🛡️ AWS SageMaker Endpoint Config does not specify a KMS key🟢

Contextual name: 🛡️ Endpoint Config does not specify a KMS key🟢
ID: /ce/ca/aws/sagemaker/endpoint-config-encryption-with-kms
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS SageMaker Endpoint Config
- 🔌 AWS SageMaker Endpoint Config - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

Cloud Conformity: Endpoints Encrypted With KMS Customer Managed Keys

Description

Description

This policy identifies AWS SageMaker Endpoint Configurations that do not use an AWS KMS customer-managed key (CMK) for storage encryption.

Rationale

By default, the storage volume for a SageMaker endpoint is encrypted with a temporary, Amazon-managed key. Using a customer-managed KMS key provides an additional layer of security and control. It enables you to manage the key lifecycle, define access policies, and audit key usage, which is critical for protecting sensitive machine learning models and associated data.

Audit

This policy flags an AWS SageMaker Endpoint Config as INCOMPLIANT if the KMS Key ID field is empty.

Remediation

Open File

Remediation

Enable Encryption for SageMaker Endpoints Using Customer-Managed KMS Keys

Existing SageMaker endpoint configurations cannot be directly modified to add encryption. To enable encryption with a customer-managed KMS key, create a new endpoint configuration with the desired KMS key and update the endpoint to use it.

From Command Line
Retrieve the existing endpoint configuration to obtain the ProductionVariants details.

Save the ProductionVariants array to a file named production-variants.json:
aws sagemaker describe-endpoint-config \
    --endpoint-config-name {{old-config-name}} \
    --query 'ProductionVariants' \
    --output json > production-variants.json
Example production-variants.json content:
[
    {
        "VariantName": "AllTraffic",
        "ModelName": "model-name",
        "InitialInstanceCount": 1,
        "InstanceType": "ml.t2.medium",
        "InitialVariantWeight": 1.0
    }
]
Create a new endpoint configuration with the KMS key:
... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Well-Architected → 💼 SEC08-BP02 Enforce encryption at rest			20		no data
💼 Cloudaware Framework → 💼 Data Encryption			70		no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Audit​

Remediation​

Remediation​

Enable Encryption for SageMaker Endpoints Using Customer-Managed KMS Keys​

From Command Line​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Audit

Remediation

Remediation

Enable Encryption for SageMaker Endpoints Using Customer-Managed KMS Keys

From Command Line

policy.yaml

Linked Framework Sections