AWS SageMaker notebook instance not configured with data encryption at rest using KMS key
Description
Amazon SageMaker lets you pass a KMS key to SageMaker notebooks, securing the following resources:
- Storage volume
- Processing jobs
- Training jobs
- Hyperparameter tuning jobs
- Batch transform jobs
- Endpoints
By applying encryption at rest with a KMS key you control, you ensure that the data stored on your AWS SageMaker notebook instances is protected and meets regulatory requirements.
Code Example
Create the notebook instance with a KMS key so that its ML storage volume is encrypted at rest:

    aws sagemaker create-notebook-instance \
        --notebook-instance-name <value> \
        --instance-type <value> \
        --kms-key-id <value>

Remediation
AWS Console
1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
2. Open the Amazon SageMaker console (https://console.aws.amazon.com/sagemaker/).
3. Select Notebook instances, then click Create Notebook Instance.
4. On the Create Notebook Instance page, provide the required information.
5. Under Encryption key, choose an AWS Key Management Service (AWS KMS) key to encrypt data on the ML storage volume attached to the notebook instance. If you plan to store sensitive information on the ML storage volume, encrypt it with this key.
CLI Command
To create a SageMaker notebook instance with an encrypted ML storage volume, run the create-notebook-instance command shown under Code Example above, passing the key in --kms-key-id.
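The rule targets Terraform, so the fix a practitioner usually needs is the HCL form rather than the CLI call. The following is an added example written for this page (it is not the policy's own code or a Checkov fixture): a customer-managed KMS key, an IAM role, and two aws_sagemaker_notebook_instance resources, one that omits kms_key_id and is flagged by CKV_AWS_22, and one that passes the key ARN and is compliant. The resource names, the key alias, the instance type and the role definition are assumptions made for illustration.

```terraform
# Added example for CKV_AWS_22 (not part of the original rule page).
# All names, aliases and the IAM role below are illustrative assumptions.

# Customer-managed key used for the notebook ML storage volumes.
resource "aws_kms_key" "sagemaker" {
  description             = "CMK for SageMaker notebook ML storage volumes"
  deletion_window_in_days = 30
  enable_key_rotation     = true
}

resource "aws_kms_alias" "sagemaker" {
  name          = "alias/sagemaker-notebooks"
  target_key_id = aws_kms_key.sagemaker.key_id
}

# Execution role the notebook instance assumes.
data "aws_iam_policy_document" "notebook_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["sagemaker.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "notebook" {
  name               = "sagemaker-notebook-role"
  assume_role_policy = data.aws_iam_policy_document.notebook_assume.json
}

# FAILS CKV_AWS_22: kms_key_id is not set, so the ML storage volume is not
# encrypted with a key the account controls.
resource "aws_sagemaker_notebook_instance" "unencrypted" {
  name          = "analyst-notebook-unencrypted"
  role_arn      = aws_iam_role.notebook.arn
  instance_type = "ml.t3.medium"
}

# PASSES CKV_AWS_22: the volume is encrypted at rest with the customer-managed
# key declared above.
resource "aws_sagemaker_notebook_instance" "encrypted" {
  name          = "analyst-notebook"
  role_arn      = aws_iam_role.notebook.arn
  instance_type = "ml.t3.medium"
  kms_key_id    = aws_kms_key.sagemaker.arn
  root_access   = "Disabled"
}
```

Running `checkov -d . --check CKV_AWS_22` against a directory containing this file reports the first notebook resource as FAILED and the second as PASSED, which is a quick way to confirm the check fires before the change reaches a pipeline. Referencing the key by ARN rather than by alias keeps the plan free of a data lookup and makes the key dependency explicit in the graph.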
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0076 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_22 |