AWS SageMaker endpoint data encryption at rest not configured
Description
This is a straightforward check to ensure data at rest is encrypted for SageMaker endpoints. It verifies that the endpoint configuration specifies a KMS key (kms_key_arn); SageMaker uses that key to encrypt the storage volume attached to the ML compute instances hosting the endpoint, so that the data is protected with a customer managed key (CMK) instead of being left without a configured key. Note that a KMS key cannot be requested for instance types that use local NVMe storage, because those volumes are encrypted by the instance hardware instead.
Code Example
```hcl
resource "aws_sagemaker_endpoint_configuration" "example" {
  ...
  name = "my-endpoint-config"
+ kms_key_arn = aws_kms_key.examplea.arn
  production_variants {
    variant_name           = "variant-1"
    model_name             = aws_sagemaker_model.examplea.name
    initial_instance_count = 1
    instance_type          = "ml.t2.medium"
  }
  ...
}
```
Remediation
AWS Console
There is no way to enable encryption on an existing SageMaker endpoint configuration; it has to be deleted and recreated with a KMS key specified.
Fix - Buildtime
Terraform
- Resource: aws_sagemaker_endpoint_configuration
- Arguments: kms_key_arn. Setting it to the ARN of a KMS key ensures the storage volume of the endpoint's ML instances is encrypted at rest with that key. Adding or changing the argument on an existing endpoint configuration forces Terraform to destroy and recreate the resource, so plan for a model redeployment.
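As an added example (not part of this page and not Checkov's own implementation), the Python script below applies the same rule to the output of `terraform show -json tfplan`, which is how the TerraformPlan framework listed in the rule details sees the resource. It reports FAILED for every aws_sagemaker_endpoint_configuration whose kms_key_arn is unset, and it treats a value that is only known after apply (a reference such as aws_kms_key.examplea.arn) as configured, since such values appear under after_unknown rather than after in plan JSON. The plan document in SAMPLE_PLAN is constructed for the example and its resource addresses are hypothetical.

```python
"""Plan-time check with the same logic as the rule on this page: flag any
aws_sagemaker_endpoint_configuration in a Terraform plan JSON that does not set
kms_key_arn. Example code added to this page, not Checkov's implementation."""
import json

# Constructed sample of `terraform show -json tfplan`, reduced to the fields the
# check needs. Resource addresses are hypothetical.
#   bad         -> kms_key_arn absent (null in "after")             -> FAILED
#   good_static -> kms_key_arn is a literal key ARN                 -> PASSED
#   good_ref    -> kms_key_arn = aws_kms_key.examplea.arn, so it is
#                  unknown until apply and listed in after_unknown  -> PASSED
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "aws_sagemaker_endpoint_configuration.bad",
            "type": "aws_sagemaker_endpoint_configuration",
            "change": {
                "actions": ["create"],
                "after": {"name": "cfg-bad", "kms_key_arn": None},
                "after_unknown": {"arn": True, "id": True},
            },
        },
        {
            "address": "aws_sagemaker_endpoint_configuration.good_static",
            "type": "aws_sagemaker_endpoint_configuration",
            "change": {
                "actions": ["create"],
                "after": {
                    "name": "cfg-static",
                    "kms_key_arn": "arn:aws:kms:us-east-1:123456789012:key/"
                                   "11111111-2222-3333-4444-555555555555",
                },
                "after_unknown": {"arn": True, "id": True},
            },
        },
        {
            "address": "aws_sagemaker_endpoint_configuration.good_ref",
            "type": "aws_sagemaker_endpoint_configuration",
            "change": {
                "actions": ["create"],
                "after": {"name": "cfg-ref"},
                "after_unknown": {"arn": True, "id": True, "kms_key_arn": True},
            },
        },
        {
            # Unrelated resource type: must be ignored by the scan.
            "address": "aws_kms_key.examplea",
            "type": "aws_kms_key",
            "change": {
                "actions": ["create"],
                "after": {"enable_key_rotation": True},
                "after_unknown": {"arn": True, "id": True},
            },
        },
    ],
})

RESOURCE_TYPE = "aws_sagemaker_endpoint_configuration"
ARGUMENT = "kms_key_arn"


def endpoint_config_has_kms_key(change: dict) -> bool:
    """True when the planned resource sets kms_key_arn, either to a known,
    non-empty string or to a value that Terraform only knows after apply."""
    after = change.get("after") or {}
    after_unknown = change.get("after_unknown") or {}
    # A reference like aws_kms_key.examplea.arn is unresolved at plan time and
    # shows up as True under after_unknown; that still counts as configured.
    if after_unknown.get(ARGUMENT) is True:
        return True
    value = after.get(ARGUMENT)
    return isinstance(value, str) and value.strip() != ""


def scan_plan(plan_json: str) -> dict:
    """Map each planned SageMaker endpoint configuration address to
    "PASSED" or "FAILED". Pure deletions are skipped: nothing to encrypt."""
    plan = json.loads(plan_json)
    results = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE:
            continue
        change = rc.get("change") or {}
        if set(change.get("actions", [])) == {"delete"}:
            continue
        results[rc["address"]] = (
            "PASSED" if endpoint_config_has_kms_key(change) else "FAILED"
        )
    return results


if __name__ == "__main__":
    for address, status in scan_plan(SAMPLE_PLAN).items():
        print(f"{status}\t{address}")
```

Run it against a real plan with `terraform show -json tfplan > plan.json` and pass the file contents to scan_plan. Like the rule itself, this only proves that a key is referenced; whether that key is customer managed, rotated, and reachable from the endpoint's execution role is not visible in the plan and needs to be checked on the aws_kms_key resource and its policy separately.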
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0151 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_98 |