# AWS SageMaker domain not encrypted using Customer Managed Key

## Description

Amazon SageMaker Feature Store enables you to create two types of stores: an online store or an offline store. The online store is used for low-latency, real-time inference use cases, whereas the offline store is used for training and batch inference use cases. When you create a feature group for online or offline use, you can provide an AWS Key Management Service (AWS KMS) customer managed key to encrypt all your data at rest. If you do not provide an AWS KMS key, your data is still encrypted on the server side, but with an AWS owned or AWS managed AWS KMS key rather than one you control.
## Code Example

```diff
resource "aws_sagemaker_domain" "example" {
  ...
+ kms_key_id = "ckv_kms"
}
```

## Remediation

### Terraform

To fix this issue, ensure that the `kms_key_id` property in the `aws_sagemaker_domain` resource is set to a valid KMS key ARN or key ID.

## Rule Details
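The following is an added, self-contained Terraform example (not taken from the original page or from the Checkov project) showing the flagged shape next to the remediated one. It creates a customer managed KMS key and two `aws_sagemaker_domain` resources: one without `kms_key_id`, which is what this rule reports, and one that references the key's ARN. The VPC, subnet, IAM role and all resource names and CIDR blocks are assumptions made for illustration only.

```hcl
# Added example, not from the original page. All names, CIDRs and the
# execution role below are assumptions for illustration.

# Customer managed key that the compliant domain will use for its EFS volume.
resource "aws_kms_key" "sagemaker" {
  description             = "CMK for the SageMaker domain EFS volume"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "sagemaker" {
  name          = "alias/sagemaker-domain"
  target_key_id = aws_kms_key.sagemaker.key_id
}

# Minimal networking a SageMaker domain requires (assumed values).
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
}

# Execution role assumed by SageMaker on behalf of domain users.
resource "aws_iam_role" "sagemaker_execution" {
  name = "sagemaker-domain-execution"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "sagemaker.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Non-compliant: kms_key_id is absent, so the domain's EFS volume is
# encrypted with an AWS owned/managed key instead of a key you control.
# This is the shape CKV_AWS_187 flags.
resource "aws_sagemaker_domain" "noncompliant" {
  domain_name = "example-noncompliant"
  auth_mode   = "IAM"
  vpc_id      = aws_vpc.main.id
  subnet_ids  = [aws_subnet.private.id]

  default_user_settings {
    execution_role = aws_iam_role.sagemaker_execution.arn
  }
}

# Compliant: kms_key_id references the customer managed key's ARN, so
# key policy, rotation and audit (CloudTrail) stay under your control.
resource "aws_sagemaker_domain" "compliant" {
  domain_name = "example-compliant"
  auth_mode   = "IAM"
  vpc_id      = aws_vpc.main.id
  subnet_ids  = [aws_subnet.private.id]
  kms_key_id  = aws_kms_key.sagemaker.arn

  default_user_settings {
    execution_role = aws_iam_role.sagemaker_execution.arn
  }
}
```

Running `checkov -d . --check CKV_AWS_187` against a directory containing this file reports the `noncompliant` resource as failed and the `compliant` one as passed. Referencing the key ARN through `aws_kms_key.sagemaker.arn` rather than a hard-coded string keeps the dependency explicit in the plan, so the key is created before the domain and the check evaluates against the real resource relationship.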
| Field | Value |
|---|---|
| ID | IAC-0236 |
| Severity | LOW |
| IaC Type | Cloudformation |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_187 |