AWS SageMaker Flow Definition does not use KMS for output configurations
Description
This policy checks whether Amazon SageMaker Flow Definitions specify a Key Management Service (KMS) key in their output configuration. The `output_config` block of a flow definition names the S3 path where Augmented AI writes the results of each human review loop; when no `kms_key_id` is set, those objects are protected only by whatever default encryption the bucket happens to have, and nothing in the flow definition itself guarantees they are encrypted with a key you control. Specifying a KMS key encrypts the output server-side with that key, keeps the key material inside the KMS hardware security modules rather than alongside the data, and lets you restrict and audit which principals may decrypt the outputs through the key policy and CloudTrail. This strengthens your security posture and supports data protection regulations that call for customer-managed encryption of sensitive data at rest.
Code Example
```hcl
resource "aws_sagemaker_flow_definition" "example" {
  ...
  output_config {
    # Key ID or ARN of the KMS key used to encrypt the human-loop outputs
    # written to s3_output_path; "example" is the page's placeholder value.
+   kms_key_id = "example"
  }
}
```
Remediation
Terraform
- Resource: aws_sagemaker_flow_definition
- Arguments: output_config/kms_key_id
Add a KMS key to the output configuration of your SageMaker Flow Definition by setting the `kms_key_id` argument (a key ID or key ARN) in its `output_config` block; SageMaker then uses that key for server-side encryption of the human-loop output objects it writes to `s3_output_path`. The execution role referenced by `role_arn` must also be allowed to use that key, otherwise the human loop cannot write its output.
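The check this page describes, written out as an added example that is not Checkov's or the policy vendor's own code: a Python re-implementation of the rule run over constructed `terraform show -json` output. The plan snippet, resource addresses and key ARN are all made up for the example. It goes one step beyond the page in handling a `kms_key_id` that references a key created in the same apply: Terraform reports such a value under `after_unknown` rather than `after`, and a plan-based scanner that only reads `after` would wrongly fail that resource.

```python
"""Minimal re-implementation of the IAC-0419 / CKV_AWS_372 check over Terraform
plan JSON. Added example; not Checkov's or the policy vendor's code."""
import json

# Constructed sample in the shape of `terraform show -json tfplan` output,
# trimmed to the resource_changes entries and fields this check reads.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {   # weak: human-loop output goes to S3 with no KMS key
            "address": "aws_sagemaker_flow_definition.unencrypted",
            "type": "aws_sagemaker_flow_definition",
            "change": {
                "actions": ["create"],
                "after": {"output_config": [{"s3_output_path": "s3://example-bucket/a2i/"}]},
                "after_unknown": {"output_config": [{}]},
            },
        },
        {   # corrected: kms_key_id set to a literal (constructed) key ARN
            "address": "aws_sagemaker_flow_definition.encrypted",
            "type": "aws_sagemaker_flow_definition",
            "change": {
                "actions": ["create"],
                "after": {"output_config": [{
                    "s3_output_path": "s3://example-bucket/a2i/",
                    "kms_key_id": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
                }]},
                "after_unknown": {"output_config": [{}]},
            },
        },
        {   # corrected, but the key is created in the same plan: its ARN is only
            # known at apply time, so it appears in after_unknown, not in after
            "address": "aws_sagemaker_flow_definition.new_key",
            "type": "aws_sagemaker_flow_definition",
            "change": {
                "actions": ["create"],
                "after": {"output_config": [{"s3_output_path": "s3://example-bucket/a2i/"}]},
                "after_unknown": {"output_config": [{"kms_key_id": True}]},
            },
        },
        {   # an empty string is not a key
            "address": "aws_sagemaker_flow_definition.blank",
            "type": "aws_sagemaker_flow_definition",
            "change": {
                "actions": ["update"],
                "after": {"output_config": [{"s3_output_path": "s3://example-bucket/a2i/",
                                             "kms_key_id": ""}]},
                "after_unknown": {"output_config": [{}]},
            },
        },
        {   # being destroyed: nothing to evaluate
            "address": "aws_sagemaker_flow_definition.old",
            "type": "aws_sagemaker_flow_definition",
            "change": {"actions": ["delete"], "after": None, "after_unknown": {}},
        },
    ],
})


def first_block(container, name):
    """Return the first element of a nested-block list; True means the whole
    block is unknown (after_unknown), None means the block is absent."""
    value = (container or {}).get(name)
    if isinstance(value, list):
        return value[0] if value else {}
    return value


def output_config_kms_status(change):
    """PASSED, FAILED or UNKNOWN for one aws_sagemaker_flow_definition change."""
    known = first_block(change.get("after"), "output_config")
    unknown = first_block(change.get("after_unknown"), "output_config")
    if unknown is True:
        return "UNKNOWN"   # entire block computed at apply time; cannot judge
    if isinstance(unknown, dict) and unknown.get("kms_key_id") is True:
        return "PASSED"    # e.g. kms_key_id = aws_kms_key.example.arn
    key = (known or {}).get("kms_key_id")
    return "PASSED" if isinstance(key, str) and key.strip() else "FAILED"


def evaluate_plan(plan_json):
    """Map each planned aws_sagemaker_flow_definition address to its status."""
    plan = json.loads(plan_json)
    results = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_sagemaker_flow_definition":
            continue
        if rc["change"].get("actions") == ["delete"]:
            continue   # resource is going away; no output will be written
        results[rc["address"]] = output_config_kms_status(rc["change"])
    return results


if __name__ == "__main__":
    for address, status in evaluate_plan(SAMPLE_PLAN_JSON).items():
        print(f"{status:8} {address}")
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and feed the file contents to `evaluate_plan`. A resource that reports `UNKNOWN` (its whole `output_config` block is computed) is worth a second look in the source HCL rather than being silently passed or failed.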
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0419 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan, CloudFormation |
| Checkov ID | CKV_AWS_372 |