Ensure SageMaker Notebook Instance Data Encryption is enabled

SageMaker is a fully-managed AWS service that enables developers and data engineers to quickly and easily build, train and deploy machine learning models at any scale. An AWS SageMaker notebook instance is a fully managed ML instance that is running the Jupyter Notebook open-source web application. It is highly recommended that the data stored on Machine Learning (ML) storage volumes attached to your AWS SageMaker notebook instances is encrypted in order to protect your data from breaches or unauthorized access and fulfill compliance requirements for data-at-rest encryption within your organization.

Risk Level: High
Cloud Entity: Amazon SageMaker
CloudGuard Rule ID: D9.AWS.CRY.35
Covered by Spectral: Yes
Category: Machine learning

GSL LOGIC

SageMakerNotebook should have kmsKey

REMEDIATION

From Portal
There is no possibility to enable encryption to an existing SageMaker instance. You need to re-create these with the necessary encryption configuration to ensure SageMaker notebook instances are encrypted. You can enable data-at-rest encryption and copy your existing data to it, perform the following actions.

  1. Log in to the AWS Management Console.
  2. Go to to SageMaker service dashboard at https://console.aws.amazon.com/sagemaker/.
  3. Click on 'Create notebook Instance'.
  4. Under 'Permissions and encryption' section, select the key from the Encryption key drop down. (select Enter a KMS key ARN option, then enter the full ARN of the AWS KMS default key)
  5. Complete the rest of the configurations and Create your notebook instance.

From TF

resource "aws_sagemaker_notebook_instance" "test" {
	name          = "my-notebook-instance"
	role_arn      = aws_iam_role.role.arn
	instance_type = "ml.t2.medium"
	+ kms_key_id = "KEY_ARN"
	
	tags = {
		Name = "foo"
	}
}

From Command Line

  1. We can not enable encryption to an existing SageMaker instance. Create a new notebook instance using below command to enable encryption for that instance.
    Note: --kms-key-id parameter will enable encryption for the required notebook instance.
aws sagemaker create-notebook-instance --notebook-instance-name INSTANCE_NAME --instance-type VALUE --kms-key-id KEY_ARN
  1. Copy your data from the old notebook instance to the newly created instance.
  2. Once data is copied, you can remove the old notebook instance using below command.
aws sagemaker delete-notebook-instance --notebook-instance-name INSTANCE_NAME

References

  1. https://docs.aws.amazon.com/sagemaker/latest/dg/howitworks-create-ws.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_notebook_instance
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sagemaker/create-notebook-instance.html
  4. https://docs.aws.amazon.com/sagemaker/latest/dg/gs-setup-working-env.html

Amazon SageMaker

Amazon SageMaker provides every developer and data scientist with the ability to build, train, and deploy machine learning models quickly. Amazon SageMaker is a fully-managed service that covers the entire machine learning workflow to label and prepare your data, choose an algorithm, train the model, tune and optimize it for deployment, make predictions, and take action.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset