
AWS SageMaker notebook instance is not configured with data encryption at rest using KMS key

Description

This is a straightforward check to ensure data encryption for SageMaker notebooks: it verifies that the notebook instance is encrypted with a customer managed key (CMK).

Fix - Runtime

AWS Console

There is currently no way to enable encryption on an existing notebook; it will need to be recreated.

Fix - Buildtime

Terraform

  • **Resource:** aws_sagemaker_endpoint_configuration
  • **Argument:** kms_key_arn; specifying a KMS key will ensure data encryption.

This modification will result in the resource being recreated.

aws_sagemaker_endpoint_configuration.examplea.tf

```
resource "aws_sagemaker_endpoint_configuration" "example" {
  ...
  name = "my-endpoint-config"
+ kms_key_arn = aws_kms_key.examplea.arn
  production_variants {
    variant_name           = "variant-1"
    model_name             = aws_sagemaker_model.examplea.name
    initial_instance_count = 1
    instance_type          = "ml.t2.medium"
  }
  ...
}
```
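The snippet above covers the endpoint configuration; the notebook instance named in the check title is encrypted through its own kms_key_id argument. The following is an added example, not part of the original page, showing a complete notebook instance configuration with a customer managed key; the resource names (aws_kms_key.notebook, aws_iam_role.sagemaker, the instance name) are assumptions.

```hcl
# Customer managed key for the notebook's ML storage volume (constructed example).
resource "aws_kms_key" "notebook" {
  description         = "CMK for SageMaker notebook instance storage volume"
  enable_key_rotation = true
}

# Execution role the notebook instance assumes (assumed name; trust policy only).
data "aws_iam_policy_document" "sagemaker_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["sagemaker.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "sagemaker" {
  name               = "sagemaker-notebook-role"
  assume_role_policy = data.aws_iam_policy_document.sagemaker_assume.json
}

resource "aws_sagemaker_notebook_instance" "example" {
  name          = "my-notebook-instance"
  role_arn      = aws_iam_role.sagemaker.arn
  instance_type = "ml.t2.medium"

  # Without kms_key_id the instance is not using a customer managed key,
  # which is what this check flags. Adding it to an existing instance forces
  # the instance to be recreated, as described under "Fix - Runtime" above.
  kms_key_id = aws_kms_key.notebook.arn
}
```

Running `terraform plan` on an instance that previously lacked kms_key_id shows the resource marked for replacement, which is the expected outcome rather than an in-place update.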