network environment where all traffic flows through the VPC. To enable external communications while maintaining security, use VPC endpoints for Amazon services and configure VPC PrivateLink for required Amazon dependencies. **IDE support for private subnet connections** The following table shows the supported connection methods for each Remote IDE when connecting to Studio spaces in private subnets without internet access. | Connection method | VS Code | Kiro | Cursor | | --- | --- | --- | --- | | HTTP Proxy support | Supported | Supported | Not supported | | Pre-packaged remote server and extensions | Supported | Not supported | Not supported | **Important** Cursor is not supported for connecting to Studio spaces in private subnets without outbound internet access. **Topics** + [ ## Studio remote access network requirements ](#remote-access-remote-setup-vpc-subnets-without-internet-access-network-requirements) + [ ## Setup Studio remote access network ](#remote-access-remote-setup-vpc-subnets-without-internet-access-setup) ## Studio remote access network requirements **VPC mode limitations** Studio in VPC mode only supports private subnets. Studio cannot work with subnets directly attached with an Internet Gateway (IGW). Remote IDE connections share the same limitations as SageMaker AI. For more information, see [Connect Studio notebooks in a VPC to external resources](https://docs.amazonaws.cn/sagemaker/latest/dg/studio-notebooks-and-internet-access.html). ### VPC PrivateLink requirements When SageMaker AI runs in private subnets, configure these SSM VPC endpoints in addition to standard VPC endpoints required for SageMaker. For more information, see [Connect Studio Through a VPC Endpoint](https://docs.amazonaws.cn/sagemaker/latest/dg/studio-interface-endpoint.html). + `com.amazonaws.REGION.ssm` + `com.amazonaws.REGION.ssmmessages` **VPC endpoint policy recommendations** The following are the recommended VPC endpoint policies that allow the necessary actions for remote access while using the `aws:PrincipalIsAWSService` condition to ensure only Amazon services like Amazon SageMaker AI can make the calls. For more information about the `aws:PrincipalIsAWSService` condition key, see [the documentation](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalisawsservice). **SSM endpoint policy** Use the following policy for the `com.amazonaws.REGION.ssm` endpoint: ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": [ "ssm:CreateActivation", "ssm:RegisterManagedInstance", "ssm:DeleteActivation", "ssm:DeregisterManagedInstance", "ssm:AddTagsToResource", "ssm:UpdateInstanceInformation", "ssm:UpdateInstanceAssociationStatus", "ssm:DescribeInstanceInformation", "ssm:ListInstanceAssociations", "ssm:ListAssociations", "ssm:GetDocument", "ssm:PutInventory" ], "Resource": "*", "Condition": { "BoolIfExists": { "aws:PrincipalIsAWSService": "true" } } } ] } ``` **SSM Messages endpoint policy** Use the following policy for the `com.amazonaws.REGION.ssmmessages` endpoint: ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": [ "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel", "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel" ], "Resource": "*", "Condition": { "BoolIfExists": { "aws:PrincipalIsAWSService": "true" } } } ] } ``` **VS Code specific network requirements** Remote VS Code connection requires VS Code remote development, which needs specific network access to install the remote server and extensions. See the [remote development FAQ](https://code.visualstudio.com/docs/remote/faq) in the Visual Studio Code documentation for full network requirements. The following is a summary of the requirements: + Access to Microsoft’s VS Code server endpoints is needed to install and update the VS Code remote server. + Access to Visual Studio Marketplace and related CDN endpoints is required for installing VS Code extensions through the extension panel (alternatively, extensions can be installed manually using VSIX files without internet connection). + Some extensions may require access to additional endpoints for downloading their specific dependencies. See the extension’s documentation for their specific connectivity requirements. **Kiro specific network requirements** Remote Kiro connection requires Kiro remote development, which needs specific network access to install the remote server and extensions. For firewall and proxy server configuration, see [Kiro firewall configuration](https://kiro.dev/docs/privacy-and-security/firewalls/). The requirements are similar to VS Code: + Access to Kiro server endpoints is needed to install and update the Kiro remote server. + Access to extension marketplace and related CDN endpoints is required for installing Kiro extensions through the extension panel. + Some extensions may require access to additional endpoints for downloading their specific dependencies. See the extension’s documentation for their specific connectivity requirements. ## Setup Studio remote access network You have the following options to connect your Remote IDE to Studio spaces in private subnets: + HTTP Proxy (supported for VS Code and Kiro) + Pre-packaged remote server and extensions (VS Code only) ### Set up HTTP Proxy with controlled allow-listing When your Studio space is behind a firewall or proxy, allow access to your IDE server and extension-related CDNs and endpoints. 1. Set up a public subnet to run the HTTP proxy (such as Squid), where you can configure which websites to allow. Ensure that the HTTP proxy is accessible by SageMaker spaces. 1. The public subnet can be in the same VPC used by the Studio or in separate VPC peered with all the VPCs used by Amazon SageMaker AI domains. ### Set up Pre-packaged remote server and extensions (VS Code only) **Note** This option is only available for Visual Studio Code. Kiro and Cursor do not support pre-packaged remote server setup. When your Studio spaces can’t access external endpoints to download VS Code remote server and extensions, you can pre-package them. With this approach, you export a tarball containing the `.VS Code-server` directory for a specific version of VS Code. Then, you use a SageMaker AI Lifecycle Configuration (LCC) script to copy and extract the tarball into the home directory (`/home/sagemaker-user`) of the Studio spaces. This LCC-based solution works with both Amazon-provided and custom images. Even when you’re not using private subnets, this approach accelerates the setup of the VS Code remote server and pre-installed extensions. **Instructions for pre-packaging your VS Code remote server and extensions** 1. Install VS Code on your local machine. 1. Launch a Linux-based (x64) Docker container with SSH enabled, either locally or via a Studio space with internet access. We recommend using a temporary Studio space with remote access and internet enabled for simplicity. 1. Connect your installed VS Code to the local Docker container via Remote SSH or connect to the Studio space via the Studio remote VS Code feature. VS Code installs the remote server into `.VS Code-server` in the home directory in the remote container during connection. See [Example Dockerfile usage for pre-packaging your VS Code remote server and extensions](remote-access-local-ide-setup-vpc-no-internet.md#remote-access-local-ide-setup-vpc-no-internet-pre-packaged-vs-code-remote-server-and-extensions-example-dockerfile) for more information. 1. After connecting remotely, ensure you use the VS Code Default profile. 1. Install the required VS Code extensions and validate their functionality. For example, create and run a notebook to install Jupyter notebook-related extensions in the VS Code remote server. Ensure you [install the Amazon Toolkit for Visual Studio Code extension](https://docs.amazonaws.cn/toolkit-for-visual-studio/latest/user-guide/setup.html) after connecting to the remote container. 1. Archive the `$HOME/.VS Code-server` directory (for example, `VS Code-server-with-extensions-for-1.100.2.tar.gz`) in either the local Docker container or in the terminal of the remotely connected Studio space. 1. Upload the tarball to Amazon S3. 1. Create an [LCC script](https://docs.amazonaws.cn/sagemaker/latest/dg/studio-lifecycle-configurations.html) ([Example LCC script (LCC-install-VS Code-server-v1.100.2)](remote-access-local-ide-setup-vpc-no-internet.md#remote-access-local-ide-setup-vpc-no-internet-pre-packaged-vs-code-remote-server-and-extensions-example-lcc)) that: + Downloads the specific archive from Amazon S3. + Extracts it into the home directory when a Studio space in a private subnet launches. 1. (Optional) Extend the LCC script to support per-user VS Code server tarballs stored in user-specific Amazon S3 folders. 1. (Optional) Maintain version-specific LCC scripts ([Example LCC script (LCC-install-VS Code-server-v1.100.2)](remote-access-local-ide-setup-vpc-no-internet.md#remote-access-local-ide-setup-vpc-no-internet-pre-packaged-vs-code-remote-server-and-extensions-example-lcc)) that you can attach to your spaces, ensuring compatibility between your local VS Code client and the remote server. # Set up automated Studio space filtering when using the Amazon Toolkit Set up auto space filtering Users can filter spaces in the Amazon Toolkit for Visual Studio Code explorer to display only relevant spaces. This section provides information on filtering and how to set up automated filtering. This setup only applies when using the [Method 2: Amazon Toolkit in the Remote IDE](remote-access-local-ide-setup.md#remote-access-local-ide-setup-local-vs-code-method-2-aws-toolkit-in-vs-code) method to connect from your Remote IDE to Amazon SageMaker Studio spaces. See [Set up remote access](remote-access-remote-setup.md) for more information. **Topics** + [ ## Filtering overview ](#remote-access-remote-setup-filter-overview) + [ ## Set up when connecting with IAM credentials ](#remote-access-remote-setup-filter-set-up-iam-credentials) ## Filtering overview **Manual filtering** allows users to manually select which user profiles to display spaces for through the Amazon Toolkit interface. This method works for all authentication types and takes precedence over automated filtering. To manually filter, see [Manual filtering](remote-access-local-ide-setup-filter.md#remote-access-local-ide-setup-filter-manual). **Automated filtering** automatically shows only spaces relevant to the authenticated user. This filtering behavior depends on the authentication method during sign-in. See [connecting to Amazon from the Toolkit](https://docs.amazonaws.cn/toolkit-for-vscode/latest/userguide/connect.html#connect-to-aws) in the Toolkit for VS Code User Guide for more information. The following lists the sign-in options. + **Authenticate and connect with SSO**: Automated filtering works by default. + **Authenticate and connect with IAM credentials**: Automated filtering **requires administrator setup** for the following IAM credentials. Without this setup, Amazon Toolkit cannot identify which spaces belong to the user, so all spaces are shown by default. + **Using IAM user credentials** + **Using assumed IAM role session credentials** ## Set up when connecting with IAM credentials **When using IAM user credentials** Toolkit for VS Code can match spaces belonging to user profiles that start with the authenticated IAM user name or assumed role session name. To set this up: **Note** Administrators must configure Studio user profile names to follow this naming convention for automated filtering to work correctly. + Administrators must ensure Studio user profile names follow the naming convention: + For IAM users: prefix with `IAM-user-name-` + For assumed roles: prefix with `assumed-role-session-name-` + `aws sts get-caller-identity` returns the identity information used for matching + Spaces belonging to the matched user profiles will be automatically filtered in the Toolkit for VS Code **When using assumed IAM role session credentials** In addition to the setup when using IAM user credentials above, you will need to ensure session ARNs include user identifiers as prefixes that match. You can configure trust policies that ensure session ARNs include user identifiers as prefixes. [Create a trust policy](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_create.html) and attach it to the assumed role used for authentication. This setup is not required for direct IAM user credentials or IdC authentication. **Set up trust policy for IAM role session credentials example** Create a trust policy that enforces role sessions to include the IAM user name. The following is an example policy: ``` { "Statement": [ { "Sid": "RoleTrustPolicyRequireUsernameForSessionName", "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "arn:aws:iam::ACCOUNT:root"}, "Condition": { "StringLike": {"sts:RoleSessionName": "${aws:username}"} } } ] } ``` # Set up Remote IDE After administrators complete the instructions in [Connect your Remote IDE to SageMaker spaces with remote access](remote-access.md), you can connect your Remote IDE to your remote SageMaker spaces. **Topics** + [ ## Set up your local environment ](#remote-access-local-ide-setup-local-environment) + [ ## Connect to your Remote IDE ](#remote-access-local-ide-setup-local-vs-code) + [ # Connect to VPC with subnets without internet access ](remote-access-local-ide-setup-vpc-no-internet.md) + [ # Filter your Studio spaces ](remote-access-local-ide-setup-filter.md) ## Set up your local environment Install your preferred Remote IDE on your local machine: + [Visual Studio Code](https://code.visualstudio.com/) + [Kiro](https://kiro.dev/) + [Cursor](https://cursor.com/home) For information on the version requirements, see [IDE version requirements](remote-access.md#remote-access-ide-version-requirements). ## Connect to your Remote IDE Before you can establish a connection from your Remote IDE to your remote SageMaker spaces, your administrator must [Set up remote access](remote-access-remote-setup.md). Your administrator sets up a specific method for you to establish a connection. Choose the method that was set up for you. **Topics** + [ ### Method 1: Deep link from Studio UI ](#remote-access-local-ide-setup-local-vs-code-method-1-deep-link-from-studio-ui) + [ ### Method 2: Amazon Toolkit in the Remote IDE ](#remote-access-local-ide-setup-local-vs-code-method-2-aws-toolkit-in-vs-code) + [ ### Method 3: Connect from the terminal via SSH CLI ](#remote-access-local-ide-setup-local-vs-code-method-3-connect-from-the-terminal-via-ssh-cli) ### Method 1: Deep link from Studio UI Use the following procedure to establish a connection using deep link. 1. [Launch Amazon SageMaker Studio](https://docs.amazonaws.cn/sagemaker/latest/dg/studio-updated-launch.html#studio-updated-launch-console). 1. In the Studio UI, navigate to your space. 1. Choose **Open in VS Code**, **Open in Kiro**, or **Open in Cursor** button for your preferred IDE. Ensure that your preferred IDE is already installed on your local computer. 1. When prompted, confirm to open your IDE. Your IDE opens with another pop-up to confirm. Once completed, the remote connection is established. ### Method 2: Amazon Toolkit in the Remote IDE Use the following procedure to establish a connection using the Amazon Toolkit for Visual Studio Code. This method is available for VS Code, Kiro, and Cursor. 1. Open your Remote IDE (VS Code, Kiro, or Cursor). 1. Open the Amazon Toolkit extension. 1. [Connect to Amazon](https://docs.amazonaws.cn/toolkit-for-vscode/latest/userguide/connect.html). 1. In the Amazon Explorer, expand **SageMaker AI**, then expand **Studio**. 1. Find your Studio space. 1. Choose the **Connect** icon next to your space to start it. **Note** Stop and restart the space in the Toolkit for Visual Studio to enable remote access, if not already connected. If the space is not using a supported [instance size](https://docs.amazonaws.cn/sagemaker/latest/dg/remote-access.html#remote-access-instance-requirements), you will be asked to change the instance. ### Method 3: Connect from the terminal via SSH CLI Choose one of the following platform options to view the procedure to establish a connection using the SSH CLI. **Note** Ensure that you have the latest versions of the [Local machine prerequisites](remote-access.md#remote-access-local-prerequisites) installed before following the instructions below. If you [Bring your own image (BYOI)](studio-updated-byoi.md), ensure you have installed the required dependencies listed in [Image requirements](remote-access.md#remote-access-image-requirements) before proceeding ------ #### [ Linux/macOS ] Create a shell script (for example, `/home/user/sagemaker_connect.sh`): ``` #!/bin/bash # Disable the -x option if printing each command is not needed. set -exuo pipefail SPACE_ARN="$1" AWS_PROFILE="${2:-}" # Validate ARN and extract region if [[ "$SPACE_ARN" =~ ^arn:aws[-a-z]*:sagemaker:([a-z0-9-]+):[0-9]{12}:space\/[^\/]+\/[^\/]+$ ]]; then AWS_REGION="${BASH_REMATCH[1]}" else echo "Error: Invalid SageMaker Studio Space ARN format." exit 1 fi # Optional profile flag PROFILE_ARG=() if [[ -n "$AWS_PROFILE" ]]; then PROFILE_ARG=(--profile "$AWS_PROFILE") fi # Start session START_SESSION_JSON=$(aws sagemaker start-session \ --resource-identifier "$SPACE_ARN" \ --region "${AWS_REGION}" \ "${PROFILE_ARG[@]}") # Extract fields using grep and sed SESSION_ID=$(echo "$START_SESSION_JSON" | grep -o '"SessionId": "[^"]*"' | sed 's/.*: "//;s/"$//') STREAM_URL=$(echo "$START_SESSION_JSON" | grep -o '"StreamUrl": "[^"]*"' | sed 's/.*: "//;s/"$//') TOKEN=$(echo "$START_SESSION_JSON" | grep -o '"TokenValue": "[^"]*"' | sed 's/.*: "//;s/"$//') # Validate extracted values if [[ -z "$SESSION_ID" || -z "$STREAM_URL" || -z "$TOKEN" ]]; then echo "Error: Failed to extract session information from sagemaker start session response." exit 1 fi # Call session-manager-plugin session-manager-plugin \ "{\"streamUrl\":\"$STREAM_URL\",\"tokenValue\":\"$TOKEN\",\"sessionId\":\"$SESSION_ID\"}" \ "$AWS_REGION" "StartSession" ``` 1. Make the script executable: ``` chmod +x /home/user/sagemaker_connect.sh ``` 1. Configure `$HOME/.ssh/config` to add the following entry: ``` Host space-name HostName 'arn:PARTITION:sagemaker:us-east-1:111122223333:space/domain-id/space-name' ProxyCommand '/home/user/sagemaker_connect.sh' '%h' ForwardAgent yes AddKeysToAgent yes StrictHostKeyChecking accept-new ``` For example, the `PARTITION` can be `aws`. If you need to use a [named Amazon credential profile](https://docs.amazonaws.cn/cli/v1/userguide/cli-configure-files.html#cli-configure-files-using-profiles), change the proxy command as follows: ``` ProxyCommand '/home/user/sagemaker_connect.sh' '%h' YOUR_CREDENTIAL_PROFILE_NAME ``` + Connect via SSH or run SCP command: ``` ssh space-name scp file_abc space-name:/tmp/ ``` ------ #### [ Windows ] **Prerequisites for Windows:** + PowerShell 5.1 or later + SSH client (OpenSSH recommended) Create a PowerShell script (for example, `C:\Users\user-name\sagemaker_connect.ps1`): ``` # sagemaker_connect.ps1 param( [Parameter(Mandatory=$true)] [string]$SpaceArn, [Parameter(Mandatory=$false)] [string]$AwsProfile = "" ) # Enable error handling $ErrorActionPreference = "Stop" # Validate ARN and extract region if ($SpaceArn -match "^arn:aws[-a-z]*:sagemaker:([a-z0-9-]+):[0-9]{12}:space\/[^\/]+\/[^\/]+$") { $AwsRegion = $Matches[1] } else { Write-Error "Error: Invalid SageMaker Studio Space ARN format." exit 1 } # Build Amazon CLI command $awsCommand = @("sagemaker", "start-session", "--resource-identifier", $SpaceArn, "--region", $AwsRegion) if ($AwsProfile) { $awsCommand += @("--profile", $AwsProfile) } try { # Start session and capture output Write-Host "Starting SageMaker session..." -ForegroundColor Green $startSessionOutput = & aws @awsCommand # Try to parse JSON response try { $sessionData = $startSessionOutput | ConvertFrom-Json } catch { Write-Error "Failed to parse JSON response: $_" Write-Host "Raw response was:" -ForegroundColor Yellow Write-Host $startSessionOutput exit 1 } $sessionId = $sessionData.SessionId $streamUrl = $sessionData.StreamUrl $token = $sessionData.TokenValue # Validate extracted values if (-not $sessionId -or -not $streamUrl -or -not $token) { Write-Error "Error: Failed to extract session information from sagemaker start session response." Write-Host "Parsed response was:" -ForegroundColor Yellow Write-Host ($sessionData | ConvertTo-Json) exit 1 } Write-Host "Session started successfully. Connecting..." -ForegroundColor Green # Create session manager plugin command $sessionJson = @{ streamUrl = $streamUrl tokenValue = $token sessionId = $sessionId } | ConvertTo-Json -Compress # Escape the JSON string $escapedJson = $sessionJson -replace '"', '\"' # Call session-manager-plugin & session-manager-plugin "$escapedJson" $AwsRegion "StartSession" } catch { Write-Error "Failed to start session: $_" exit 1 } ``` + Configure `C:\Users\user-name\.ssh\config` to add the following entry: ``` Host space-name HostName "arn:aws:sagemaker:us-east-1:111122223333:space/domain-id/space-name" ProxyCommand "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File "C:\\Users\\user-name\\sagemaker_connect.ps1" "%h" ForwardAgent yes AddKeysToAgent yes User sagemaker-user StrictHostKeyChecking accept-new ``` ------ # Connect to VPC with subnets without internet access Connect to private subnet with no internet access Before connecting your Remote IDE to Studio spaces in private subnets without internet access, ensure your administrator has [Set up Studio to run with subnets without internet access within a VPC](remote-access-remote-setup-vpc-subnets-without-internet-access.md). You have the following options to connect your Remote IDE to Studio spaces in private subnets: + Set up HTTP Proxy (supported for VS Code and Kiro) + Pre-packaged remote server and extensions (VS Code only) **Important** Cursor is not supported for connecting to Studio spaces in private subnets without outbound internet access. **Topics** + [ ## HTTP Proxy with controlled allow-listing ](#remote-access-local-ide-setup-vpc-no-internet-http-proxy-with-controlled-allow-listing) + [ ## Pre-packaged remote server and extensions (VS Code only) ](#remote-access-local-ide-setup-vpc-no-internet-pre-packaged-vs-code-remote-server-and-extensions) ## HTTP Proxy with controlled allow-listing When your Studio space is behind a firewall or proxy, ask your administrator to allow access to your IDE server and extension-related CDNs and endpoints. For more information, see [Set up HTTP Proxy with controlled allow-listing](remote-access-remote-setup-vpc-subnets-without-internet-access.md#remote-access-remote-setup-vpc-subnets-without-internet-access-setup-http-proxy-with-controlled-allow-listing). ------ #### [ VS Code ] Configure the HTTP proxy for VS Code remote development by providing the proxy URL with the `remote.SSH.httpProxy` or `remote.SSH.httpsProxy` setting. **Note** Consider enabling "Remote.SSH: Use Curl And Wget Configuration Files" to use the configuration from the remote environment’s `curlrc` and `wgetrc` files. This is so that the `curlrc` and `wgetrc` files, placed in their respective default locations in the SageMaker space, can be used for enabling certain cases. ------ #### [ Kiro ] Configure the HTTP proxy for Kiro remote development by setting the `aws.sagemaker.ssh.kiro.httpsProxy` setting to your HTTP or HTTPS proxy endpoint. If you use MCP (Model Context Protocol) servers in Kiro, you also need to add the proxy environment variables to your MCP server configuration: ``` "env": { "http_proxy": "${http_proxy}", "https_proxy": "${https_proxy}" } ``` ------ This option works when you are allowed to set up HTTP proxy and lets you install additional extensions flexibly, as some extensions require a public endpoint. ## Pre-packaged remote server and extensions (VS Code only) **Note** This option is only available for Visual Studio Code. Kiro and Cursor do not support pre-packaged remote server setup. When your Studio spaces can’t access external endpoints to download VS Code remote server and extensions, you can pre-package them. With this approach, your administrator can export a tarball containing the `.VS Code-server` directory for a specific version of VS Code. Then, the administrator uses a SageMaker AI Lifecycle Configuration (LCC) script to copy and extract the tarball into your home directory (`/home/sagemaker-user`). For more information, see [Set up Pre-packaged remote server and extensions (VS Code only)](remote-access-remote-setup-vpc-subnets-without-internet-access.md#remote-access-remote-setup-vpc-subnets-without-internet-access-setup-pre-packaged-vs-code-remote-server-and-extensions). **Instructions for using pre-packaging for your VS Code remote server and extensions** 1. Install VS Code on your local machine 1. When you connect to the SageMaker space: + Use the Default profile to ensure compatibility with pre-packaged extensions. Otherwise, you’ll need to install extensions using downloaded VSIX files after connecting to the Studio space. + Choose a VS Code version specific LCC script to attach to the space when you launch the space. ### Example Dockerfile usage for pre-packaging your VS Code remote server and extensions The following is a sample Dockerfile to launch a local container with SSH server pre-installed, if it is not possible to create a space with remote access and internet enabled. **Note** In this example the SSH server does not require authentication and is only used for exporting the VS Code remote server. The container should be built and run on an x64 architecture. ``` FROM amazonlinux:2023 # Install OpenSSH server and required tools RUN dnf install -y \ openssh-server \ shadow-utils \ passwd \ sudo \ tar \ gzip \ && dnf clean all # Create a user with no password RUN useradd -m -s /bin/bash sagemaker-user && \ passwd -d sagemaker-user # Add sagemaker-user to sudoers via wheel group RUN usermod -aG wheel sagemaker-user && \ echo 'sagemaker-user ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/sagemaker-user && \ chmod 440 /etc/sudoers.d/sagemaker-user # Configure SSH to allow empty passwords and password auth RUN sed -i 's/^#\?PermitEmptyPasswords .*/PermitEmptyPasswords yes/' /etc/ssh/sshd_config && \ sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication yes/' /etc/ssh/sshd_config # Generate SSH host keys RUN ssh-keygen -A # Expose SSH port EXPOSE 22 WORKDIR /home/sagemaker-user USER sagemaker-user # Start SSH server CMD ["bash"] ``` Use the following commands to build and run the container: ``` # Build the image docker build . -t remote_server_export # Run the container docker run --rm -it -d \ -v /tmp/remote_access/.VS Code-server:/home/sagemaker-user/.VS Code-server \ -p 2222:22 \ --name remote_server_export \ remote_server_export # change the permisson for the mounted folder docker exec -i remote_server_export \ bash -c 'sudo chown sagemaker-user:sagemaker-user ~/.VS Code-server' # start the ssh server in the container docker exec -i remote_server_export bash -c 'sudo /usr/sbin/sshd -D &' ``` Connect using the following command: ``` ssh sagemaker-user@localhost -p 2222 ``` Before this container can be connected, configure the following in the `.ssh/config` file. Afterwards you will be able to see the `remote_access_export` as a host name in the remote SSH side panel when connecting. For example: ``` Host remote_access_export HostName localhost User=sagemaker-user Port 2222 ForwardAgent yes ``` Archive `/tmp/remote_access/.VS Code-server` and follow the steps in Pre-packaged VS Code remote server and extensions to connect and install the extension. After unzipping, ensure that the `.VS Code-server` folder shows as the parent folder. ``` cd /tmp/remote_access/ sudo tar -czvf VS Code-server-with-extensions-for-1.100.2.tar.gz .VS Code-server ``` ### Example LCC script (LCC-install-VS Code-server-v1.100.2) The following is an example of how to install a specific version of VS Code remote server. ``` #!/bin/bash set -x remote_server_file=VS Code-server-with-extensions-for-1.100.2.tar.gz if [ ! -d "${HOME}/.VS Code-server" ]; then cd /tmp aws s3 cp s3://S3_BUCKET/remote_access/${remote_server_file} . tar -xzvf ${remote_server_file} mv .VS Code-server "${HOME}" rm ${remote_server_file} else echo "${HOME}/.VS Code-server already exists, skipping download and install." fi ``` # Filter your Studio spaces You can use filtering to display only the relevant Amazon SageMaker AI spaces in the Amazon Toolkit for Visual Studio Code explorer. The following provides information on manual filtering and automated filtering. For more information on the definitions of manual and automatic filtering, see [Filtering overview](remote-access-remote-setup-filter.md#remote-access-remote-setup-filter-overview). This setup only applies when using the [Method 2: Amazon Toolkit in the Remote IDE](remote-access-local-ide-setup.md#remote-access-local-ide-setup-local-vs-code-method-2-aws-toolkit-in-vs-code) method to connect from your Remote IDE to Amazon SageMaker Studio spaces. See [Set up remote access](remote-access-remote-setup.md) for more information. **Topics** + [ ## Manual filtering ](#remote-access-local-ide-setup-filter-manual) + [ ## Automatic filtering setup when using IAM credentials to sign-in ](#remote-access-local-ide-setup-filter-automatic-IAM-credentials) ## Manual filtering To manually filter displayed spaces: + Open your Remote IDE and navigate to the Toolkit for VS Code side panel explorer + Find the **SageMaker AI** section + Choose the filter icon on the right of the SageMaker AI section header. This will open a dropdown menu. + In the dropdown menu, select the user profiles for which you want to display spaces ## Automatic filtering setup when using IAM credentials to sign-in Automated filtering depends on the authentication method during sign-in. See [Connecting to Amazon from the Toolkit](https://docs.amazonaws.cn/toolkit-for-vscode/latest/userguide/connect.html#connect-to-aws) in the Toolkit for VS Code User Guide for more information. When you authenticate and connect with **IAM Credentials**, automated filtering requires [Set up when connecting with IAM credentials](remote-access-remote-setup-filter.md#remote-access-remote-setup-filter-set-up-iam-credentials). Without this setup, if users opt-in for identity filtering, no spaces will be shown. Once the above is set up, Amazon Toolkit matches spaces belonging to user profiles that start with the authenticated IAM user name or assumed role session name. Automatic filtering is opt-in for users: + Open your Remote IDE settings + Navigate to the **Amazon Toolkit** extension + Find **Enable Identity Filtering** + Choose to enable automatic filtration of spaces based on your Amazon identity # Supported Amazon Regions The following table lists the Amazon Regions where Remote IDE connections to Studio spaces are supported, along with the IDEs available in each Region. | Amazon Region | VS Code | Kiro | Cursor | | --- | --- | --- | --- | | us-east-1 | Supported | Supported | Supported | | us-east-2 | Supported | Supported | Supported | | us-west-1 | Supported | Supported | Supported | | us-west-2 | Supported | Supported | Supported | | af-south-1 | Supported | Supported | Supported | | ap-east-1 | Supported | Supported | Supported | | ap-south-1 | Supported | Supported | Supported | | ap-northeast-1 | Supported | Supported | Supported | | ap-northeast-2 | Supported | Supported | Supported | | ap-northeast-3 | Supported | Supported | Supported | | ap-southeast-1 | Supported | Supported | Supported | | ap-southeast-2 | Supported | Supported | Supported | | ap-southeast-3 | Supported | Supported | Supported | | ap-southeast-5 | Supported | Supported | Supported | | ca-central-1 | Supported | Supported | Supported | | eu-central-1 | Supported | Supported | Supported | | eu-central-2 | Supported | Supported | Supported | | eu-north-1 | Supported | Supported | Supported | | eu-south-1 | Supported | Supported | Supported | | eu-south-2 | Supported | Supported | Supported | | eu-west-1 | Supported | Supported | Supported | | eu-west-2 | Supported | Supported | Supported | | eu-west-3 | Supported | Supported | Supported | | il-central-1 | Supported | Supported | Supported | | me-central-1 | Supported | Not supported | Not supported | | me-south-1 | Supported | Not supported | Not supported | | sa-east-1 | Supported | Supported | Supported |