Data stored in SageMaker is not securely encrypted at rest
Description
Amazon SageMaker lets you supply an AWS Key Management Service (AWS KMS) key that SageMaker uses to encrypt the ML storage volumes attached to the following resources (for endpoints, the key is set on the endpoint configuration):
- Storage volume
- Processing jobs
- Training jobs
- Hyperparameter tuning jobs
- Batch transform jobs
- Endpoints
Encrypting these volumes at rest with a key you control means that everything written to them (notebook source, downloaded datasets, checkpoints, model artifacts, any credentials left on disk) is protected by a key whose access policy, rotation and audit trail you manage, and helps you meet regulatory requirements for customer-managed encryption at rest.
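Because the resources listed above each carry their KMS key in a different field, an audit has to know where to look. The following Python is an added example, not code from the original page or from the project behind it: it evaluates the JSON returned by `aws sagemaker describe-<resource>` (or the boto3 `describe_*` calls) and reports resources with no customer-specified key for the ML storage volume, or for the S3 output location where the resource type has one. The dotted field paths follow the SageMaker API response shapes; the sample responses, resource names, bucket and key ARN are constructed so it runs offline. An absent field only means you did not specify a key; the check does not look at what AWS may encrypt with its own keys.

```python
"""Audit SageMaker describe-* responses for resources with no KMS key set.

Added example, not code from the original page. It works on the JSON that
`aws sagemaker describe-<resource>` or boto3's describe_* calls return, so
it runs offline against the constructed sample responses below.
"""
from typing import Any, Dict, List, Optional, Tuple

# Where each describe-* response carries its KMS key fields.
# "volume" is the ML storage volume attached to the instance; "output" is the
# key used for artifacts written to Amazon S3 (not every type has one).
KMS_FIELDS: Dict[str, Dict[str, str]] = {
    "NotebookInstance": {"volume": "KmsKeyId"},
    "TrainingJob": {"volume": "ResourceConfig.VolumeKmsKeyId",
                    "output": "OutputDataConfig.KmsKeyId"},
    "ProcessingJob": {"volume": "ProcessingResources.ClusterConfig.VolumeKmsKeyId",
                      "output": "ProcessingOutputConfig.KmsKeyId"},
    "HyperParameterTuningJob": {
        "volume": "TrainingJobDefinition.ResourceConfig.VolumeKmsKeyId",
        "output": "TrainingJobDefinition.OutputDataConfig.KmsKeyId"},
    "TransformJob": {"volume": "TransformResources.VolumeKmsKeyId",
                     "output": "TransformOutput.KmsKeyId"},
    "EndpointConfig": {"volume": "KmsKeyId"},
}

# Name field of each describe-* response, used to label findings.
NAME_FIELDS: Dict[str, str] = {
    "NotebookInstance": "NotebookInstanceName",
    "TrainingJob": "TrainingJobName",
    "ProcessingJob": "ProcessingJobName",
    "HyperParameterTuningJob": "HyperParameterTuningJobName",
    "TransformJob": "TransformJobName",
    "EndpointConfig": "EndpointConfigName",
}


def _lookup(doc: Dict[str, Any], dotted_path: str) -> Optional[Any]:
    """Follow a dotted path through nested dicts; None if any step is missing."""
    cur: Any = doc
    for part in dotted_path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def missing_kms(resource_type: str, describe_output: Dict[str, Any]) -> List[str]:
    """Return which KMS fields ("volume", "output") are absent or empty."""
    return [label for label, path in KMS_FIELDS[resource_type].items()
            if not _lookup(describe_output, path)]


def audit(resources: List[Tuple[str, Dict[str, Any]]]) -> List[Dict[str, Any]]:
    """One finding per resource that lacks at least one KMS key field."""
    findings = []
    for rtype, doc in resources:
        gaps = missing_kms(rtype, doc)
        if gaps:
            findings.append({"type": rtype,
                             "name": doc.get(NAME_FIELDS[rtype], "<unnamed>"),
                             "missing": gaps})
    return findings


# Constructed sample responses, trimmed to the relevant fields. The key ARN is
# the placeholder used in AWS documentation, not a real key.
SAMPLE_KEY = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_RESOURCES: List[Tuple[str, Dict[str, Any]]] = [
    ("NotebookInstance", {"NotebookInstanceName": "nb-unencrypted",
                          "InstanceType": "ml.t3.medium"}),
    ("NotebookInstance", {"NotebookInstanceName": "nb-cmk",
                          "InstanceType": "ml.t3.medium", "KmsKeyId": SAMPLE_KEY}),
    ("TrainingJob", {"TrainingJobName": "train-volume-only",
                     "ResourceConfig": {"VolumeKmsKeyId": SAMPLE_KEY},
                     "OutputDataConfig": {"S3OutputPath": "s3://example-bucket/out/"}}),
    ("EndpointConfig", {"EndpointConfigName": "ep-cmk", "KmsKeyId": SAMPLE_KEY}),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RESOURCES):
        print(f"{f['type']} {f['name']}: no KMS key for {', '.join(f['missing'])}")
```

Run against the samples it reports `nb-unencrypted` (no volume key) and `train-volume-only` (volume key set, but artifacts written to S3 without a key), and nothing for the two resources that set a key. To use it on a real account, feed it the output of the corresponding `describe-*` calls for each resource you list.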
Fix - Runtime
AWS Console
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Open the Amazon SageMaker console.
- Select Notebook instances, then click Create Notebook Instance.
- On the Create Notebook Instance page, provide the required information.
- Under Encryption key, choose the AWS Key Management Service (AWS KMS) key that SageMaker should use to encrypt the ML storage volume attached to the notebook instance. Anything you keep on that volume (notebooks, datasets, credentials) is then encrypted with the key you selected.
CLI Command
To create a SageMaker notebook instance whose ML storage volume is encrypted with your KMS key (--role-arn is required by the API; --kms-key-id takes the ID or ARN of the key):
aws sagemaker create-notebook-instance \
  --notebook-instance-name <value> \
  --instance-type <value> \
  --role-arn <value> \
  --kms-key-id <value>
The key cannot be changed on an existing notebook instance (update-notebook-instance has no --kms-key-id option), so an instance created without one must be recreated.
Fix - Buildtime
Terraform
- Resource: aws_sagemaker_notebook_instance
- Attribute: kms_key_id - (Optional) The AWS Key Management Service (AWS KMS) key that Amazon SageMaker uses to encrypt the ML storage volume attached to the notebook instance. Changing it forces a new resource.
resource "aws_sagemaker_notebook_instance" "example" {
...
name = "my-notebook-instance"
+ kms_key_id = <value>
...
}