AWS SageMaker Notebook Instance is not encrypted with a Customer-Managed KMS key
- Contextual name: Notebook Instance is not encrypted with a Customer-Managed KMS key
- ID: /ce/ca/aws/sagemaker/notebook-instance-encryption-with-cmk
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
Similar Policies
- Cloud Conformity: Notebook Data Encrypted With KMS Customer Managed Keys
Description
This policy identifies AWS SageMaker Notebook Instances that are not configured to use a Customer-Managed Key (CMK) from AWS Key Management Service (KMS) for encrypting data at rest. By default, SageMaker uses an AWS-managed key for encryption; however, using a Customer-Managed Key provides enhanced control over key management and access policies.
Rationale
Encrypting SageMaker notebook instance volumes with a Customer-Managed Key provides stronger security and compliance controls. It allows for full lifecycle management of the encryption key, including creation, rotation, and deactivation. It also enables fine-grained access controls and auditing of key usage, supporting adherence to organizational and regulatory data protection requirements.
Impact
Remediation requires provisioning a new SageMaker notebook instance configured with the desired Customer-Managed Key, as the encryption key of an existing instance cannot be modified. This process may involve migrating data from the current instance to the newly created one.
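The check this policy performs, as an added example that is not part of the original page or of the tool's own logic: an instance is non-compliant when DescribeNotebookInstance returns no KmsKeyId (SageMaker then used the AWS-managed default key) or when KMS DescribeKey reports the key's KeyManager as "AWS" rather than "CUSTOMER". The sample instances and key-manager map are constructed; the boto3 collector is optional and assumes sagemaker:ListNotebookInstances, sagemaker:DescribeNotebookInstance and kms:DescribeKey permissions.

```python
"""Flag SageMaker notebook instances not encrypted with a customer-managed KMS key.

Added example, not the page's own logic. The pure check runs offline against
constructed sample data; collect_with_boto3() is an optional live collector.
"""
from typing import Dict, List, Optional


def evaluate_instance(instance: Dict, key_manager: Optional[str]) -> Dict:
    """Return a finding for one DescribeNotebookInstance response.

    key_manager is KeyMetadata.KeyManager of the instance's key ("AWS" or
    "CUSTOMER"), or None when the instance reports no KmsKeyId.
    """
    name = instance["NotebookInstanceName"]
    key_id = instance.get("KmsKeyId")
    if not key_id:
        # No key recorded: SageMaker fell back to the AWS-managed default key.
        return {"name": name, "compliant": False, "reason": "no KmsKeyId (AWS-managed default key)"}
    if key_manager != "CUSTOMER":
        return {"name": name, "compliant": False, "reason": f"key {key_id} is managed by {key_manager}"}
    return {"name": name, "compliant": True, "reason": f"customer-managed key {key_id}"}


def evaluate_all(instances: List[Dict], key_managers: Dict[str, str]) -> List[Dict]:
    """Evaluate every instance; key_managers maps KmsKeyId -> KeyManager."""
    return [evaluate_instance(i, key_managers.get(i.get("KmsKeyId") or "")) for i in instances]


# Constructed sample data (placeholder names and key IDs, not real account values).
SAMPLE_INSTANCES = [
    {"NotebookInstanceName": "nb-default", "NotebookInstanceStatus": "InService"},
    {"NotebookInstanceName": "nb-aws-managed", "KmsKeyId": "key-aws-managed-placeholder"},
    {"NotebookInstanceName": "nb-cmk", "KmsKeyId": "key-cmk-placeholder"},
]
SAMPLE_KEY_MANAGERS = {"key-aws-managed-placeholder": "AWS", "key-cmk-placeholder": "CUSTOMER"}


def collect_with_boto3(region_name: Optional[str] = None) -> List[Dict]:
    """Live variant: page through notebook instances and resolve each key's KeyManager."""
    import boto3  # imported here so the offline check does not require boto3
    sm = boto3.client("sagemaker", region_name=region_name)
    kms = boto3.client("kms", region_name=region_name)
    instances, managers = [], {}
    for page in sm.get_paginator("list_notebook_instances").paginate():
        for summary in page["NotebookInstances"]:
            inst = sm.describe_notebook_instance(NotebookInstanceName=summary["NotebookInstanceName"])
            instances.append(inst)
            key_id = inst.get("KmsKeyId")
            if key_id and key_id not in managers:
                managers[key_id] = kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyManager"]
    return evaluate_all(instances, managers)


if __name__ == "__main__":
    for finding in evaluate_all(SAMPLE_INSTANCES, SAMPLE_KEY_MANAGERS):
        print("PASS" if finding["compliant"] else "FAIL", finding["name"], finding["reason"])
```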
Remediation
Enable Encryption for SageMaker Notebook Instances Using Customer-Managed KMS Keys
To remediate this violation, create a new SageMaker notebook instance configured with a Customer-Managed Key (CMK) from AWS KMS and migrate any required data from the existing unencrypted instance. The encryption key cannot be modified for an existing notebook instance.
From Command Line
Create a new SageMaker notebook instance. Ensure that the desired CMK already exists before running the following command:

```shell
aws sagemaker create-notebook-instance \
  --notebook-instance-name {{new-instance-name}} \
  --instance-type {{instance-type}} \
  --role-arn {{iam-role-arn}} \
  --kms-key-id {{kms-key-arn}}
```

Migrate data and remove the non-compliant instance
- Once the new notebook instance is in the InService state, transfer any data, notebooks, or configurations from the old instance.
- Thoroughly test the new notebook instance to ensure all data has been migrated correctly and that it functions as expected.
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| AWS Well-Architected → SEC08-BP02 Enforce encryption at rest | 20 | no data | | | |
| Cloudaware Framework → Data Encryption | 70 | no data | | | |