Skip to content

AWS SageMaker notebook instance is not configured with data encryption at rest using KMS key

Description

This is a straight-forward check to ensure data encryption for Sagemaker notebooks, this check verifies that the cluster is encrypted with a Customer managed Key (CMK).

Fix - Runtime

AWS Console

There is no current way of enabling encryption on an existing notebook, it will need to be recreated.

Fix - Buildtime

Terraform

  • **Resource: ** aws_sagemaker_endpoint_configuration
  • Argument: kms_key_arn, specifying a KMS key will ensure data encryption.

This modification will result in the resource being recreated.

resource "aws_sagemaker_endpoint_configuration" "example" {
  ...
  name        = "my-endpoint-config"
+ kms_key_arn = aws_kms_key.examplea.arn
  production_variants {
    variant_name           = "variant-1"
    model_name             = aws_sagemaker_model.examplea.name
    initial_instance_count = 1
    instance_type          = "ml.t2.medium"
  }
  ...
}