AWS Sagemaker Data Quality Job not using KMS to encrypt data on attached storage volume
Description
This policy checks whether Amazon SageMaker Data Quality Job Definitions use an AWS Key Management Service (KMS) key to encrypt data on the storage volume attached to the processing instances. Without a customer-specified KMS key, the data staged on that volume during the monitoring run is not protected by a key you control; specifying one prevents unauthorized access to the volume's contents, reduces the impact of a breach, and helps meet regulations that require protection of specific data types.
Code Example
```hcl
resource "aws_sagemaker_data_quality_job_definition" "example" {
  ...
  job_resources {
    cluster_config {
      ...
      # Add the KMS key that encrypts the attached storage volume:
      + volume_kms_key_id = "arn:aws:kms:us-west-2:123456789012:key/my-existing-volume-kms-key-id"
    }
  }
}
```
Remediation
Terraform
- Resource: aws_sagemaker_monitoring_schedule
- Arguments: job_resources/cluster_config/volume_kms_key_id
Set the `volume_kms_key_id` argument on the `aws_sagemaker_monitoring_schedule` resource in your Terraform configuration to enable encryption with AWS KMS, as shown in the code example above.
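To show what this check inspects, here is an added example (not part of this policy page or of Checkov's own code) that evaluates a `terraform show -json` plan for the same condition as CKV_AWS_368. It relies only on Terraform's documented plan JSON layout (nested blocks appear as lists of objects, and values computed at apply time appear under `after_unknown`); the sample plan is constructed.

```python
import json
RESOURCE_TYPE = "aws_sagemaker_data_quality_job_definition"
KEY_PATH = ("job_resources", "cluster_config", "volume_kms_key_id")

def dig(values, path):
    """Follow nested blocks (lists of objects in plan JSON) and return the leaf, or None."""
    node = values
    for part in path:
        if isinstance(node, list):
            node = node[0] if node else None
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node

def check_plan(plan):
    """Return (address, status) for each Data Quality Job Definition in the plan.
    PASSED if volume_kms_key_id is set, or is 'known after apply' (e.g. it references
    an aws_kms_key created in the same plan); FAILED if absent or empty."""
    unknown = {rc["address"]: rc.get("change", {}).get("after_unknown", {})
               for rc in plan.get("resource_changes", [])}
    findings = []

    def walk(module):
        for r in module.get("resources", []):
            if r.get("type") != RESOURCE_TYPE:
                continue
            key = dig(r.get("values", {}), KEY_PATH)
            pending = dig(unknown.get(r["address"], {}), KEY_PATH) is True
            findings.append((r["address"], "PASSED" if key or pending else "FAILED"))
        for child in module.get("child_modules", []):
            walk(child)

    walk(plan.get("planned_values", {}).get("root_module", {}))
    return findings

# Constructed sample plan (not from a real account): one unencrypted, one encrypted job.
SAMPLE_PLAN = json.loads("""{
 "planned_values": {"root_module": {"resources": [
  {"address": "aws_sagemaker_data_quality_job_definition.unencrypted",
   "type": "aws_sagemaker_data_quality_job_definition",
   "values": {"job_resources": [{"cluster_config": [{"instance_count": 1,
     "instance_type": "ml.m5.large", "volume_size_in_gb": 20}]}]}},
  {"address": "aws_sagemaker_data_quality_job_definition.encrypted",
   "type": "aws_sagemaker_data_quality_job_definition",
   "values": {"job_resources": [{"cluster_config": [{"instance_count": 1,
     "instance_type": "ml.m5.large", "volume_size_in_gb": 20,
     "volume_kms_key_id": "arn:aws:kms:us-west-2:123456789012:key/my-existing-volume-kms-key-id"}]}]}}
 ]}}
}""")
```

Running `check_plan(SAMPLE_PLAN)` flags the `unencrypted` definition as FAILED and the `encrypted` one as PASSED; a key that only becomes known at apply time is treated as set rather than reported as a false positive.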
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0415 |
| Severity | LOW |
| IaC Type | CloudFormation |
| Frameworks | Terraform, TerraformPlan, CloudFormation |
| Checkov ID | CKV_AWS_368 |