A company is preparing a lab playground of Amazon SageMaker notebooks for its Data Science team. A new security policy requires that the training data, stored in an Amazon S3 bucket, stay within the AWS network and not be exposed to the public Internet. The company currently has Internet-enabled notebook instances that could run malicious code and compromise data privacy. How can the company achieve this?