AWS SageMaker Notebook Instance is not encrypted with a Customer-Managed KMS key
- Contextual name: Notebook Instance is not encrypted with a Customer-Managed KMS key
- ID: /ce/ca/aws/sagemaker/notebook-instance-encryption-with-cmk
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
Similar Policies
- Cloud Conformity: Notebook Data Encrypted With KMS Customer Managed Keys
Description
This policy identifies AWS SageMaker Notebook Instances that are not configured to use a Customer-Managed Key (CMK) from AWS Key Management Service (KMS) for encrypting data at rest. By default, SageMaker uses an AWS-managed key for encryption; however, leveraging a Customer-Managed Key offers enhanced control over key management and access policies.
Rationale
Encrypting SageMaker notebook instance volumes with a Customer-Managed Key provides stronger security and compliance controls. It allows for full lifecycle management of the encryption key, including creation, rotation, and deactivation. Additionally, it enables fine-grained access controls and auditing of key usage, supporting adherence to organizational and regulatory data protection requirements.
Impact
Remediation requires provisioning a new SageMaker notebook instance configured with the desired Customer-Managed Key, as the encryption key of an existing instance cannot be modified. This process may involve migrating data from the current instance to the newly created one.
Remediation
Enable Encryption for SageMaker Notebook Instances Using Customer-Managed KMS Keys
To remediate this violation, create a new SageMaker notebook instance configured with a Customer-Managed Key (CMK) from AWS KMS and migrate any required data from the existing unencrypted instance. The encryption key cannot be modified for an existing notebook instance.
From Command Line
Create a new SageMaker notebook instance
Ensure that the desired CMK already exists before running the following command:
```
aws sagemaker create-notebook-instance \
  --notebook-instance-name {{new-instance-name}} \
  --instance-type {{instance-type}} \
  --role-arn {{iam-role-arn}} \
  --kms-key-id {{kms-key-arn}}
```
Migrate data and remove the non-compliant instance
- Once the new notebook instance is in the InService state, transfer any data, notebooks, or configurations from the old instance.
- Thoroughly test the new notebook instance to ensure all data has been migrated correctly and that it functions as expected.
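Before remediating, it helps to know exactly which instances the policy flags. The following Python is an added example (not the policy's prod.logic.yaml, nor code from Cloudaware or AWS) that reproduces the check from the shapes of the SageMaker DescribeNotebookInstance and KMS DescribeKey responses; the account id, key ARNs and notebook records are constructed placeholders.

```python
"""Classify SageMaker notebook instances by the type of KMS key they use.

Input shapes follow `aws sagemaker describe-notebook-instance` (KmsKeyId)
and `aws kms describe-key` (KeyMetadata.KeyManager). The sample records
at the bottom are constructed for illustration, not real account data.
"""

CUSTOMER_MANAGED = "CUSTOMER"   # KeyMetadata.KeyManager value for a CMK


def classify_notebook(notebook, key_metadata_by_arn):
    """Return 'NO_KEY', 'AWS_MANAGED', 'UNKNOWN_KEY' or 'CMK'.

    notebook: dict shaped like a DescribeNotebookInstance response.
    key_metadata_by_arn: KMS key ARN -> KeyMetadata dict from DescribeKey.
    """
    key_arn = notebook.get("KmsKeyId")
    if not key_arn:
        return "NO_KEY"          # SageMaker falls back to the AWS-managed key
    meta = key_metadata_by_arn.get(key_arn)
    if meta is None:
        return "UNKNOWN_KEY"     # not resolvable (other account/deleted): flag it
    if meta.get("KeyManager") == CUSTOMER_MANAGED:
        return "CMK"
    return "AWS_MANAGED"         # an AWS-managed key set explicitly still fails


def find_violations(notebooks, key_metadata_by_arn):
    """Names of notebook instances not encrypted with a customer-managed key."""
    return [nb["NotebookInstanceName"] for nb in notebooks
            if classify_notebook(nb, key_metadata_by_arn) != "CMK"]


# Constructed sample data (placeholder account id and key ids).
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/cmk-placeholder"
AWS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/aws-placeholder"
SAMPLE_KEYS = {
    CMK_ARN: {"KeyId": "cmk-placeholder", "KeyManager": "CUSTOMER"},
    AWS_KEY_ARN: {"KeyId": "aws-placeholder", "KeyManager": "AWS"},
}
SAMPLE_NOTEBOOKS = [
    {"NotebookInstanceName": "nb-default", "NotebookInstanceStatus": "InService"},
    {"NotebookInstanceName": "nb-aws-key", "KmsKeyId": AWS_KEY_ARN},
    {"NotebookInstanceName": "nb-foreign-key", "KmsKeyId": CMK_ARN + "-other"},
    {"NotebookInstanceName": "nb-cmk", "KmsKeyId": CMK_ARN},
]

if __name__ == "__main__":
    for name in find_violations(SAMPLE_NOTEBOOKS, SAMPLE_KEYS):
        print(f"non-compliant: {name}")
```

In a live account the inputs come from `aws sagemaker list-notebook-instances`, `describe-notebook-instance` per instance and `aws kms describe-key` per referenced key; an unresolvable key is reported as a finding rather than silently passed.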
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| AWS Well-Architected → SEC08-BP02 Enforce encryption at rest | 17 | no data | | | |
| Cloudaware Framework → Data Encryption | 57 | no data | | | |