
Remediation

Enable Encryption for SageMaker Endpoints Using Customer-Managed KMS Keys

SageMaker endpoint configurations are immutable, so encryption cannot be added to an existing one in place. To encrypt the ML storage volumes attached to the endpoint's instances with a customer-managed KMS key, create a new endpoint configuration that sets KmsKeyId (a key ID, key ARN, alias name, or alias ARN) and update the endpoint to use it. Before doing so, confirm that the key policy allows the IAM execution role used by the endpoint to use the key; otherwise the update fails. Note also that instance types with local NVMe storage encrypt that storage with a hardware module on the instance and do not accept a KmsKeyId in the endpoint configuration.

From Command Line

  1. Retrieve the existing endpoint configuration to obtain the ProductionVariants details.

    Save the ProductionVariants array to a file named production-variants.json:

    aws sagemaker describe-endpoint-config \
    --endpoint-config-name {{old-config-name}} \
    --query 'ProductionVariants' \
    --output json > production-variants.json

    Example production-variants.json content:

    [
      {
        "VariantName": "AllTraffic",
        "ModelName": "model-name",
        "InitialInstanceCount": 1,
        "InstanceType": "ml.t2.medium",
        "InitialVariantWeight": 1.0
      }
    ]

    Only the fields you copy are carried over. If the existing configuration also sets DataCaptureConfig, AsyncInferenceConfig, or other options, note them in the same describe output and pass them to the new configuration in the next step, otherwise they are silently dropped.

  2. Create a new endpoint configuration with the KMS key:

    aws sagemaker create-endpoint-config \
    --endpoint-config-name {{new-encrypted-config-name}} \
    --production-variants file://production-variants.json \
    --kms-key-id {{kms-key-arn}}
  3. Update the endpoint to use the new configuration.

    The endpoint enters the Updating state while SageMaker provisions a new fleet with the new configuration, shifts traffic to it, and then retires the old instances. There is no loss of availability, but the update takes several minutes and both fleets run in parallel during that time:

    aws sagemaker update-endpoint \
    --endpoint-name {{endpoint-name}} \
    --endpoint-config-name {{new-encrypted-config-name}}

  4. After confirming that the endpoint reports InService with the new configuration, delete the old, unencrypted endpoint configuration so it cannot be reused. Do not delete it earlier: an endpoint configuration must not be deleted while an endpoint that uses it is live or while an update is in progress.

    aws sagemaker delete-endpoint-config \
    --endpoint-config-name {{old-config-name}}
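The whole procedure above as one script, added here as an example and not code from the original page. It is written with boto3 rather than the AWS CLI so that the configuration copy and the post-update check are plain functions that can be exercised offline. Everything that talks to AWS sits in rotate_endpoint, which assumes boto3 and credentials permitted to call DescribeEndpoint, DescribeEndpointConfig, CreateEndpointConfig, UpdateEndpoint and DeleteEndpointConfig; the function names, READ_ONLY_FIELDS and SAMPLE_OLD_CONFIG are this example's own, and the sample uses a constructed key ARN. Unlike the CLI steps, build_encrypted_config carries over every setting of the old configuration (DataCaptureConfig, AsyncInferenceConfig and so on), not only ProductionVariants.

```python
"""Move a SageMaker endpoint onto a configuration whose ML storage volume is
encrypted with a customer-managed KMS key (added example, not the page's code)."""
import copy
import time

# Fields DescribeEndpointConfig returns that CreateEndpointConfig does not accept
# (example's own list; ResponseMetadata is boto3's, the rest are read-only).
READ_ONLY_FIELDS = {"EndpointConfigName", "EndpointConfigArn",
                    "CreationTime", "ResponseMetadata"}

# Constructed sample of a DescribeEndpointConfig response, for offline use.
SAMPLE_OLD_CONFIG = {
    "EndpointConfigName": "old-config",
    "EndpointConfigArn": "arn:aws:sagemaker:us-east-1:123456789012:endpoint-config/old-config",
    "ProductionVariants": [{"VariantName": "AllTraffic", "ModelName": "model-name",
                            "InitialInstanceCount": 1, "InstanceType": "ml.t2.medium",
                            "InitialVariantWeight": 1.0}],
    "DataCaptureConfig": {"EnableCapture": True, "InitialSamplingPercentage": 10,
                          "DestinationS3Uri": "s3://example-bucket/capture",
                          "CaptureOptions": [{"CaptureMode": "Input"}]},
    "CreationTime": "2024-01-01T00:00:00+00:00",
}
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"


def build_encrypted_config(old_config, new_name, kms_key_arn):
    """Turn a DescribeEndpointConfig response into CreateEndpointConfig kwargs.

    Every setting of the old configuration is carried over unchanged; only the
    name and KmsKeyId differ, so data capture and async settings are not lost.
    """
    new_config = {k: copy.deepcopy(v) for k, v in old_config.items()
                  if k not in READ_ONLY_FIELDS}
    new_config["EndpointConfigName"] = new_name
    new_config["KmsKeyId"] = kms_key_arn
    return new_config


def is_encrypted_with(config, kms_key_arn):
    """True when the configuration's storage-volume key is the expected one."""
    return config.get("KmsKeyId") == kms_key_arn


def new_config_name(old_name):
    """Derive a unique name that stays under the 63-character limit."""
    return f"{old_name[:40]}-kms-{int(time.time())}"


def rotate_endpoint(endpoint_name, kms_key_arn, delete_old=False, timeout_seconds=1800):
    """Create the encrypted configuration, apply it, verify, optionally delete the old one."""
    import boto3  # imported here so the helpers above work without boto3 installed
    sm = boto3.client("sagemaker")

    old_name = sm.describe_endpoint(EndpointName=endpoint_name)["EndpointConfigName"]
    old_config = sm.describe_endpoint_config(EndpointConfigName=old_name)
    if is_encrypted_with(old_config, kms_key_arn):
        return old_name  # already using the required key; nothing to do

    new_name = new_config_name(old_name)
    sm.create_endpoint_config(**build_encrypted_config(old_config, new_name, kms_key_arn))
    sm.update_endpoint(EndpointName=endpoint_name, EndpointConfigName=new_name)

    # UpdateEndpoint provisions a new fleet and shifts traffic; block until InService
    # (the waiter raises if the endpoint ends up Failed or the timeout elapses).
    sm.get_waiter("endpoint_in_service").wait(
        EndpointName=endpoint_name,
        WaiterConfig={"Delay": 30, "MaxAttempts": max(1, timeout_seconds // 30)})

    # Verify the live endpoint really runs the encrypted configuration.
    live = sm.describe_endpoint(EndpointName=endpoint_name)
    live_config = sm.describe_endpoint_config(EndpointConfigName=live["EndpointConfigName"])
    if live["EndpointConfigName"] != new_name or not is_encrypted_with(live_config, kms_key_arn):
        raise RuntimeError(f"{endpoint_name} is not serving from encrypted config {new_name}")

    # Only now is the old configuration safe to remove (it is no longer in use).
    if delete_old:
        sm.delete_endpoint_config(EndpointConfigName=old_name)
    return new_name


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    planned = build_encrypted_config(SAMPLE_OLD_CONFIG, "old-config-kms", SAMPLE_KEY_ARN)
    print(sorted(planned))
    print("encrypted:", is_encrypted_with(planned, SAMPLE_KEY_ARN))
```

Run it as rotate_endpoint("my-endpoint", key_arn) from a session whose credentials can manage the endpoint; pass delete_old=True only once the verification at the end has passed at least once, since the old configuration is the only rollback target until then.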