🛡️ AWS SageMaker Endpoint Config does not specify a KMS key🟢

• Contextual name: 🛡️ Endpoint Config does not specify a KMS key🟢
• ID: /ce/ca/aws/sagemaker/endpoint-config-encryption-with-kms
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS SageMaker Endpoint Config
  • 🔌 AWS SageMaker Endpoint Config - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Endpoints Encrypted With KMS Customer Managed Keys

Description

Open File

Description

This policy identifies AWS SageMaker Endpoint Configurations that do not use an AWS KMS customer-managed key (CMK) for storage encryption.

Rationale

By default, the storage volume for a SageMaker endpoint is encrypted with a temporary, Amazon-managed key. Using a customer-managed KMS key provides an additional layer of security and control. It enables you to manage the key lifecycle, define access policies, and audit key usage, which is critical for protecting sensitive machine learning models and associated data.

Audit

This policy flags an AWS SageMaker Endpoint Configs as INCOMPLIANT if the KMS Key ID field is empty.

Remediation

Open File

Remediation

Enable Encryption for SageMaker Endpoints Using Customer-Managed KMS Keys

Existing SageMaker endpoint configurations cannot be directly modified to add encryption. To enable encryption with a customer-managed KMS key, create a new endpoint configuration with the desired KMS key and update the endpoint to use it.

From Command Line

1. Retrieve the existing endpoint configuration to obtain the ProductionVariants details.

   Save the ProductionVariants array to a file named production-variants.json:

   aws sagemaker describe-endpoint-config \
       --endpoint-config-name {{old-config-name}} \
       --query 'ProductionVariants' \
       --output json > production-variants.json

   Example production-variants.json content:

   [
       {
           "VariantName": "AllTraffic",
           "ModelName": "model-name",
           "InitialInstanceCount": 1,
           "InstanceType": "ml.t2.medium",
           "InitialVariantWeight": 1.0
       }
   ]

2. Create a new endpoint configuration with the KMS key:

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Well-Architected → 💼 SEC08-BP02 Enforce encryption at rest			14		no data
💼 Cloudaware Framework → 💼 Data Encryption			54		no data